Shortcut endpoints
A shortcut is a per-action URL that any HTTP caller can hit — an Apple or
Android shortcut, a browser, curl, or a no-code automation tool — and
CommandLatch fires the pinned action on the paired device.
Shortcuts are simpler than webhooks. Webhooks require computing an HMAC signature with each request; shortcuts put the credential in the URL, so any HTTP client can use them with no signing required. Use shortcuts for phone automation apps and voice assistants; use webhooks for server-to-server integrations.
What it is
Section titled “What it is”Each shortcut is a narrow, single-purpose link:
- One device (the action fires there and only there).
- One action (
lock,lock_sleep,keep_awake_start, etc.). - The URL itself is the credential — anyone with it can trigger that one action.
- Rate-limited to prevent abuse if the URL is ever leaked.
- Revocable at any time, independently of the device pairing.
1. Create a shortcut endpoint
Section titled “1. Create a shortcut endpoint”In the web dashboard, open the Shortcuts tab (or expand Shortcuts under a device), fill in a name + action, and submit. The page shows the URL exactly once — copy it right away.
If you lose it, delete the shortcut and create a new one.
2. Wire the URL into a trigger
Section titled “2. Wire the URL into a trigger”The URL is a plain HTTP endpoint, so anything that can open a URL can fire it. GET or POST both work; no headers or signature are required.
Apple — iPhone, iPad & Mac
- Open the Shortcuts app (built into iOS, iPadOS, and macOS) and tap + to start a new shortcut.
- Add the Get Contents of URL action and paste the URL.
- (Optional) Tap Show More → Method and choose POST. GET also works.
- Name it something you can say — e.g. “Sleep my Mac” — and run it by voice, from the share sheet, a Home-Screen icon, or the Mac menu bar.
Android
- HTTP Shortcuts (free, open-source on Google Play) — add a shortcut with the URL, choose GET/POST, and place its home-screen widget. It can also be launched from Google Assistant.
- Tasker / MacroDroid — add an HTTP Request action with the URL, then bind it to a widget, voice command, NFC tag, or any automation.
Browser or terminal
- Paste the URL into any browser’s address bar and press enter.
- From a shell:
curl -X POST "<your URL>"(GET works too) — useful for cron jobs, CI, or scripts.
Automation tools
- Zapier / IFTTT: add a Webhooks action. Make: HTTP. n8n: HTTP Request. Set the method to GET/POST and paste the URL.
- Now any trigger those tools support — an email, a schedule, a button, a smart-home event — can fire the shortcut.
3. (Optional) Per-call overrides
Section titled “3. (Optional) Per-call overrides”If a shortcut needs runtime parameters — e.g. “lock my Mac in 30 seconds” — use POST with a JSON body:
{ "payload": { "delay_secs": 30 } }The payload field merges on top of the shortcut’s stored defaults, so a
single shortcut can be reused for “lock now” and “lock in N seconds” flows.
URL format
Section titled “URL format”The shortcut URL supports both GET and POST. No request body or headers are required.
Successful trigger response:
{ "command_id": "…", "expires_at": "2026-05-14T…Z" }The Mac picks up the command within a couple of seconds.
Rate limiting
Section titled “Rate limiting”Each shortcut is limited to 60 triggers per minute by default. This cap limits the impact if a URL is ever shared unintentionally. Every request counts — including rejected ones — so if you hit the limit, wait a moment before trying again. Contact support if a legitimate automation needs a higher limit.
Response codes
Section titled “Response codes”| Status | Body | Meaning |
|---|---|---|
201 | {"command_id","expires_at"} | Queued for the agent. |
401 | {"error":"invalid_token"} | Unknown or malformed token. |
403 | {"error":"shortcut_disabled"} | Owner toggled it off. |
403 | {"error":"remote_disabled"} | Device has remote commands off. |
429 | {"error":"rate_limited"} | Window cap exceeded. |
405 | {"error":"method_not_allowed"} | Use GET, POST, or OPTIONS. |
500 | {"error":"…"} | Database error; retry. |
Security
Section titled “Security”The URL is the only thing needed to trigger the shortcut, so treat it like a password. If you think a URL has been exposed, delete it in the dashboard — the link stops working immediately and you can create a new one.
Each shortcut is locked to a single device and a single action, so even in the worst case a compromised URL can only perform that one operation on that one machine. When you need a more secure, server-to-server integration, use a webhook instead.
Troubleshooting
Section titled “Troubleshooting”- The dashboard shows the URL exactly once. Save it into your trigger immediately. If you navigate away without copying it, delete the shortcut and create a new one.
{"error":"invalid_token"}from a copied URL. The URL must be copied exactly from the dashboard — no trailing slash, extra characters, or query string. Paste it directly rather than retyping.- Shortcut runs but nothing happens on the Mac. Confirm the device is Online in the dashboard. Commands expire 60 seconds after they’re queued — an offline Mac will miss them.
- The automation reads back the response. Many “fetch a URL” actions read the response aloud or pass it to the next step. Add a step that discards or replaces the response (for example, a notification with a static confirmation message).
- Need to change the action. The action is set at creation. Delete the shortcut, create a new one with the desired action, and update your trigger with the new URL.
See also
Section titled “See also”- Siri & phone shortcuts — the step-by-step walkthrough.
- Webhooks — signed requests for servers and CI.
- Use the dashboard — create and revoke shortcuts.