WarpLink
Concepts

Password Protection

How password-protected links work in WarpLink.

WarpLink supports password-protected links that require users to enter a password before being redirected to the destination.

How It Works

The entire password flow happens in the Cloudflare Worker — no round-trip to the origin server:

  1. User clicks a password-protected WarpLink URL
  2. The Worker detects that the link has a password set
  3. The Worker serves an HTML form asking for the password
  4. User enters the password and submits the form
  5. The Worker hashes the submitted password and compares it to the stored hash
  6. Match — User is redirected to the destination via 302
  7. No match — The form is re-displayed with an error message

Server-Side Validation

Password validation is entirely server-side:

  • Passwords are stored as hashes in the link configuration (never in plaintext)
  • The comparison happens in the Worker at the edge
  • No client-side JavaScript is needed for validation
  • The password is submitted via an HTML form POST

This means the password flow works even with JavaScript disabled.

Setting a Password

Set a password when creating or updating a link via the API:

curl -X POST https://api.warplink.app/v1/links \
  -H "Authorization: Bearer wl_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "destination_url": "https://example.com/secret-content",
    "password": "my-secret-password"
  }'

Or set it in the dashboard when creating or editing a link.

Removing a Password

Update the link and set the password to null:

curl -X PATCH https://api.warplink.app/v1/links/LINK_ID \
  -H "Authorization: Bearer wl_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "password": null }'

Behavior with Bots

Social media bots that crawl password-protected links receive the OG/Twitter Card metadata without needing the password. The social preview is still generated — only the redirect to the final destination requires the password.

Limitations

  • Password-protected links do not support deep linking into mobile apps (the HTML form step breaks the Universal Link / App Link flow)
  • The password form is served with a standard HTML page — custom styling is not currently supported
  • Passwords are per-link (not per-user). Anyone with the password can access the link.

Social Previews

How WarpLink generates rich link previews for social media.

Firebase Dynamic Links Migration

Step-by-step guide to migrate from Firebase Dynamic Links to WarpLink.

On this page

How It WorksServer-Side ValidationSetting a PasswordRemoving a PasswordBehavior with BotsLimitations