diff --git a/functions/api/short-links/_middleware.ts b/functions/api/short-links/_middleware.ts
new file mode 100644
index 0000000..d639c1a
--- /dev/null
+++ b/functions/api/short-links/_middleware.ts
@@ -0,0 +1,14 @@
+import { jsonError } from "../../common.js";
+
+export async function onRequest(context: RequestContext) {
+  const { current_user: user } = context.data;
+
+  if (!user) return jsonError("Unauthorized", 401);
+
+  if (
+    ![0, 2, 4, 5, 6, 7, 9, 10, 11, 12].find((i) => user.permissions & (1 << i))
+  )
+    return jsonError("Forbidden", 403);
+
+  return await context.next();
+}
diff --git a/functions/api/short-links/list.ts b/functions/api/short-links/list.ts
new file mode 100644
index 0000000..d242c57
--- /dev/null
+++ b/functions/api/short-links/list.ts
@@ -0,0 +1,11 @@
+import { jsonResponse } from "../../common.js";
+
+export async function onRequestGet(context: RequestContext) {
+  const { results } = await context.env.D1.prepare(
+    "SELECT created_at, destination, path FROM short_links WHERE user = ?;",
+  )
+    .bind(context.data.current_user.id)
+    .all();
+
+  return jsonResponse(JSON.stringify(results));
+}