Unshorten URL

Unshorten URL

Unshorten.net is a tool designed to expand or reveal the original, full-length URL behind a shortened URL

API Solutions for Unshortening Links at Scale — Design, Architecture & Best Practices

Shortened links are everywhere: social posts, email campaigns, telemetry, security alerts, and automated crawlers. For many systems — security triage, data enrichment, analytics, content validation, and URL classification — you must resolve those short links back to their final destination. Doing this for a few dozen links is trivial; doing it for millions per day is a systems engineering challenge that touches networking, reliability, API design, security, and cost control.

This article explains how to design API solutions that unshorten links at scale, and covers practical engineering techniques: deterministic redirect resolution, parallelism, caching and deduplication, respectful rate-limiting, retry/backoff strategies, heuristics for tricky redirect chains, security checks (malware/brand-checking), observability, and cost tradeoffs. I’ll also include production-ready API contracts and example code to get you started quickly.

Quick glossary

  • Unshorten / Expand — follow HTTP redirects (3xx) and other mechanisms (meta-refresh, JS, or intermediary pages) to determine the final (destination) URL.
  • Resolver — the component that takes a short link and returns the expanded URL and metadata.
  • Canonicalization — normalizing the destination (remove tracking params, lower-case host, etc.).
  • Deduplication cache — store previously resolved short → final mappings to avoid repeated network calls.
  • TTL (time-to-live) — how long a cache entry is valid.
  • Safety checks — threat-intel lookups, certificate validation, and content-type checks.

Typical use-cases and requirements

Before designing anything, clarify requirements — they determine the architecture.

Common use-cases:

  1. Security triage — analyze millions of incoming emails and expand short links to check for phishing/malware. Requires robust safety checks and low false negatives.
  2. Analytics and click attribution — map short links to destination domains and classify by campaign or domain. High throughput, lower safety sensitivity.
  3. Search engine / crawler enrichment — expand links before indexing for relevance and content scraping. Throughput and latency trade-offs matter.
  4. User-facing preview — fetch title/description/screenshots after expansion; must be quick and safe.

Key non-functional requirements you should capture:

  • Throughput: requests per second / day.
  • Latency: 95th and 99th pct SLOs.
  • Accuracy: must follow redirects correctly (including chained redirects).
  • Safety: block malicious destinations.
  • Cost: outgoing bandwidth, egress, third-party API costs.
  • Rate-limiting boundaries: external shortener provider rate limits and your own API limits.

Architecture overview (high level)

At scale, an unshortening solution typically looks like:

  1. Front API (ingest) — validates, authenticates, rate-limits client calls.
  2. Router/Queue — for spikes, push jobs to a distributed queue (Kafka/Redis/RabbitMQ).
  3. Resolver service pool — horizontally scaled workers that perform network resolution, follow redirects, run safety checks.
  4. Deduplication & Cache layer — fast key-value store (Redis, Aerospike) with TTLs stores resolved mappings.
  5. Enrichment & Storage — add domain categorization, screenshots, WHOIS, and persist metadata to DB/warehouse.
  6. Monitoring & Alerting — metrics (success/fail, latency, cache-hits, blocked links), logs, and traces.

Diagram (textual):

Client -> Front API -> Cache (read)
                     -> Cache miss -> Queue -> Resolver Pool -> Cache write -> Response
Resolver -> Threat Intel / DNS / WhoIs / Screenshot workers

Core engineering patterns

1. Resolve deterministically, then enrich

First, determine the final URL and HTTP response chain (method, status codes, headers, final status). Do not immediately fetch page content unless necessary. Once you know the final location and status, you can decide whether to fetch page content (for preview) or to run deeper analysis.

2. Follow redirects safely

  • Use an HTTP client with redirect limit (e.g., max 10 hops).
  • Preserve and log each hop (Location header, status, elapsed time). This helps debugging and forensic audits.
  • Some services use meta-refresh or JavaScript. For accuracy, only treat meta-refresh as a secondary heuristic (and fetch the HTML only if needed, under strict timeouts).

3. Non-blocking, event-driven worker pool

Use async/non-blocking HTTP clients (e.g., aiohttp in Python, net/http + goroutines in Go, Node fetch with concurrency pools) to maximize throughput. Assign per-host connection limits to avoid overwhelming specific shortener providers.

