[Daycrawler]

> So what, the site could route you through a server side proxy anyways

There's little interest in proxying through a token system (this would require a DB read at each click, and a DB write at each page generation), which means the actual link is available client-side and the whole thing can be bypassed.

[AgentME]

It's easy to design a system like this where the actual link isn't available client-side, and the server doesn't need to wait on a DB read and write before responding to the client: make the URL parameter be the destination URL encrypted so that only the server can read it. That kills the need for a DB read. Then the server can respond to the request before the DB write finishes since the integrity/consistency of that write is likely less critical than the response time.

[Daycrawler]

That's correct.

[bastawhiz]

Most implementations that I've seen, including Google's, just put the linked URL in the query params of the redirect endpoint URL.

'/redirect?url=...'