fix(short-io): address PR review feedback

- Change apiKey visibility from 'hidden' to 'user-only' in all 6 tools
- Simplify block tool selector to string interpolation
- Move QR code generation to server-side API route, return as file
  object (name, mimeType, data, size) matching standard file pattern
- Update block outputs and docs to reflect file type for QR code

Author: abram0v1ch

apps/docs/content/docs/en/tools/short_io.mdx

@@ -135,9 +135,7 @@ Generate a QR code for a Short.io link. Returns a base64 data URL (e.g. data:ima
 
 | Parameter   | Type    | Description                                      |
 | ---------- | ------- | ------------------------------------------------ |
-| `success`  | boolean | Success status                                   |
-| `qrCodeURL`| string  | Base64 data URL of the QR code image              |
-| `error`    | string  | Error message                                     |
+| `file`     | file    | Generated QR code image file                      |
 
 ### `short_io_get_analytics`
 

apps/sim/app/api/tools/short_io/qr/route.ts

@@ -0,0 +1,98 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('ShortIoQrAPI')
+
+const ShortIoQrSchema = z.object({
+  apiKey: z.string().min(1, 'API key is required'),
+  linkId: z.string().min(1, 'Link ID is required'),
+  color: z.string().optional(),
+  backgroundColor: z.string().optional(),
+  size: z.number().min(1).max(99).optional(),
+  type: z.enum(['png', 'svg']).optional(),
+  useDomainSettings: z.boolean().optional(),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Short.io QR request: ${authResult.error}`)
+      return NextResponse.json(
+        { success: false, error: authResult.error || 'Authentication required' },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validated = ShortIoQrSchema.parse(body)
+
+    const qrBody: Record<string, unknown> = {
+      useDomainSettings: validated.useDomainSettings ?? true,
+    }
+    if (validated.color) qrBody.color = validated.color
+    if (validated.backgroundColor) qrBody.backgroundColor = validated.backgroundColor
+    if (validated.size) qrBody.size = validated.size
+    if (validated.type) qrBody.type = validated.type
+
+    const response = await fetch(`https://api.short.io/links/qr/${validated.linkId}`, {
+      method: 'POST',
+      headers: {
+        Authorization: validated.apiKey,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(qrBody),
+    })
+
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => response.statusText)
+      logger.error(`[${requestId}] Short.io QR API error: ${errorText}`)
+      return NextResponse.json(
+        { success: false, error: `Short.io API error: ${errorText}` },
+        { status: response.status }
+      )
+    }
+
+    const contentType = response.headers.get('Content-Type') ?? 'image/png'
+    const fileBuffer = Buffer.from(await response.arrayBuffer())
+    const mimeType = contentType.split(';')[0]?.trim() || 'image/png'
+    const ext = validated.type === 'svg' ? 'svg' : 'png'
+    const fileName = `qr-${validated.linkId}.${ext}`
+
+    logger.info(`[${requestId}] QR code generated`, {
+      linkId: validated.linkId,
+      size: fileBuffer.length,
+      mimeType,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        file: {
+          name: fileName,
+          mimeType,
+          data: fileBuffer.toString('base64'),
+          size: fileBuffer.length,
+        },
+      },
+    })
+  } catch (error: unknown) {
+    if (error instanceof z.ZodError) {
+      return NextResponse.json(
+        { success: false, error: `Validation error: ${error.errors.map((e) => e.message).join(', ')}` },
+        { status: 400 }
+      )
+    }
+    const message = error instanceof Error ? error.message : 'Unknown error'
+    logger.error(`[${requestId}] Short.io QR error: ${message}`)
+    return NextResponse.json({ success: false, error: message }, { status: 500 })
+  }
+}

apps/sim/blocks/blocks/short_io.ts

@@ -159,24 +159,7 @@ export const ShortIoBlock: BlockConfig<ToolResponse> = {
             'short_io_get_analytics',
         ],
         config: {
-            tool: (params) => {
-                switch (params.operation) {
-                    case 'create_link':
-                        return 'short_io_create_link'
-                    case 'list_domains':
-                        return 'short_io_list_domains'
-                    case 'list_links':
-                        return 'short_io_list_links'
-                    case 'delete_link':
-                        return 'short_io_delete_link'
-                    case 'get_qr_code':
-                        return 'short_io_get_qr_code'
-                    case 'get_analytics':
-                        return 'short_io_get_analytics'
-                    default:
-                        throw new Error(`Invalid Short.io operation: ${params.operation}`)
-                }
-            },
+            tool: (params) => `short_io_${params.operation}`,
             params: (params) => {
                 const { apiKey, operation, size, domainId, limit, ...rest } = params
                 const out: Record<string, unknown> = { ...rest, apiKey }
@@ -222,7 +205,7 @@ export const ShortIoBlock: BlockConfig<ToolResponse> = {
         links: { type: 'array', description: 'List of links (from List Links)' },
         nextPageToken: { type: 'string', description: 'Pagination token for next page' },
         deleted: { type: 'boolean', description: 'Whether the link was deleted' },
-        qrCodeURL: { type: 'string', description: 'Base64 data URL of the generated QR code image' },
+        file: { type: 'file', description: 'Generated QR code image file' },
         clicks: { type: 'number', description: 'Total clicks in period' },
         totalClicks: { type: 'number', description: 'Total clicks' },
         humanClicks: { type: 'number', description: 'Human clicks' },

