# exl.ink

> Ephemeral, no-login developer utilities — file links, tunnels, webhook bins, pipes, secrets, short links, and network/DNS/email tools — all usable over plain HTTP by humans, scripts, and AI agents. No account, no API key, no database. Resources are unguessable random ids that expire; there is no list or search endpoint.

For agents: most tools are a single `curl` away. Read the full reference (every endpoint, params, and curl examples) at /llms-full.txt, or import the OpenAPI 3.1 contract at /openapi.json. All limits below are the free tier; a Pro pass (bought over HTTP) multiplies them.

## Quickstart
```
# one-time file link (≤ 100 MB, 3/12h per IP, gone after one download or 6h)
curl --data-binary @file.zip "https://exl.ink/api/upload?filename=file.zip"
# catch a webhook: create a bin, then read what hit it
curl -s https://exl.ink/api/bin/new
curl -s "https://exl.ink/api/bin/<id>?secret=<secret>"
# a public URL that streams incoming requests to your terminal
curl -s "https://exl.ink/api/tunnel/open?mode=sink"
# what's my public IP / is my port open / is this site up?
curl https://exl.ink/api/ip
```

## Tools
- [File link](https://exl.ink/): drop any file → a one-time direct link; `POST /api/upload?filename=`, download `GET /d/<id>` (served once).
- [Tunnel](https://exl.ink/tunnel): a public URL that relays HTTP to your machine — receive webhooks or expose localhost; `GET /api/tunnel/open`, stream via `/api/tunnel/pull`.
- [Request bin](https://exl.ink/bin): a public URL that records incoming requests so you can inspect them; `GET /api/bin/new`.
- [HTTP pipe](https://exl.ink/pipe): stream bytes between two machines with two curls; `GET /api/pipe/new`, then `/p/<id>`.
- [One-time secret](https://exl.ink/secret): burn-after-reading text; `POST /api/secret` (server-side) or in-browser E2EE.
- [Short link](https://exl.ink/short): throwaway redirect with optional click cap/TTL; `GET|POST /api/short?url=`.
- [Connection inspector](https://exl.ink/ip): your public IP, rDNS, geo, and the request as received; `GET /api/ip`.
- [Port checker](https://exl.ink/port): is a port open from the internet on your own IP; `GET /api/port?p=443`.
- [Uptime + TLS](https://exl.ink/check): fetch a URL from outside — status, redirects, latency, cert expiry; `GET /api/check?url=`.
- [Scheduled callback](https://exl.ink/later): have the server POST your webhook once, later; `GET|POST /api/later?url=&in=30m`.
- [DNS toolkit](https://exl.ink/dns): resolve across three resolvers (propagation) or audit SPF/DMARC/DKIM/MX; `GET /api/dns?name=&type=`.
- [Pub/sub channel](https://exl.ink/bus): live SSE fan-out — POST a message, every subscriber gets it; `GET|POST /api/bus/<channel>`.
- [Disposable inbox](https://exl.ink/inbox): a throwaway address that catches incoming email; `GET /api/inbox/new`.
- [Blind XSS catcher](https://exl.ink/xss): catch blind/stored/OOB XSS — inject a payload, get the victim's page, cookies & DOM when it fires; `GET /api/xss/new`. Authorized testing only.
- [OOB callback logger](https://exl.ink/oast): a unique URL that logs every request it receives, to detect blind SSRF/RCE/SQLi; `GET /api/oast/new`. Authorized testing only.
- [Payload host](https://exl.ink/host): serve a small JS/HTML/SVG/CSRF blob repeatedly with a chosen Content-Type and open CORS; `POST /api/host?type=`. Authorized testing only.
- [Redirector](https://exl.ink/redir): a token that 30x-redirects to any target (internal IPs, non-HTTP schemes, multi-hop chains) for SSRF/open-redirect tests; `GET|POST /api/redir?url=`. Authorized testing only.
- [QR code](https://exl.ink/qr): render any text or URL as an SVG QR code; `GET /api/qr?text=`.

## Reference & specs
- [Full API reference](https://exl.ink/llms-full.txt): every endpoint, parameter, response shape, limit, and curl example, in prose.
- [OpenAPI 3.1 spec](https://exl.ink/openapi.json): machine-readable contract — import into Postman/Insomnia, generate a client, or load into an agent tool layer.
- [Raise the limits](https://exl.ink/pro): optional Pro pass (signed bearer token, paid with crypto) that multiplies every per-window limit; send as `Authorization: Bearer`, `X-Exl-Pass:`, or `?pass=`.

## Notes
- File links and secrets are single-use — `HEAD` for metadata, `GET` only to consume. A second read returns 404.
- Honor `429` + `Retry-After`. Everything is ephemeral; don't rely on it for durable storage.
- Treat every returned URL (and any `#fragment` key) as a bearer secret.