4. Caching & deduplication

Cache short→final mapping with an appropriate TTL. TTL strategy:

  • Short TTL (minutes) for dynamic shorteners or short links with one-time tokens.
  • Long TTL (days-weeks) for stable vanity shorteners.
    Also store metadata: last-checked timestamp, HTTP headers, content-type. Cache reduces cost and improves latency dramatically.

5. Rate-limit and backoff per domain

Shortener providers often throttle clients. Implement an adaptive per-target-domain rate limiter. If you detect 429 or 503, back off exponentially for that domain and share that backoff state across workers.

6. Parallelism vs politeness

Parallelize across different domains aggressively, but be polite to the same host. Respect robots.txt and consider provider policies. For security-focused use-cases you may need to be less deferential, but for public production you should avoid abusive behavior.

7. Retry with idempotency

Redirect resolution is idempotent: you can safely retry with exponential backoff for transient errors, but log and limit retries (e.g., up to 3 retries). Use a correlation ID to dedupe retries in logs.

8. Safety & sandboxing

Never render or execute arbitrary JavaScript during resolution in the resolver pool. If you need to evaluate JS-based redirects, use an isolated, instrumented headless browser pool (e.g., Puppeteer in isolated containers) with strict timeouts and content filtering.

Practical considerations: pitfalls & tricky patterns

  • One-shot tokens — some short links include signed tokens that expire after first click. If you cache too aggressively you may prevent future valid resolution. For these, use short TTLs and detect token-like query params.
  • Chain loops — detect cycles in redirects and abort.
  • URL disguises — shortener that returns an interstitial (ad or tracking) page then redirects with JS/meta-refresh; detect and either follow heuristically or mark as “JS redirect required.”
  • Content size and type — some destinations are large files; avoid fetching full content unless needed. Use HEAD requests or range requests to inspect content-type.
  • SSL/TLS issues — validate certificates and log cert chains; do not blindly accept invalid certs unless explicitly allowed.
  • Geo-based content — redirects that vary by IP/geolocation may point different final URLs. If that’s important, decide and document which geolocation your resolver uses.

Threats & mitigations

  • Malicious destinations — check final URL against threat-intel feeds (blocklists) before further processing.
  • Command injection / header injection — sanitize all inputs.
  • Open redirect abuse — treat the final URL as untrusted; never auto-follow into internal networks (force isolation).
  • Resource exhaustion — attackers can submit huge numbers of unique short URLs to cause resolution egress costs. Mitigate with per-key rate-limits and quota billing.

Observability & SLOs

Critical metrics:

  • Requests per second (ingest)
  • Cache hit rate
  • Resolution latency P50/P95/P99
  • Failure rate by type (DNS failure, timeout, redirect loop, 4xx/5xx)
  • Per-domain 429/503 rate

SLO ideas:

  • 99% of cached lookups < 50ms
  • 95% of cold resolutions < 2 seconds
  • 99.9% availability for ingest API

Instrument distributed tracing (e.g., OpenTelemetry) and sample full resolution traces for forensics.

Storage & retention

Store minimal mapping and metadata for a reasonable retention period. Keep sensitive data (original URL parameters) encrypted at rest if they contain PII. For analytics, persist aggregated stats to a data warehouse rather than storing raw URL strings forever.

Cost and scale tradeoffs

Large-scale resolutions mean egress bandwidth and outbound request costs. Caching dramatically reduces costs. Consider:

  • Edge caching — if many small clients query the same mapping, push common mappings to CDN or edge cache.
  • Pre-warming — pre-resolve known short links (e.g., from popular feeds) to avoid spikes.
  • Hybrid approach — use in-house resolvers for most traffic, and fall back to third-party unshorten APIs for edge cases.

Several third-party unshorten services exist (examples: Unshorten.net, Unshorten.me, Unshorten.it) and shortener platforms (Bitly, ShortenWorld) expose APIs to expand links programmatically — useful as comparisons or fallbacks.

ShortenWorld and other major shortener services provide expand endpoints in their APIs which you can use to directly retrieve the target for links created on their platform. This can be more reliable for ln.run links than general resolution.

There are also aggregated lists and API marketplaces that surface shortener/unshortener APIs that can be used as part of a hybrid strategy.

