Snipr - Link Operations Platform
A production-minded link-operations platform (a URL shortener taken to a sellable, multi-tenant standard) - not a live SaaS but a finished build available to license, white-label or self-host. Snipr ships cached sub-30ms redirects, buffered analytics, device/UTM routing, URL safety scoring with interstitials, abuse reporting, per-user scoped API keys, signed webhooks with a dead-letter queue, role-based access, audit logs, QR codes and a React dashboard - with an OpenAPI spec and CI across SQLite and PostgreSQL.
Scope: Solo full build: Express API + React dashboard, redirect cache, buffered analytics, URL safety, scoped API keys, signed webhooks + DLQ, RBAC, audit log, Prometheus metrics, OpenAPI. Not deployed - available to license, white-label or self-host.
A production-minded link-operations platform (a URL shortener taken to a sellable, multi-tenant standard) - not a live SaaS but a finished build available to license, white-label or self-host. Snipr ships cached sub-30ms redirects, buffered analytics, rich link metadata (campaigns, tags, device/UTM routing), URL safety scoring with interstitial warnings, public abuse reporting, per-user scoped API keys, signed webhooks with a dead-letter queue, role-based access, audit logs, feature flags, QR codes, and a React dashboard - with an OpenAPI spec and CI across SQLite and PostgreSQL.

The Challenge
A link shortener looks trivial until you run one in production: redirects have to stay sub-30ms under load, analytics cannot block the hot path, malicious destinations need scoring and interstitials, and abuse handling, rate limiting, API keys, webhooks, RBAC and audit trails all have to exist before anyone trusts you with their traffic. Most open shorteners stop at "create code → redirect" and leave operability, safety and multi-tenant concerns as an exercise. The goal was a single-node foundation that already carries the full production surface - security, observability, a real API and URL safety - finished to a standard you could sell, white-label or self-host.
The Solution
Built on Express (Node 22, ESM) with SQLite (WAL) locally or PostgreSQL for durable deploys, a layered redirect cache (in-memory + optional Redis), and a React 19 / Vite / Tailwind dashboard. The full feature set: cached `/:code` redirects plus `/p/:code` OG-preview pages; buffered, batched analytics with human-vs-bot breakdowns and preview-bot intercept (Slackbot, iMessage, SafeLinks) so previews never fire fake clicks; device + UTM routing (iOS / Android / desktop targets, UTM builder); password-protected links, expirations, custom branded domains, campaigns and tags; URL safety scoring at create time with an interstitial warning page (optional Google Safe Browsing); public abuse reporting with an admin moderation queue and auto-flag thresholds; per-user scoped API keys (links / analytics / webhooks scopes) documented in an OpenAPI spec; signed `link.click` webhooks with an admin dead-letter queue and replay; roles & capabilities (user / admin) with a per-user audit log; feature flags with env overrides; QR codes; account deletion and full data export (SAR). Production-hardened throughout: HSTS, security headers, login-attempt lockout, password complexity, CSRF double-submit, Redis-backed distributed rate limiting, Postgres advisory-locked migrations, optional Sentry, health/readiness probes (`/healthz`, `/readyz`) and a token-protected Prometheus `/metrics` endpoint. CI runs `npm audit` and the test suite against both SQLite and PostgreSQL.
Client
Self-built platform · available to license / white-label / self-host
“Snipr is the boring-but-hard 90% that most side projects skip: the safety scoring, the scoped API keys, the signed webhooks with a dead-letter queue, the audit log, the rate limiting, the metrics. It is a link platform finished to the standard a paying customer would actually trust - and it is available to license, white-label or self-host.”
Kiril Urbonas
Designer & Engineer, Snipr
Key Results
Routing, analytics, safety, webhooks, API keys
Scoped keys · OpenAPI spec · signed webhooks + DLQ
CSRF · rate limits · RBAC · audit log · metrics
Finished build - license / white-label / self-host
Timeline
Designed & built solo - available now · 2026
Completed 2026
Scope: Solo full build: Express API + React dashboard, redirect cache, buffered analytics, URL safety, scoped API keys, signed webhooks + DLQ, RBAC, audit log, Prometheus metrics, OpenAPI. Not deployed - available to license, white-label or self-host.
Want results like these for your business?
I'll map out a clear plan, timeline, and realistic results for your project - no obligation.