TinyURL / Short URL Service

✅ Functional Requirements

• Given a long URL, generate a shorter unique alias (the "short link")
• When users hit a short link, redirect them to the original URL
• Users can optionally pick a custom alias for their URL
• Links expire after a default timespan; users can override the expiry

⚙️ Non-Functional Requirements

• Highly available — if redirection is down, every link on the internet pointing at us is broken
• Real-time redirection — under 100ms latency p99
• Unguessable short keys — should not be predictable (for privacy & abuse)

➕ Extended

• Analytics — click counts, geo, referrer, browser
• REST APIs for other services to integrate

Writes

~200 URLs/sec

500M / (30 × 86400)

Reads

~20K redirects/sec

100 × 200/sec

Ingress

~100 KB/s

200 × 500 bytes

Egress

~10 MB/s

20K × 500 bytes

💥 Hash collisions at write time

Two users submit the same long URL — they get the same short hash. Or worse, two different URLs hash to the same 6-character prefix. Each create now costs a DB read (to check collision) before the write. At 200 writes/sec each adding a round trip, write latency creeps up — and collision-retry storms can spike it 10×.

💥 20K reads/sec crushes one DB

A single MySQL instance tops out around 5K-10K simple SELECTs/sec on commodity hardware. We need 20K, growing 20%/year. The DB CPU pegs at 100% and p99 latency balloons from 5ms to 500ms — every redirect on the internet now feels broken.

💥 15TB doesn't fit on one box

Five years of growth gives us 15TB of data. A single MySQL server with one disk can't hold it. Even if it could, backup/restore takes hours and a single disk failure loses every link we ever made — which is unacceptable for a service whose entire promise is "this link works forever".

✍️ Write Path

200 req/sec. Low volume, but every request must be durable — losing a write means a user got back a short link that points to nothing. Latency budget: 50-100ms. Needs strong consistency on the unique-key constraint.

📖 Read Path

20,000 req/sec. 100× the write volume. Latency budget: 50ms p99 — a slow redirect is a broken-feeling link. Stale reads are fine (URLs don't change). Cacheable up to the moon.

🔑 Key Generation

Constant background process. Manufacture unique 6-char keys offline so the write path never has to retry on collisions. Decoupled from request traffic entirely — pre-fills a pool that workers drain.

① Client

Anything that hits a TinyURL — a browser following a tweet link, a mobile app deep-linking, an integration calling our API. The browser is the most common; it sends a plain HTTP GET on the short URL and expects a 302 redirect. From the client's view, the entire system is one URL.

Solves: nothing on its own — but every design choice flows backward from "what does the client experience?" Latency, availability, and the redirect protocol are all client-facing concerns.

② CDN (CloudFront / Akamai)

A globally-distributed edge network that sits in front of the load balancer. For very hot URLs (think the top 1000 viral links), the CDN caches the 302 response at edge POPs around the world. A user in Tokyo following a hot link never reaches our origin servers — they get the redirect from a CDN node 20ms away.

Solves: global latency. Without a CDN, every redirect from Tokyo travels to our US-East data center and back — 200ms minimum on physics alone. A CDN turns that into 20ms for the head of the long-tail distribution, which is most of the traffic.

③ Load Balancer

The traffic cop. Sits in front of both write and read app servers, distributes incoming HTTP, and yanks unhealthy backends out of rotation via health checks every few seconds. Round-robin is fine to start; switch to least-connections once we have enough nodes that load skew matters.

Solves: single-server bottleneck and single-server failure. Without an LB, one app crash takes down the whole service. With it, we lose 1/N of capacity for a few seconds until health checks fail the bad node out.

④ Write App Server

Stateless service that handles POST /api/v1/urls. The flow per request: validate input → ask KGS for an unused key → write (hash, original_url, ...) to the URL DB → return the short URL. Total budget: under 100ms. Scaling is easy because it's stateless — add pods behind the LB.

Solves: isolating the heavy lifting (key generation, DB write) behind a clean API surface. Without a dedicated write tier, write traffic would compete with the much larger read traffic for app server CPU — causing reads to slow down whenever a write spike hits.

⑤ Key Generation Service (KGS)

A standalone service whose only job is to pre-generate random 6-character base62 keys and stockpile them in the Key DB. It runs on its own cadence — say batches of 10K keys every minute — and serves keys to write app servers from an in-memory queue. When a key is handed out, it's atomically moved from the "unused" pool to the "used" pool. With 56.8 billion possible keys and 200 writes/sec, the pool will outlast 5 years easily.

