Here Now

1---2name: here-now3description: >4  Publish files and folders to the web instantly. Static hosting for HTML sites,5  images, PDFs, and any file type. Sites can connect to external APIs (LLMs,6  databases, email, payments) via proxy routes with server-side credential7  injection. Use when asked to "publish this", "host this", "deploy this",8  "share this on the web", "make a website", "put this online", "upload to9  the web", "create a webpage", "share a link", "serve this site", "generate10  a URL", or "build a chatbot". Outputs a live, shareable URL at {slug}.here.now.11---12 13# here.now14 15**Skill version: 1.12.1**16 17Create a live URL from any file or folder. Static hosting with optional proxy routes for calling external APIs server-side.18 19To install or update (recommended): `npx skills add heredotnow/skill --skill here-now -g`20 21For repo-pinned/project-local installs, run the same command without `-g`.22 23## Requirements24 25- Required binaries: `curl`, `file`, `jq`26- Optional environment variable: `$HERENOW_API_KEY`27- Optional credentials file: `~/.herenow/credentials`28 29## Create a site30 31```bash32./scripts/publish.sh {file-or-dir}33```34 35Outputs the live URL (e.g. `https://bright-canvas-a7k2.here.now/`).36 37Under the hood this is a three-step flow: create/update -> upload files -> finalize. A site is not live until finalize succeeds.38 39Without an API key this creates an **anonymous site** that expires in 24 hours.40With a saved API key, the site is permanent.41 42**File structure:** For HTML sites, place `index.html` at the root of the directory you publish, not inside a subdirectory. The directory's contents become the site root. For example, publish `my-site/` where `my-site/index.html` exists — don't publish a parent folder that contains `my-site/`.43 44You can also publish raw files without any HTML. Single files get a rich auto-viewer (images, PDF, video, audio). Multiple files get an auto-generated directory listing with folder navigation and an image gallery.45 46## Update an existing site47 48```bash49./scripts/publish.sh {file-or-dir} --slug {slug}50```51 52The script auto-loads the `claimToken` from `.herenow/state.json` when updating anonymous sites. Pass `--claim-token {token}` to override.53 54Authenticated updates require a saved API key.55 56## Client attribution57 58Pass `--client` so here.now can track reliability by agent:59 60```bash61./scripts/publish.sh {file-or-dir} --client cursor62```63 64This sends `X-HereNow-Client: cursor/publish-sh` on publish API calls.65If omitted, the script sends a fallback value.66 67## API key storage68 69The publish script reads the API key from these sources (first match wins):70 711. `--api-key {key}` flag (CI/scripting only — avoid in interactive use)722. `$HERENOW_API_KEY` environment variable733. `~/.herenow/credentials` file (recommended for agents)74 75To store a key, write it to the credentials file:76 77```bash78mkdir -p ~/.herenow && echo "{API_KEY}" > ~/.herenow/credentials && chmod 600 ~/.herenow/credentials79```80 81**IMPORTANT**: After receiving an API key, save it immediately — run the command above yourself. Do not ask the user to run it manually. Avoid passing the key via CLI flags (e.g. `--api-key`) in interactive sessions; the credentials file is the preferred storage method.82 83Never commit credentials or local state files (`~/.herenow/credentials`, `.herenow/state.json`) to source control.84 85## State file86 87After every site create/update, the script writes to `.herenow/state.json` in the working directory:88 89```json90{91  "publishes": {92    "bright-canvas-a7k2": {93      "siteUrl": "https://bright-canvas-a7k2.here.now/",94      "claimToken": "abc123",95      "claimUrl": "https://here.now/claim?slug=bright-canvas-a7k2&token=abc123",96      "expiresAt": "2026-02-18T01:00:00.000Z"97    }98  }99}100```101 102Before creating or updating sites, you may check this file to find prior slugs.103Treat `.herenow/state.json` as internal cache only.104Never present this local file path as a URL, and never use it as source of truth for auth mode, expiry, or claim URL.105 106## What to tell the user107 108- Always share the `siteUrl` from the current script run.109- Read and follow `publish_result.