Mask Portal URL

Then you need to make sure that this link can only be used once. Encrypted URL parameters are the way to go. For generated links, you will have to track usage in the database.

This is accurate. To add onto it: there is no method for making sure a portal URL, once generated, can only be used from within a specific website. However, if you generate using encrypted URLs and add the app behavior Stefan is suggesting to prevent using a URL twice, you'll have effectively achieved what you want.

Stefan Helzle  John Rogers  Can you further elaborate? The goal is to expire a URL but I don't think us having the URL tracked in the DB does much for us. The user can still save the URL and paste it later for future use and it will work.

Assuming your user is expected to take some sort of action on the portal site, then at the same time a unique identifier for that portal "instance" (which you'd invent at creation time and pass into it using URL parameters), would be written to the database as having been "used".  When the portal first loads, it would query that same database and make sure its "instance" identifier is not yet marked as "used", otherwise it would display a blank page / warning message / severe scolding / etc.  At least, that's the simplest way I can think of doing this off the top of my head.

Assuming your user is expected to take some sort of action on the portal site, then at the same time a unique identifier for that portal "instance" (which you'd invent at creation time and pass into it using URL parameters), would be written to the database as having been "used".  When the portal first loads, it would query that same database and make sure its "instance" identifier is not yet marked as "used", otherwise it would display a blank page / warning message / severe scolding / etc.  At least, that's the simplest way I can think of doing this off the top of my head.