About 1use.lol

We build link infrastructure for the things you don't want to outlive their first click.

1use.lol was started by a small team of security engineers tired of pasting credentials into chat windows and hoping nobody scrolled. We built the link shortener we wanted to use ourselves — encrypted, time-boxed, single-use, and ruthlessly simple.

Encrypt by default

Every URL is sealed at rest with AES-256-GCM. There is no "off" switch for this — it is the only mode.

Minimal data

We collect the email Google gives us. We do not log IPs, referrers, or click fingerprints.

Burn on read

A one-time link transitions to a burned state atomically inside the database, with no chance of a double-resolve.

Auditable surface

Small Next.js app, single dependency surface, no analytics SDKs, no third-party trackers.

No vendor lock-in

Standard Postgres-compatible schema and open formats. Export your links anytime.

Built for builders

A clean API, predictable rate limits, and a CLI on the way for sharing inside scripts and CI.

How a 1use share works

  1. 01
    You paste a URL

    The URL never leaves the encrypted column. We generate a 10-character code from an ambiguity-safe alphabet.

  2. 02
    We seal it with AES-256-GCM

    A fresh 96-bit IV per link, authenticated by the GCM tag. The key is loaded from a hardware-backed secret.

  3. 03
    You share the short link

    Recipient hits /r/<code>. We atomically increment the click counter and flip the burned flag on first resolve.

  4. 04
    It vanishes

    Subsequent visits return a burn notice. Decryption is impossible without the row, which we can wipe on schedule.

Our security posture

  • • Strict Content-Security-Policy with no unsafe-inline scripts in production builds
  • • HSTS preload, X-Frame-Options DENY, X-Content-Type-Options nosniff
  • • SSRF guards on destination URLs — no metadata, no link-local, no private ranges
  • • Rate limiting per user + IP
  • • bcrypt cost-12 for passphrase hashes; constant-time compares on secrets

What we are not

  • • Not an analytics product — we don't track who clicked
  • • Not a marketing tool — no UTM rewriting or A/B campaign tooling
  • • Not a free-for-all shortener — abusive destinations are blocked at issuance

Have a question we didn't answer?

Contact the team