*` lines from script stderr to determine auth mode.110- When `publish_result.auth_mode=authenticated`: tell the user the site is **permanent** and saved to their account. No claim URL is needed.111- When `publish_result.auth_mode=anonymous`: tell the user the site **expires in 24 hours**. Share the claim URL (if `publish_result.claim_url` is non-empty and starts with `https://`) so they can keep it permanently. Warn that claim tokens are only returned once and cannot be recovered.112- Never tell the user to inspect `.herenow/state.json` for claim URLs or auth status.113 114## Limits115 116|                | Anonymous          | Authenticated                |117| -------------- | ------------------ | ---------------------------- |118| Max file size  | 250 MB             | 5 GB                         |119| Expiry         | 24 hours           | Permanent (or custom TTL)    |120| Rate limit     | 5 / hour / IP      | 60 / hour free, 200 / hour hobby |121| Account needed | No                 | Yes (get key at here.now)    |122 123## Getting an API key124 125To upgrade from anonymous (24h) to permanent sites:126 1271. Ask the user for their email address.1282. Request a one-time sign-in code:129 130```bash131curl -sS https://here.now/api/auth/agent/request-code \132  -H "content-type: application/json" \133  -d '{"email": "user@example.com"}'134```135 1363. Tell the user: "Check your inbox for a sign-in code from here.now and paste it here."1374. Verify the code and get the API key:138 139```bash140curl -sS https://here.now/api/auth/agent/verify-code \141  -H "content-type: application/json" \142  -d '{"email":"user@example.com","code":"ABCD-2345"}'143```144 1455. Save the returned `apiKey` yourself (do not ask the user to do this):146 147```bash148mkdir -p ~/.herenow && echo "{API_KEY}" > ~/.herenow/credentials && chmod 600 ~/.herenow/credentials149```150 151## Script options152 153| Flag                   | Description                                  |154| ---------------------- | -------------------------------------------- |155| `--slug {slug}`        | Update an existing site instead of creating |156| `--claim-token {token}`| Override claim token for anonymous updates    |157| `--title {text}`       | Viewer title (non-HTML sites)             |158| `--description {text}` | Viewer description                            |159| `--ttl {seconds}`      | Set expiry (authenticated only)               |160| `--client {name}`      | Agent name for attribution (e.g. `cursor`)    |161| `--base-url {url}`     | API base URL (default: `https://here.now`)    |162| `--allow-nonherenow-base-url` | Allow sending auth to non-default `--base-url` |163| `--api-key {key}`      | API key override (prefer credentials file)    |164| `--spa`                | Enable SPA routing (serve index.html for unknown paths) |165| `--forkable`           | Allow others to fork this site                           |166 167## SPA routing168 169For React, Vue, Svelte, and other single-page applications, pass `--spa` when publishing:170 171```bash172./scripts/publish.sh ./dist --spa173```174 175This tells here.now to serve `index.html` for any path that doesn't match a real file, so client-side routing works on refresh and direct links. Without `--spa`, unknown paths return 404.176 177You can also toggle SPA mode on an existing site without re-publishing:178 179```bash180curl -sS -X PATCH https://here.now/api/v1/publish/{slug}/metadata \181  -H "Authorization: Bearer {API_KEY}" \182  -H "Content-Type: application/json" \183  -d '{"spaMode": true}'184```185 186**Asset paths:** Make sure the build uses root-relative paths (`/assets/app.js`) not bare relative paths (`assets/app.js`). Vite and Create React App do this by default.187 188## Duplicate a site189 190```bash191curl -sS -X POST https://here.now/api/v1/publish/{slug}/duplicate \192  -H "Authorization: Bearer {API_KEY}" \193  -H "Content-Type: application/json" \194  -d '{}'195```196 197Creates a full copy of the site under a new slug. All files are copied server-side — no upload needed. The new site is immediately live. Requires authentication and ownership of the source site.198 199Optionally override viewer metadata (shallow-merged with the source):200 201```bash202curl -sS -X POST https://here.now/api/v1/publish/{slug}/duplicate \203  -H "Authorization: Bearer {API_KEY}" \204  -H "Content-Type: application/json" \205  -d '{"viewer": {"title": "My Copy"}}'206```207 208## Forking a site209 210Publishers can allow others to fork their sites. When a site has `forkable: true`, its file manifest is exposed and visitors see a fork button.211 212**Publishing a forkable site:**213 214```bash215./scripts/publish.sh ./dist --forkable216```217 218Or