Claim flow

Lifecycle

• Agent calls POST /api/links (or CLI / SDK) without a signed-in Linky session. Linky creates the bundle anonymously and mints a claim token that expires in 30 days.
• Response returns claimToken, claimUrl, claimExpiresAt, and a warning. The CLI prints them in green; the SDK returns them; the web UI renders a "keep this for later" card.
• User visits /claim/<token>. Signed-out visitors see Sign-in / Sign-up CTAs that round-trip back to the claim URL via redirect_url. Signed-in visitors have the token consumed atomically and land on /dashboard/links/<slug> as the new owner.

One-shot guarantee

• claimToken is returned exactly once. Lose it and the Linky can never be bound to an account. Persist it to a secret store immediately.
• Consuming a token is atomic — races can't double-assign a Linky.
• No endpoint re-issues a claim token for an existing anonymous Linky. By design.

Expiry + windows

• Claim window: 30 days from create time. Not extended by re-reads or passive activity.
• After expiry the Linky stays live at /l/<slug> but cannot be bound to an account. Anonymous Linkies are permanent — no TTL on the bundle itself.
• Anonymous Linkies remain immutable until claimed. Policies attached at create time by an anonymous caller lock with the Linky.

Ownership rules at claim time

Organization context wins. If the claiming user has an active Linky organization, ownership is attributed to the organization (team-owned). Switch to your personal account in the organization switcher before claiming to attribute to your individual user instead.

Claiming is a no-op on bundles that already have an owner — prevents a race from transferring a claimed Linky a second time.

Failure modes