Developer Terms

1. Scope

These Developer Terms apply to API keys, public API endpoints, MCP tools, webhooks or scripts, conversion tracking, code examples, documentation, SDK-like materials, automation, and integrations that interact with ShortURL.bot. They supplement the Terms of Service.

2. API Keys and Credentials

You are responsible for securing API keys, tokens, secrets, workspace scopes, and integration credentials. Do not embed secret keys in public client-side code, public repositories, shared screenshots, browser extensions, or places where unauthorized users can access them. You are responsible for all activity through your keys.

3. Permitted Use

You may use the API and MCP tools only to create, read, update, manage, automate, or measure your own authorized links, QR codes, pages, forms, conversion events, workspaces, and related assets according to documentation, plan limits, and applicable law.

If you connect an MCP-capable AI assistant, agent, browser extension, desktop client, or other automated client to our MCP tools, you are responsible for choosing, vetting, and securing that client, for limiting the scope of access, and for reviewing the actions the client takes on your behalf. Actions performed through your MCP integration, including actions triggered by prompts, attached documents, pasted content, or content fetched from a destination URL, count as your actions under these Terms. You are responsible for the risk that an AI client is induced by prompt injection, adversarial content, or compromised context to take actions you did not intend. We may rate-limit, suspend, or revoke MCP access that we reasonably believe is being abused or is exposing the Service to risk.

4. Prohibited Use

You may not use developer features to bypass product limits, scrape data, bulk-create abusive links, attack or stress the Service, reverse engineer private endpoints, enumerate users or workspaces, create deceptive clients, sell access as a competing service, hide abusive traffic, violate platform rules, or process data without required notice and consent.

5. Rate Limits and Changes

API and MCP access is subject to rate limits, quotas, throttling, feature gates, entitlement rules, and fair-use limits. We may change endpoints, schemas, limits, authentication requirements, or behavior with or without notice where needed for security, legal compliance, reliability, abuse prevention, or product evolution.

6. Conversion Tracking and Customer Data

If you send lead, sale, customer, invoice, email, name, revenue, or event data to conversion endpoints or scripts, you must have a lawful basis, provide required notices, obtain required consent, and avoid sending sensitive or regulated data unless permitted. You must not use conversion tracking to circumvent privacy choices or browser controls.

7. Security Testing

Do not perform vulnerability testing, load testing, automated scanning, fuzzing, credential testing, or denial-of-service testing without written authorization. Report suspected vulnerabilities through the Help Center or admin@shorturl.bot and avoid accessing or disclosing other users' data.

8. Suspension and Revocation

We may throttle, suspend, revoke, rotate, or require re-authentication of keys or clients if we detect abuse, security risk, excessive usage, unpaid balances, terms violations, data-protection concerns, or activity that threatens the Service or third parties.

9. No Service-Level Commitment

Developer features, examples, preview endpoints, and MCP tools are provided as-is unless a separate written agreement states otherwise. We do not guarantee availability, backward compatibility, latency, completeness, or suitability for your use case.

10. Webhooks and Outbound Events

If you enable webhooks, event streams, or other outbound event delivery from the Service to an endpoint you control, you are responsible for the security, availability, validation, and data handling of that endpoint. Event payloads may contain click identifiers, conversion details, campaign metadata, customer-provided identifiers, and other fields determined by your configuration and by the visitors who interact with your links, forms, or pages.

Webhook payloads are signed with HMAC-SHA256 over the raw request body, using your workspace webhook secret, and delivered in the X-ShortUrl-Signature header. You must verify the signature before acting on received data. Payload format, signature header name, secret rotation, and retry behavior are documented in the Help Center and may evolve as the Service changes; we will not weaken the signature scheme without notice.

We do not guarantee ordering, exactly-once delivery, latency, or retry success; events may be delayed, duplicated, dropped, re-sent, or delivered out of order. We may throttle, disable, rotate, or redirect webhook delivery where we detect abuse, security risk, delivery failures, or endpoints that appear compromised. You are solely responsible for the lawful use of event data at your endpoint, including applicable privacy notices, consent capture, retention, and security measures.

11. Contact

Developer terms questions can be sent through the Help Center or to admin@shorturl.bot.