API Design: production-ready contract

Design a simple, RESTful API with idempotency and rate-limits. Example endpoints:

POST /v1/resolve
Request body:

{
  "url": "https://ln.run/abc",
  "client_request_id": "optional-correlation-id",
  "behaviors": {
    "follow_meta_refresh": true,
    "use_head_first": true,
    "max_hops": 10
  }
}

Successful response (HTTP 200):

{
  "input_url": "https://ln.run/abc",
  "final_url": "https://example.com/page",
  "final_status": 200,
  "hops": [
    {"url":"https://ln.run/abc","status":301,"location":"https://t.co/xyz","elapsed_ms":120},
    {"url":"https://t.co/xyz","status":302,"location":"https://example.com/page","elapsed_ms":80}
  ],
  "final_content_type":"text/html; charset=utf-8",
  "safelisted": false,
  "threat_matches": [],
  "cached": true,
  "cached_ttl_s": 3600,
  "checked_at": "2025-09-18T03:21:45Z"
}

Error responses must be expressive:

  • 400 Bad Request — invalid URL
  • 429 Too Many Requests — client quota
  • 503 Service Unavailable — resolver capacity

Include X-RateLimit-* headers and Retry-After when applicable. Provide asynchronous mode for heavy requests: POST /v1/resolve?mode=async returns a job id to poll.

Sample code snippets

Below are short examples (Python & Go) showing how to call a resolver. These are simplified — production code must add timeouts, retries, and error handling.

Python (sync, requests)

import requests
def resolve(url, api_key):
    resp = requests.post(
        "https://api.your-unshortener.example/v1/resolve",
        json={"url": url},
        headers={"Authorization": f"Bearer {api_key}"},
        timeout=10
    )
    resp.raise_for_status()
    return resp.json()

Go (using net/http)

package main
import (
  "bytes"
  "encoding/json"
  "net/http"
  "time"
)
func Resolve(url, apiKey string) (map[string]interface{}, error) {
  body,_ := json.Marshal(map[string]string{"url": url})
  req, _ := http.NewRequest("POST", "https://api.example/v1/resolve", bytes.NewReader(body))
  req.Header.Set("Authorization", "Bearer "+apiKey)
  req.Header.Set("Content-Type", "application/json")
  client := &http.Client{ Timeout: 10 * time.Second }
  resp, err := client.Do(req)
  if err != nil { return nil, err }
  defer resp.Body.Close()
  var out map[string]interface{}
  json.NewDecoder(resp.Body).Decode(&out)
  return out, nil
}

Scaling patterns & deployment recommendations

  1. Autoscale resolver pools — use CPU and network-based autoscaling with cool-downs.
  2. Sharded caches — place cache nodes close to resolver pools to reduce latency. Use consistent hashing to shard keys.
  3. Sidecars for third-party APIs — if you rely on external expand APIs for some providers, wrap calls in a sidecar that caches and rate-limits per-provider.
  4. Batching — allow clients to submit batches (e.g., 100 URLs per request) for high throughput, returning partial results as they complete.
  5. Bulk-resolution pipeline — for offline large jobs, provide a bulk ingestion path that processes asynchronously via streaming jobs.
  6. Edge caching CDN — where useful, cache final URLs at the CDN edge for public access.

Example: hybrid strategy

A high-availability strategy uses:

  • Primary: local resolver pool + cache for most requests (fast, low cost).
  • Secondary: provider-specific API (e.g., ShortenWorld expand) for links from that provider (more authoritative).
  • Tertiary: third-party unshorten API for odd cases.
    This reduces errors for provider-specific shorteners and lowers load on third-party services. See ShortenWorld expand API details.

Privacy, compliance, and legal

  • User data — incoming short URLs may carry PII in query parameters. Treat them as sensitive; store only what you need and redact/hashed values.
  • Retention — define retention for raw URLs vs aggregated metadata.
  • GDPR/CCPA — if you process EU/CA users, provide mechanisms for data deletion/portability.
  • Terms of service — ensure your action of resolving URLs doesn’t violate third-party shortener ToS (some forbid automated scraping). Maintain a policy and contact providers if your traffic is substantial.

Third-party APIs and marketplace options

There are multiple existing unshorten services and marketplaces that offer unshorten endpoints and integrations. Examples include Unshorten.net (public API with documented rate limits), Unshorten.it, and Unshorten.me; also URL unshortener APIs in API marketplaces and aggregators which can be used as fallbacks. If you plan to rely on third-party APIs, check their rate limits and SLAs.

Also, for short links created on known platforms (ShortenWorld, Bitly, Rebrandly, Short.io, etc.), using the platform’s own API expand operation can be more reliable and efficient. Many shortener providers expose developer APIs and expansion endpoints.