Solves: the core write-path problem. Without KGS, every write must do "generate hash → check DB for collision → retry if dup → insert", which is two round trips minimum and gets worse as the namespace fills up. With KGS, the write path is one round trip with zero collision risk by construction.

What if KGS dies? Single point of failure — solved by running an active-standby pair. Each write app server also caches a small batch of keys locally (~100 keys), so a 30-second KGS outage doesn't stop creates.

⑥ Key DB (KGS storage)

Two tables: unused_keys (the pool waiting to be claimed) and used_keys (already assigned). At 6 bytes per key × 56.8B keys this is ~341GB if we ever fully populate it — but in practice we only keep maybe 1M unused keys ahead of demand, so it's tiny. A simple key-value store works fine.

Solves: persisting the pool so KGS can restart without losing keys. If KGS held keys only in memory and crashed, we'd lose 10K unallocated keys per restart — acceptable, but persisting them lets us also support fancier schemes like "reserve a key for 5 minutes for a logged-in user".

⑦ Read App Server

Stateless service that handles GET /:url_key. The flow per request: parse hash from URL → check cache → on hit, return 302; on miss, query URL DB, populate cache, return 302 → emit a click event to telemetry. Latency budget: under 50ms. Scaled aggressively because read traffic is 100× write traffic.

Solves: serving the redirect workload at scale without touching the write path. Splitting reads from writes lets each tier scale independently — 50 read pods and 5 write pods, not 55 of each.

⑧ Cache (Memcached / Redis)

An in-memory key-value store holding the hottest 20% of URL mappings — about 170GB. Read flow: app server sends GET hash → cache returns the long URL in microseconds. Eviction policy: LRU — the least-recently-viewed mapping gets evicted first. Replicated for fault tolerance and to spread the load (no single cache node serves all 20K req/sec).

Solves: the 20K req/sec problem. Without a cache, every redirect hits the DB. With it, 80% of requests never touch the DB — letting the DB tier stay sized for the cold-tail 4K req/sec instead of the full 20K.

⑨ URL DB (Cassandra / DynamoDB)

The source of truth — a partitioned, replicated NoSQL key-value store holding all 30 billion (hash → original_url) mappings. Sharded by hash via consistent hashing, with each shard replicated 3× across availability zones. Cassandra's quorum reads (R=2, W=2, N=3) give us strong-enough consistency without sacrificing availability.

Solves: durable storage that scales horizontally. A single MySQL box maxes out around 1TB of healthy operation; we need 15TB. Cassandra spreads it across dozens of nodes and handles node failures automatically.

⑩ Cleanup Service

A background worker that scans the URL DB for expired entries (every link has an expiration_date) and either soft-deletes them or fully removes them, returning the freed key to the KGS unused pool for recycling. Runs in low-traffic windows. Also lazily expires URLs on read — if a read app server fetches an expired URL, it deletes it and returns 404.

Solves: preventing the DB from growing unbounded with abandoned/expired links. Without cleanup, our 5-year storage estimate would be 5-year accumulation forever — eventually we'd be paying to store 100TB of dead links nobody clicks.

⑪ Telemetry Pipeline

Every redirect emits a click event ({hash, timestamp, geo, referrer, user_agent}) to a Kafka topic. Downstream consumers fan out: real-time aggregator updates click counts in a Redis sorted set; batch ETL feeds a data warehouse for "show me the click history of tinyurl.com/abc". Crucially this is async — the read app server doesn't wait for telemetry before returning the 302.

Solves: click analytics without slowing down the redirect. If we tried to UPDATE click_count = click_count + 1 in the URL DB on every read, a viral link with 10K clicks/sec would melt that DB row. The async pipeline absorbs the spike and rolls up counts safely in the background.

✍️ Write flow — Sarah shortens her blog link at 14:02:06

1. Sarah's browser ① POSTs to tinyurl.com/api/v1/urls with her long URL.
2. The Load Balancer ③ routes it to a Write App Server ④. (CDN ② doesn't cache write requests.)
3. The write app calls KGS ⑤: "give me a key" → KGS pops jlg8zpc from its in-memory pool and atomically marks it used in Key DB ⑥.
4. Write app inserts {hash: "jlg8zpc", original_url: "https://...", user_id: 42, expiration: 2030-12-31} into URL DB ⑨ — sharded by hash, replicated 3×.
5. Write app returns {short_url: "https://tinyurl.com/jlg8zpc"}. Total elapsed: 60ms.

