docs: add share links access token guide

Split from #76 (https://github.com/fosrl/docs-v2/pull/76).

docs.json

@@ -97,6 +97,7 @@
                                     "manage/access-control/create-user",
                                     "manage/access-control/approvals",
                                     "manage/access-control/rules",
+                                    "manage/access-control/links",
                                     "manage/access-control/forwarded-headers",
                                     "manage/access-control/login-page",
                                     "manage/ssh",

manage/access-control/links.mdx

@@ -0,0 +1,75 @@
+---
+title: "Share Links"
+icon: "link"
+description: "Create share links and use access tokens for browser or programmatic access."
+---
+
+import PangolinCloudTocCta from "/snippets/pangolin-cloud-toc-cta.mdx";
+
+<PangolinCloudTocCta />
+
+Share links let you grant access to a resource without provisioning a full user account or changing the resource's main authentication settings.
+
+Use them when you need temporary access, simple external sharing, or token-based requests from scripts and integrations.
+
+## Create a Share Link
+
+From the resource authentication flow, create a share link by:
+
+1. Choosing the target resource.
+2. Adding a title if you want the link to be easy to identify later.
+3. Setting an expiration, or enabling **Never expire** if the link should stay valid until you revoke it.
+4. Copying the generated link and token details immediately after creation.
+
+<Warning>
+Anyone with the link or access token can use it. Treat both like credentials.
+</Warning>
+
+## Use the Access Token
+
+Pangolin can accept a share-link access token in either the query string or request headers.
+
+### Query Parameter
+
+By default, Pangolin accepts the access token in the `p_token` query parameter:
+
+```bash
+curl "https://resource.example.com/?p_token=<token-id>.<access-token>"
+```
+
+The query-string value is the token ID and token joined with a `.`.
+
+If you changed `resource_access_token_param` in the config file, use that parameter name instead.
+
+### Request Headers
+
+By default, Pangolin accepts these headers:
+
+- `P-Access-Token-Id`
+- `P-Access-Token`
+
+Example:
+
+```bash
+curl \
+  -H "P-Access-Token-Id: <token-id>" \
+  -H "P-Access-Token: <access-token>" \
+  "https://resource.example.com/"
+```
+
+This is the same token data as the query-string form, just split into two headers instead of `<token-id>.<access-token>`.
+
+If you changed `resource_access_token_headers.id` or `resource_access_token_headers.token` in the config file, use the configured names shown by your deployment.
+
+## Expiration and Revocation
+
+- Expiring links stop working automatically when their lifetime ends.
+- Non-expiring links remain valid until you delete them.
+- Deleting the share link revokes both the link and its access token.
+
+## Important Notes
+
+- Share links are best for targeted sharing and automation, not broad long-term access.
+- Share-link access does not carry per-user identity headers to the upstream app. For identity-aware upstream integrations, see [Forwarded Headers](/manage/access-control/forwarded-headers).
+- For the underlying auth settings on the resource itself, see [Authentication](/manage/resources/public/authentication).
+- For the self-hosted config fields behind these defaults, see [Config File](/self-host/advanced/config-file#resource_access_token_param).