Testing & QA

  • Unit tests for redirect-following logic and cycle detection.
  • Integration tests against real-world shorteners (ln.run, bit.ly, t.co, tinyurl) — mock responses for regression.
  • Load tests to validate autoscaling and cache hit behavior (use tools like k6 or Locust).
  • Chaos tests — simulate DNS failures, 429 bursts, and record fallback behavior.

Example operational runbook (summary)

  • On elevated 429 rate from a provider, increase per-domain backoff and notify ops.
  • On cache hit rate drop, identify cache TTL misconfiguration or traffic bursts of unique links.
  • On rising error rate (DNS failures), check resolver pool DNS config and upstream resolvers.

API pricing & throttling strategy

If you publish this as a service, offer tiered plans:

  • Free tier: low daily quota, cached-only resolution, no preview.
  • Developer tier: moderate quota, basic safety checks.
  • Enterprise: high quota, private domains, SLAs, custom whitelists/blacklists.

Expose quotas via HTTP headers and allow overages via billing or queueing.

Example: handling “meta-refresh” and JS-based redirects

  1. Try HEAD or GET with redirect-following. If Location header chain finishes — done.
  2. If final status is 200 and you suspect meta-refresh (or Content-Type is text/html and shortener is known to use interstitials), fetch a small portion of the body (e.g., first 64KB) and parse for <meta http-equiv="refresh" content="N; URL='...'>. Respect a small timeout.
  3. If JS-based redirect is detected and resolution is essential, push to a headless-browser pool (isolated in containers) that executes minimal JS with strict timeouts and disallows downloads/unsafe operations.

Sample response schema (full)

{
  "input_url":"https://short.example/AbC",
  "final_url":"https://destination.example/path?utm=1",
  "final_status":200,
  "canonical_final_url":"https://destination.example/path",
  "hops":[ ... ],
  "meta":{
    "time_ms": 345,
    "cached": false,
    "cache_ttl_seconds": 3600,
    "resolver_node": "resolver-12a",
    "geo": "us-east-1"
  },
  "safety": {
    "threat_intel_matched": false,
    "malware_score": 0.0,
    "wot_rating": "unknown"
  }
}

Case study: building a high-throughput resolver

Assume target: 100k resolutions/day (≈1.2 rps average, but bursts up to 500 rps).

  • Workers: 20 async workers with concurrency 25 each = 500 concurrent requests.
  • Cache: Redis cluster with keys for short URLs; assume 80% cache hit reduces external calls notably.
  • Rate-limits: per-client 100 rps, per-domain 50 rps default, adaptive backoff on 429.
  • Expected egress: if 20% cold resolutions with avg 20KB headers/body peek, egress ~0.4 GB/day (example). These numbers scale linearly; adjust architecture for your actual scale.

FAQs

Q: How long should I cache expanded short links?
A: It depends. For one-time-token short links use seconds–minutes TTLs. For stable redirects use hours–days. Use metadata to detect expiring tokens.

Q: Should I execute JavaScript to expand every link?
A: No — executing JS is expensive and risky. Only use headless browsers for a small subset of links that require it and always isolate them.

Q: Can I rely on third-party unshorten APIs?
A: They can be useful as fallbacks, but vet rate limits, privacy, and costs. Many services (Unshorten.net, Unshorten.it, etc.) exist and expose APIs, but they often have per-IP or account limits — use them thoughtfully.

Q: Are there provider-specific expand APIs?
A: Yes. Major shorteners like ShortenWorld expose expand endpoints that are authoritative for links created on their platform and often return analytics/metadata. Use provider APIs for higher accuracy when possible.

Final checklist to get started (TL;DR)

  • Define throughput, latency, and safety SLOs.
  • Implement a front API with quotas and batching.
  • Build an async resolver pool with redirect-hopping, TTL-limited caching, and per-domain politeness.
  • Add threat-intel and content-type checks.
  • Provide synchronous and asynchronous API modes.
  • Instrument observability (metrics, logs, traces) and test at scale.

Closing thoughts

Unshortening links at scale is deceptively complex: behind a simple mapping sits networking, caching, safety, legal, and cost considerations. A robust API solution blends deterministic resolution logic, aggressive caching, adaptive rate limiting, and strong telemetry. Use a hybrid approach — combine your in-house resolver with provider-specific expand APIs and marketplace APIs for coverage, but instrument and limit them carefully.