apps/sim/tools/short_io/create_link.ts

@@ -10,7 +10,7 @@ export const shortIoCreateLinkTool: ToolConfig<ShortIoCreateLinkParams, ToolResp
     apiKey: {
       type: 'string',
       required: true,
-      visibility: 'hidden',
+      visibility: 'user-only',
       description: 'Short.io Secret API Key',
     },
     domain: {

apps/sim/tools/short_io/delete_link.ts

@@ -7,7 +7,7 @@ export const shortIoDeleteLinkTool: ToolConfig<ShortIoDeleteLinkParams, ToolResp
   description: 'Delete a short link by ID (e.g. lnk_abc123_abcdef). Rate limit 20/s.',
   version: '1.0',
   params: {
-    apiKey: { type: 'string', required: true, visibility: 'hidden', description: 'Short.io Secret API Key' },
+    apiKey: { type: 'string', required: true, visibility: 'user-only', description: 'Short.io Secret API Key' },
     linkId: { type: 'string', required: true, visibility: 'user-or-llm', description: 'Link ID to delete' },
   },
   request: {

apps/sim/tools/short_io/get_analytics.ts

@@ -22,7 +22,7 @@ export const shortIoGetAnalyticsTool: ToolConfig<ShortIoGetAnalyticsParams, Tool
     apiKey: {
       type: 'string',
       required: true,
-      visibility: 'hidden',
+      visibility: 'user-only',
       description: 'Short.io Secret API Key',
     },
     linkId: { type: 'string', required: true, visibility: 'user-or-llm', description: 'Link ID' },

apps/sim/tools/short_io/get_qr_code.ts

@@ -10,7 +10,7 @@ export const shortIoGetQrCodeTool: ToolConfig<ShortIoGetQrParams, ToolResponse>
     apiKey: {
       type: 'string',
       required: true,
-      visibility: 'hidden',
+      visibility: 'user-only',
       description: 'Short.io Secret API Key',
     },
     linkId: {
@@ -46,14 +46,15 @@ export const shortIoGetQrCodeTool: ToolConfig<ShortIoGetQrParams, ToolResponse>
     },
   },
   request: {
-    url: (params) => `https://api.short.io/links/qr/${params.linkId}`,
+    url: '/api/tools/short_io/qr',
     method: 'POST',
-    headers: (params) => ({
-      Authorization: params.apiKey,
+    headers: () => ({
       'Content-Type': 'application/json',
     }),
     body: (params) => {
       const body: Record<string, unknown> = {
+        apiKey: params.apiKey,
+        linkId: params.linkId,
         useDomainSettings: params.useDomainSettings ?? true,
       }
       if (params.color != null && params.color !== '') body.color = params.color
@@ -64,31 +65,22 @@ export const shortIoGetQrCodeTool: ToolConfig<ShortIoGetQrParams, ToolResponse>
     },
   },
   transformResponse: async (response: Response) => {
-    if (!response.ok) {
-      const err = await response.text().catch(() => response.statusText)
-      return { success: false, output: { success: false, error: err } }
+    const data = await response.json().catch(() => ({}))
+    if (!response.ok || !data.success) {
+      return {
+        success: false,
+        output: { success: false, error: data.error || response.statusText },
+      }
     }
-
-    const contentType = response.headers.get('Content-Type') ?? ''
-    const blob = await response.blob()
-    const arrayBuffer = await blob.arrayBuffer()
-    const bytes = new Uint8Array(arrayBuffer)
-    let binary = ''
-    for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]!)
-    const base64 = typeof btoa !== 'undefined' ? btoa(binary) : ''
-    const mediaType = contentType.split(';')[0]?.trim() || 'image/png'
-    const dataUrl = base64 ? `data:${mediaType};base64,${base64}` : ''
     return {
       success: true,
-      output: { success: true, qrCodeURL: dataUrl },
+      output: data.output,
     }
   },
   outputs: {
-    success: { type: 'boolean', description: 'Success status' },
-    qrCodeURL: {
-      type: 'string',
-      description: 'Base64 data URL of the QR code image (e.g. data:image/png;base64,...)',
+    file: {
+      type: 'file',
+      description: 'Generated QR code image file',
     },
-    error: { type: 'string', description: 'Error message' },
   },
 }

apps/sim/tools/short_io/list_domains.ts

@@ -7,7 +7,7 @@ export const shortIoListDomainsTool: ToolConfig<ShortIoListDomainsParams, ToolRe
   description: 'List Short.io domains. Returns domain IDs and details for use in List Links.',
   version: '1.0',
   params: {
-    apiKey: { type: 'string', required: true, visibility: 'hidden', description: 'Short.io Secret API Key' },
+    apiKey: { type: 'string', required: true, visibility: 'user-only', description: 'Short.io Secret API Key' },
   },
   request: {
     url: 'https://api.short.io/api/domains',

apps/sim/tools/short_io/list_links.ts

@@ -8,7 +8,7 @@ export const shortIoListLinksTool: ToolConfig<ShortIoListLinksParams, ToolRespon
     'List short links for a domain. Requires domain_id (from List Domains or dashboard). Max 150 per request.',
   version: '1.0',
   params: {
-    apiKey: { type: 'string', required: true, visibility: 'hidden', description: 'Short.io Secret API Key' },
+    apiKey: { type: 'string', required: true, visibility: 'user-only', description: 'Short.io Secret API Key' },
     domainId: {
       type: 'number',
       required: true,