Share links

A share link is a single-use URL that, when visited, sets a cookie in the visitor's browser. The cookie satisfies the share-link gate (see Grants and visibility) for that browser, for as long as the share link is active.

Use share links when you want to give someone access without making them sign up — clients reviewing previews, designers sanity-checking mockups, journalists embargo-previewing a launch.

Create

vibehost app share-link create --app my-site

Output:

{
  "ok": true,
  "data": {
    "id": "shr_...",
    "url": "https://my-site.vibehost.space/_share/<token>",
    "createdAt": "2026-05-23T08:00:00Z",
    "expiresAt": null
  }
}

Send data.url to the recipient. The first time they open it, their browser gets a signed cookie (vh_share_<id>) that bypasses the share-link gate on subsequent requests.

List + revoke

vibehost app share-link ls --app my-site                  # all share links on this app

Revoke happens via the dashboard's app settings → Share links. Revoked links invalidate immediately — the cookie still exists in the browser but the dispatcher rejects it.

Best practices

What share links don't do

• They don't authenticate the visitor. The cookie is bound to the share link, not the person. Anyone with the URL can satisfy the gate.
• They don't bypass visibility = workspace or private grants. If the app is private and the visitor has no grant, they still get an access denial — share links only satisfy the share-link gate, not the grant gate. (Most use cases keep visibility public + private apps gate on grant alone; share links bridge the in-between case.)
• They don't expire by default. Set an expiry in the dashboard to auto-revoke.