Protected Links API
Create or reuse bot-protected go.requestguard.com links for redirects, embeds, and private handoffs.
Create or reuse a bot-protected go.requestguard.com link from the RequestGuard API. The destination URL is stored server-side by RequestGuard Go. The response returns the protected short URL, destination hostname, and policy metadata, but it does not expose the full destination URL.
Endpoint
POST /go/linksAuthentication
Creating go.requestguard.com links can be anonymous with no API key.
A valid RequestGuard API key is optional and only needed when you want account-scoped tracking, account-scoped reuse, or quota attribution. If you send an API key, it must be valid. Invalid keys are rejected.
Anonymous REST Example
Use REST or fetch for anonymous creation:
curl "https://api.requestguard.com/v1/go/links" \
-H "Content-Type: application/json" \
--data '{"target_url":"https://example.com/private-video"}'const response = await fetch("https://api.requestguard.com/v1/go/links", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
target_url: "https://example.com/private-video"
})
});
const link = await response.json();
console.log(link.protected_url);SDK Anonymous Example
The JavaScript SDK can also create anonymous protected links. Configure only the endpoint when you do not want account-scoped tracking:
import RequestGuard from "@requestguard/js";
const rg = RequestGuard({ endpoint: "https://api.requestguard.com/v1" });
const link = await rg.createLink({
targetUrl: "https://example.com/private-video"
});
console.log(link.protectedUrl);Account-Scoped Example
Add an API key only when you want the created link attributed to your account for tracking, quota, and active-link reuse:
curl "https://api.requestguard.com/v1/go/links" \
-H "Authorization: Bearer rg_sk_live_..." \
-H "Content-Type: application/json" \
--data '{"target_url":"https://example.com/private-video"}'Request
{
"target_url": "https://example.com/private-video",
"expires_at": null,
"password": null
}| Field | Type | Required | Description |
|---|---|---|---|
target_url | string | Yes | Destination URL to protect. Must use http or https. |
expires_at | string or null | No | Optional ISO 8601 expiry time. |
password | string or null | No | Optional password requirement for the protected link. |
Response
{
"code": "a1c2d3rs",
"protected_url": "https://go.requestguard.com/a1c2d3rs/",
"target_host": "example.com",
"expires_at": null,
"password_protected": false,
"created_at": "2026-05-18T12:00:00.000Z",
"reused": true
}Active, non-expiring links without passwords can be reused for the same normalized target_url and account scope. Anonymous and authenticated scopes are separate. Links with an expiry or password create separate records because their access policy is different.
Embeds
The protected URL can be opened directly or embedded in an iframe when you need to protect a video, private asset page, partner handoff, or other destination from automated crawlers:
<iframe
src="https://go.requestguard.com/a1c2d3rs/"
loading="lazy"
referrerpolicy="strict-origin-when-cross-origin"
></iframe>PHP Video Iframe Example
Create the protected URL server-side, then render it as the video iframe source. The destination video URL is sent only to the RequestGuard API, not to the browser HTML.
<?php
$payload = json_encode([
'target_url' => 'https://video.example.com/embed/private-demo',
'expires_at' => null,
'password' => null,
]);
$headers = ['Content-Type: application/json'];
$apiKey = getenv('REQUESTGUARD_API_KEY');
if ($apiKey) {
$headers[] = 'Authorization: Bearer ' . $apiKey;
}
$ch = curl_init('https://api.requestguard.com/v1/go/links');
curl_setopt_array($ch, [
CURLOPT_POST => true,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => $headers,
CURLOPT_POSTFIELDS => $payload,
]);
$response = curl_exec($ch);
if ($response === false) {
throw new RuntimeException(curl_error($ch));
}
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($status < 200 || $status >= 300) {
throw new RuntimeException('RequestGuard link creation failed.');
}
$link = json_decode($response, true, flags: JSON_THROW_ON_ERROR);
$protectedUrl = $link['protected_url'];
?>
<iframe
src="<?= htmlspecialchars($protectedUrl, ENT_QUOTES, 'UTF-8') ?>"
title="Protected video"
loading="lazy"
referrerpolicy="strict-origin-when-cross-origin"
allowfullscreen
></iframe>