diff --git a/docs.json b/docs.json
index 6fe199b..5ecc585 100644
--- a/docs.json
+++ b/docs.json
@@ -97,6 +97,7 @@
"manage/access-control/create-user",
"manage/access-control/approvals",
"manage/access-control/rules",
+ "manage/access-control/links",
"manage/access-control/forwarded-headers",
"manage/access-control/login-page",
"manage/ssh",
diff --git a/manage/access-control/links.mdx b/manage/access-control/links.mdx
new file mode 100644
index 0000000..26629ba
--- /dev/null
+++ b/manage/access-control/links.mdx
@@ -0,0 +1,75 @@
+---
+title: "Share Links"
+icon: "link"
+description: "Create share links and use access tokens for browser or programmatic access."
+---
+
+import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
+
+
+
+Share links let you grant access to a resource without provisioning a full user account or changing the resource's main authentication settings.
+
+Use them when you need temporary access, simple external sharing, or token-based requests from scripts and integrations.
+
+## Create a Share Link
+
+From the resource authentication flow, create a share link by:
+
+1. Choosing the target resource.
+2. Adding a title if you want the link to be easy to identify later.
+3. Setting an expiration, or enabling **Never expire** if the link should stay valid until you revoke it.
+4. Copying the generated link and token details immediately after creation.
+
+
+Anyone with the link or access token can use it. Treat both like credentials.
+
+
+## Use the Access Token
+
+Pangolin can accept a share-link access token in either the query string or request headers.
+
+### Query Parameter
+
+By default, Pangolin accepts the access token in the `p_token` query parameter:
+
+```bash
+curl "https://resource.example.com/?p_token=."
+```
+
+The query-string value is the token ID and token joined with a `.`.
+
+If you changed `resource_access_token_param` in the config file, use that parameter name instead.
+
+### Request Headers
+
+By default, Pangolin accepts these headers:
+
+- `P-Access-Token-Id`
+- `P-Access-Token`
+
+Example:
+
+```bash
+curl \
+ -H "P-Access-Token-Id: " \
+ -H "P-Access-Token: " \
+ "https://resource.example.com/"
+```
+
+This is the same token data as the query-string form, just split into two headers instead of `.`.
+
+If you changed `resource_access_token_headers.id` or `resource_access_token_headers.token` in the config file, use the configured names shown by your deployment.
+
+## Expiration and Revocation
+
+- Expiring links stop working automatically when their lifetime ends.
+- Non-expiring links remain valid until you delete them.
+- Deleting the share link revokes both the link and its access token.
+
+## Important Notes
+
+- Share links are best for targeted sharing and automation, not broad long-term access.
+- Share-link access does not carry per-user identity headers to the upstream app. For identity-aware upstream integrations, see [Forwarded Headers](/manage/access-control/forwarded-headers).
+- For the underlying auth settings on the resource itself, see [Authentication](/manage/resources/public/authentication).
+- For the self-hosted config fields behind these defaults, see [Config File](/self-host/advanced/config-file#resource_access_token_param).