diff --git a/Caddyfile b/Caddyfile
index f99b060..70ef180 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -5,20 +5,44 @@
 
 :8550 {
 	# route by host header to each backend
+
 	@paste host {env.PASTE_DOMAIN}
 	handle @paste {
+		# privatebin ui
 		reverse_proxy privatebin:8080
 	}
 
 	@files host {env.FILES_DOMAIN}
 	handle @files {
+		# lufi ui
 		reverse_proxy lufi:8081
 	}
 
 	@short host {env.SHORT_DOMAIN}
 	handle @short {
+		# shlink ui/api default
 		reverse_proxy shlink:8080
 	}
 
+	# --- adapter endpoint so privatebin can call a simple ?link=... and get a plain-text short url ---
+	# this lives on the same short domain; it just proxies to your tiny bun adapter service
+	@shorten host {env.SHORT_DOMAIN} && path /shorten
+	handle @shorten {
+		# allow browser calls from your privatebin origin
+		header {
+			Access-Control-Allow-Origin https://{env.PASTE_DOMAIN}
+			Access-Control-Allow-Methods GET, OPTIONS
+			Access-Control-Allow-Headers *
+			# do not cache shortened responses; they contain the full (keyed) url
+			Cache-Control no-store
+		}
+		# forward to the adapter (which turns GET ?link=... into a shlink POST and replies with text)
+		reverse_proxy shlink-adapter:3000
+	}
+
+	# preflight for /shorten
+	@shortenPre host {env.SHORT_DOMAIN} && method OPTIONS && path /shorten
+	respond @shortenPre 204
+
 	respond "unauthorized domain" 404
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index a8e79ff..cdaacb1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,6 +11,7 @@ services:
             - PASTE_DOMAIN=${PASTE_DOMAIN}
             - FILES_DOMAIN=${FILES_DOMAIN}
             - SHORT_DOMAIN=${SHORT_DOMAIN}
+            - INITIAL_API_KEY=${INITIAL_API_KEY}
         networks:
             - proxy
 
diff --git a/privatebin.conf.php b/privatebin.conf.php
index 192bf87..367d760 100644
--- a/privatebin.conf.php
+++ b/privatebin.conf.php
@@ -65,7 +65,10 @@ availabletemplates[] = "bootstrap-compact-page"
 ; (optional) URL shortener address to offer after a new document is created.
 ; It is suggested to only use this with self-hosted shorteners as this will leak
 ; the documents encryption key.
-; urlshortener = "https://shortener.example.com/api?link="
+; in privatebin.conf.php  ([main] section)
+; important: only do this with your self-hosted shortener (see note below)
+
+urlshortener = "https://{env.SHORT_DOMAIN}/shorten?link="
 
 ; (optional) Whether to shorten the URL by default when a new document is created.
 ; If set to true, the "Shorten URL" functionality will be automatically called.