The key

Every short link comes with one revocation key. The key is generated server-side from a cryptographic random source, returned to you exactly once in the shorten response, and then forgotten. What stays on disk is an argon2 hash of the key, not the key itself.

Why one chance

Storing the plaintext key would mean a database compromise hands every link to whoever reads the dump. Emailing it would mean a mailbox compromise does the same. Adding a recovery flow would mean inventing a second secret to protect the first, and we would be right back where we started. The simplest honest design is to hand the key to the person who made the link, once, and trust them to save it.

What happens if you lose it

The link keeps working. fwd2 has no way to verify that you are the one who created it. There is no support ticket, no email reset, no operator override. That is the trade.

How to use it

Paste the code and the key into revoke a link, or call the API. Either path verifies the key against the stored hash and deletes the link on match. A wrong key returns the same error as an unknown code, so guessing reveals nothing.

How to save it

A password manager is the obvious choice. A note in a private file works. A piece of paper in a drawer works. fwd2 does not have an opinion. The only thing fwd2 has an opinion about is that the key lives with you, not with us.