📖 Read flow — Raj in Tokyo clicks the link 8 hours later

1. Raj's browser ① GETs tinyurl.com/jlg8zpc. DNS routes him to the nearest CDN ② edge in Tokyo.
2. CDN cache hit? If yes → 302 returned in 15ms. Done.
3. If no → CDN forwards to our origin Load Balancer ③ → Read App Server ⑦.
4. Read app checks Cache ⑧ for jlg8zpc → hit (the link is hot today) → returns 302 with the long URL. ~30ms.
5. If cache miss → read app queries URL DB ⑨, populates the cache, returns 302. ~80ms.
6. Read app fires off a click event to Telemetry ⑪ asynchronously. CDN may also cache this 302 for next time.

✅ Why KGS wins

• Zero collision risk at write time — uniqueness is guaranteed by the unused pool
• One round-trip per write (vs. 1-3 with hashing)
• Same long URL submitted twice → two different short keys → independent analytics & expiry
• Can pre-warm the pool, app servers cache 100 keys locally for burst tolerance
• Recycle expired keys back into the pool — namespace never permanently fills

⚠️ KGS's own challenges

• Single point of failure — solved with an active-standby replica that takes over via failover
• Concurrency — two write apps must not get the same key. Solved by an atomic POP from a Redis set, or a row-level SELECT FOR UPDATE on the unused table
• Lost keys on crash — if KGS hands a key to a write app that then crashes before INSERT, the key is gone. Acceptable: 56.8B keys, losing a few thousand to crashes is rounding error

💥 A read-before-write on every single create

Every shorten request now pays for at least one extra DB round trip just to ask "is this key free?" As the keyspace fills (30B of 56.8B keys used), collisions get more frequent, so some requests loop "generate → check → collision → regenerate → check" several times. The 60ms write budget blows up under collision-retry storms.

💥 A race condition the check can't catch

Two write servers generate the same key at the same millisecond. Both run "SELECT where hash=X" → both see "free" → both INSERT. One silently overwrites the other, and a user who just shortened a link finds it now points somewhere else. The existence check is not atomic with the insert, so it can never fully prevent this.

🎲 Strategy A — Pre-generated random pool

A background job generates random 6-char base62 keys using a cryptographically-secure RNG (SecureRandom), and inserts each into an unused_keys table with a UNIQUE constraint. Duplicate generations simply fail the insert and are skipped — and because this runs offline, that collision check costs nobody any request latency.

Pro: keys are genuinely unpredictable (unguessable). Con: you must store the pool of unused keys.

🔢 Strategy B — Counter + base62 encode

Keep a single monotonic counter and base62-encode the integer to get the key: 1 → "b", 125000000 → "8M0kX". Collisions are mathematically impossible — each integer maps to exactly one string — so no existence check ever runs.

Pro: zero storage (just an integer), zero collisions ever. Con: raw counters are sequential and guessable, so you run the counter through a reversible scramble (Feistel / multiply-by-large-coprime mod 62⁶) so output looks random while staying unique.

① Write App Server (key consumer)

The stateless service handling POST /api/v1/urls. It does not call KGS per request — it holds a block of keys (say 1,000) in local memory and pops one per create. When its local block runs low (e.g. 10% remaining), it asks the allocator for the next block in the background, so it never blocks a user while topping up.

Solves: turning a network call into a memory read. Without local blocks, every create is a synchronous round-trip to KGS — adding latency and making KGS a 200 req/sec choke point.

② Block Allocator

The only contended operation in the whole service: "give out the next block." It performs one atomic step — INCRBY counter 1000 in Redis, or SELECT … FOR UPDATE on a counter row in SQL — and returns the range [N … N+1000). Sub-millisecond, and it runs only once per ~1,000 creates.

Solves: the race condition from Pass 1. Because the bump is atomic and ranges are disjoint, two app servers can never receive overlapping keys — uniqueness is guaranteed by construction, with zero existence checks.

③ Background Generator

For the random-pool strategy (A), this batch job runs on its own clock — generate 10K random base62 keys, bulk-insert into unused_keys with a UNIQUE constraint, skip the rare duplicate. For the counter strategy (B), there's no pool to fill; this box is just the scramble function applied at hand-out time.

Solves: moving collision-checking off the hot path. All the "is this key taken?" work happens here, offline, where latency doesn't matter and a retry costs nobody anything.

