SaaS / Developer Tools2026Active // Live at shur.click

shur.click

A production-grade SaaS URL shortener with guest flows, account management, click analytics, geo tracking, and Razorpay-powered subscription billing

CLIENT ROLEFull-Stack Engineering, System Architecture, UI/UX Design
YEAR2026
CORE TECH
Spring BootReactTypeScriptPostgreSQL+4
STATUSLIVE
MEASURED IMPACT
Auth Methods Supported3OTP email flow, Google Identity sign-in, and password-based login all handled natively
Redirect LatencySub 50msOptional Redis lookup cache serves hot short codes without hitting the database
Guest to User ConversionSeamlessGuest links created before signup are automatically migrated into the user account on sign-in
Plan EnforcementAutomatedFree tier capped at 5 links, Pro tier unlocked for 30 days on payment verification
Analytics DepthPer clickClick counts, last accessed timestamps, and country-level geo breakdown for Pro users
API CoverageFull OpenAPIEvery endpoint documented and explorable via Swagger UI powered by springdoc

Section 01 - The Problem

The goal was to build a URL shortener that could actually be shipped and monetised, not a tutorial project. That meant handling real-world concerns from day one: guest users who convert mid-session, multiple auth methods, rate limiting, a billing system with plan enforcement, and analytics that give Pro users a reason to pay.

Most URL shortener implementations stop at the happy path: paste a URL, get a short link, done. shur.click was designed to go further. It needed to handle anonymous users who create links before deciding to sign up, and do so without losing their work in the process. It needed authentication that covered multiple entry points including OTP-based signup, Google sign-in, password reset, email change verification, and account deletion, all with proper security boundaries. It needed a billing layer that was not just a checkout button but a real plan enforcement system where free users hit a cap, Pro users get unlocked capabilities, and the subscription state is tied to verified payment events rather than client-side flags. And it needed to be fast enough that redirect latency was never something a user would notice, which meant thinking about caching from the architecture stage rather than bolting it on later.

Section 02 - Diagnosis

01

Guest Flow Design

The most common drop-off point in tools like this is the moment a user is asked to sign up before they have seen any value. The solution was to allow up to 2 link creations as an anonymous user identified by a browser token. When that user signs up or logs in, those guest links are detected and migrated into their account automatically. The user never loses work and the signup moment comes after they have already experienced the product.

02

Auth Complexity Mapping

Supporting three authentication methods while keeping the security model consistent required careful planning. OTP flows cover signup, password reset, and email change, each with its own verification step and expiry window. Google Identity sign-in runs through a separate token verification path. JWT is used for session management across both flows with Spring Security handling access control. Each path had to be rate limited independently to prevent abuse without punishing legitimate users.

03

Billing and Plan State Architecture

Razorpay checkout is straightforward. The harder problem is what happens after payment: verifying the webhook, updating plan state atomically, handling failed payments, and enforcing limits accurately on every link creation request. Plan state is stored server-side and checked at the API layer, not the frontend, so there is no way to bypass limits by manipulating client state. Pro status expires after 30 days unless renewed.

04

Redirect Performance Planning

Short code redirects are the highest-traffic operation in any URL shortener. Every redirect hitting the database under load would create a ceiling on throughput. Redis was introduced as an optional lookup cache for hot short codes, meaning frequently accessed links resolve without a database round trip. The architecture supports running without Redis in development and enabling it in production through a single config flag.

Section 03 - Solution

Built shur.click as a production-ready SaaS product with a Spring Boot API backend and a React TypeScript frontend. Every feature from link creation to billing to analytics was designed for real-world use, not just demonstration.

01

Link Creation and Management

Users can create short links with an auto-generated code or a custom alias using alphanumeric characters, underscores, and hyphens between 3 and 20 characters long. URLs without a protocol prefix are automatically normalised to https. The dashboard lets signed-in users list all their links, copy the short URL, view click counts and last accessed time, generate a QR code, and delete links. Free users are capped at 5 links. Pro users have no limit.

02

Guest Flow and Link Migration

Anonymous users can create up to 2 links before being prompted to sign up, identified by a browser-scoped anonymous token. On signup or sign-in, the backend detects any links associated with that token and transfers ownership to the newly authenticated account. The user sees all their links in the dashboard without needing to recreate them. This flow was designed to lower the barrier to first value and improve signup conversion.

03

Authentication System

Three auth paths are supported. OTP-based email flows handle new account signup, forgotten password reset, and profile email change, each requiring a time-limited verification code delivered via Resend. Google Identity Services handles one-tap Google sign-in on the frontend with token verification on the backend. All sessions are managed with JWT. Spring Security enforces route-level access control. In-memory rate limiting is applied to OTP endpoints and other sensitive routes to prevent abuse.

04

Razorpay Billing and Plan Enforcement

Pro plan upgrade flows through Razorpay Checkout on the frontend with payment verification handled server-side using the Razorpay Java SDK. On successful verification, the user account is updated to Pro status with a 30-day expiry. Plan limits are enforced at the API layer on every link creation request, so free users cannot exceed 5 links regardless of what the frontend shows. The Pro price is configured in subunits server-side and displayed as $2.00 per month on the frontend.

05

Click Analytics and Geo Tracking

Every redirect records a click event with a timestamp and the short code accessed. Click counts and last accessed times are visible to all signed-in users on their dashboard. Pro users additionally get country-level breakdown of where their clicks are coming from, giving them a basic but genuinely useful picture of their audience geography. Analytics are stored in PostgreSQL and queried per link on the dashboard.

06

Performance, Infrastructure, and Developer Experience

Short code redirects optionally resolve through a Redis lookup cache, bypassing the database for hot links and keeping redirect latency consistently low under load. The backend is built on Java 17 with Spring Boot 3.2 and uses H2 for test runs so the full test suite runs without a live database. Every API endpoint is documented through springdoc OpenAPI and explorable via Swagger UI. The frontend is built with React 19, TypeScript, and Vite for fast development builds. Public pages include SEO metadata, a sitemap, a robots file, and app icons configured for sharing and indexing.