④⑤ Active + Standby KGS

KGS is a single point of failure — if it's the only thing that can mint keys, its death stops every create on the platform. So we run an active-standby pair: the standby watches the active via heartbeat and takes over the counter (which is persisted in ⑥) within seconds if the active dies.

Solves: availability of the write path. Combined with the app-server local block cache (①), even a 30-second failover window doesn't drop a single create.

⑥ Counter Row / Key DB

The durable source of truth. For strategy B it's literally one integer (the high-water mark of allocated blocks); for strategy A it's two tables — unused_keys and used_keys. Persisting it means a KGS restart resumes from the last allocated block, never from the last used key.

Solves: not re-issuing keys after a crash. If the counter lived only in memory, a restart could replay block [1…1M] twice and hand the same keys to two different URLs — silent overwrites again.

⑦ Recycled-Key Feed

When the Cleanup Service (§11) expires a URL, its key is freed and pushed back into the unused_keys pool (strategy A only — counter-based keys aren't recycled, the space is large enough not to bother).

Solves: the namespace never permanently fills. Without recycling, every expired link would burn a key forever; with it, the 56.8B keyspace effectively never runs dry.

❌ Range-based sharding by first letter

"All URLs whose hash starts with A go to shard 1, B to shard 2…" Easy to implement, predictable. But: hashes aren't uniformly distributed across the alphabet, so some shards get hot. And custom aliases like my-blog-post all start with M — that shard melts.

✅ Hash-based sharding (with consistent hashing)

Compute shard = consistent_hash(url_hash) % N. Distribution is uniform by construction. Use consistent hashing (not modulo) so adding/removing a shard only relocates 1/N of keys instead of all of them — no global rebalancing during scale-out.

📦 Sizing

170GB to hold the hot 20% (calculated in §3). Modern servers ship with 256GB+ RAM, but we use 4-6 cache nodes for redundancy and to spread the 20K QPS load. Memcached or Redis both work; Redis wins if we want to also cache click counts in sorted sets.

♻️ Eviction

LRU (least recently used). Hot URLs stay hot — a viral tweet's link lives in cache for days. Cold URLs naturally roll out as fresh content takes their slot. Implemented via a linked hash map / Redis LRU policy.

🔄 Invalidation

URLs are immutable (you can't edit where a short link points), so we only invalidate on delete/expire. The cleanup service explicitly invalidates the cache key when it expires a URL. No write-through complexity needed.

① Client → App tier

Public-facing LB (AWS ALB / nginx). Distributes incoming HTTPS across read and write app pods. Health-checks every 5s, evicts unhealthy pods. Terminates TLS so backend pods don't pay the crypto cost.

② App → Cache

Client-side or sidecar LB. Uses consistent hashing on the URL hash so the same hash always goes to the same cache node — maximizing hit rate.

③ App → DB

Cassandra/DynamoDB drivers do this themselves — the client knows the cluster topology and routes to the right shard's coordinator node.

🐢 Lazy cleanup (preferred)

Don't actively scan for expired entries — wait until a user actually requests one. On read, the app server checks the expiration; if expired, returns 404 to the user and asynchronously deletes the row. Trade-off: expired-but-unread entries linger in the DB forever, but storage is cheap and we save a giant background scan.

🧹 Active cleanup (supplement)

A lightweight Cleanup Service ⑩ runs nightly during low-traffic windows, scanning for entries where expiration_date < now() and bulk-deleting them. Returns the freed keys to the KGS unused pool for recycling.

🔐 Private URLs

Add a visibility column: PUBLIC (anyone can resolve) or PRIVATE (only the creator + whitelisted users). On read, the app server checks the auth token against an ACL table; on mismatch, return 401 instead of 302.

🛡️ Abuse / phishing

Submitted URLs go through a real-time Google Safe Browsing check before being shortened. Rejected URLs return 400. Reactive: a "report abuse" link on every redirect page; reported URLs go into a moderation queue.

🚫 Rate limiting

Per-API-key quota — 1000 URLs/hour for free tier, higher for paid. Implemented at the LB or in a dedicated rate-limiter service (token bucket in Redis). Anonymous creates require captcha.

🔒 Unguessable keys

KGS-generated keys are random 6-character base62, not sequential. An attacker can't enumerate /aaaaaa, /aaaaab, ... to discover private URLs — the keyspace is 56.8B, sparsely populated, so brute force is infeasible.