toggle on an existing site:219 220```bash221curl -sS -X PATCH https://here.now/api/v1/publish/{slug}/metadata \222  -H "Authorization: Bearer {API_KEY}" \223  -H "Content-Type: application/json" \224  -d '{"forkable": true}'225```226 227**Forking an existing forkable site:**228 2291. Fetch the file manifest: `GET https://{slug}.here.now/.herenow/manifest.json`2302. Download each file from: `GET https://{slug}.here.now/.herenow/raw/{path}`2313. Publish the downloaded files232 233The manifest returns a JSON object with `files` (array of `{path, size}`), `spaMode`, and `requiredVariables` (variables needed for proxy routes, with upstream domains).234 235If the site has proxy routes, the `.herenow/proxy.json` file is included in the download. The forker needs to set up their own variables for the proxy routes to work. Check `requiredVariables` in the manifest for what's needed.236 237Forkable is mutually exclusive with password protection and payment gating — disable one before enabling the other.238 239## Beyond the script240 241For delete, metadata patch (including password protection and payment gating), duplicate, claim, list, and other operations, see [references/REFERENCE.md](references/REFERENCE.md).242 243## Payment gating244 245Sites can require stablecoin payment on the Tempo network before granting access. Payments go directly from the visitor's wallet to the publisher's wallet.246 247To receive payments you need a Tempo wallet address. Get one at [wallet.tempo.xyz](https://wallet.tempo.xyz/) or by running `npx mppx account create`.248 249**CLI commands:**250 251```bash252# Set your Tempo wallet address (once)253herenow wallet set 0xYOUR_ADDRESS --api-key $HERENOW_API_KEY254 255# Require payment on a site (or change an existing price)256herenow price set <slug> 0.50 --api-key $HERENOW_API_KEY257 258# Use a different wallet for a specific site259herenow price set <slug> 1.00 --wallet 0xOTHER_ADDRESS --api-key $HERENOW_API_KEY260 261# Remove payment requirement262herenow price remove <slug> --api-key $HERENOW_API_KEY263 264# Check your wallet address265herenow wallet --api-key $HERENOW_API_KEY266```267 268Payment gating and password protection are mutually exclusive. You can also manage payments from the dashboard (Wallet tab for address, site menu for pricing).269 270## Accessing a paid site271 272If you fetch a here.now URL and get a `402 Payment Required` response, the site requires payment.273 274**If you have Tempo wallet + mppx installed:** payment is handled automatically. No action needed.275 276**If you have the Tempo CLI:** run `tempo request <url>` to pay and retrieve the content.277 278**If you don't have Tempo:** use the payment session flow. The 402 response body includes `paymentSession` URLs:279 280```json281{282  "price": { "amount": "0.10", "currency": "USD" },283  "paymentSession": {284    "createUrl": "https://here.now/api/pay/<slug>/session",285    "pollUrl": "https://here.now/api/pay/<slug>/poll",286    "grantUrl": "https://here.now/api/pay/<slug>/grant"287  },288  "walletUrl": "https://wallet.tempo.xyz/"289}290```291 292Steps:293 2941. `POST <createUrl>` to get a unique deposit address and session ID2952. Show the user the amount, deposit address, and wallet link (`https://wallet.tempo.xyz/`)2963. Poll `POST <pollUrl>` with `{"sessionId": "<id>"}` every 3 seconds2974. When the response has `"found": true`, call `POST <grantUrl>` with `{"sessionId": "<id>", "txHash": "<hash>"}`2985. The response contains a `token`. Fetch the original URL with `?__hn_grant=<token>` to get the content.299 300Example message to the user:301 302> This site requires payment of $0.10 (USD) on the Tempo network.303> Send $0.10 to: 0xBd46...DbB6304> If you need a Tempo wallet: https://wallet.tempo.xyz/305 306The agent should poll silently and present the content once payment is detected.307 308## Service variables and proxy routes309 310Sites can make authenticated API calls to external services without exposing secrets in client-side code. Store API keys as variables on the account, add a proxy manifest to the site, and the site's frontend calls a relative URL that here.now proxies server-side.311 312### Store variables on the account313 314Variables are account-level. Set them once and every site can use them.315 316```bash317curl -sS -X PUT https://here.now/api/v1/me/variables/OPENROUTER_API_KEY \318  -H "Authorization: Bearer {API_KEY}" \319  -H "Content-Type: application/json" \320  -d '{"value": "sk-or-v1-abc123"}'321```322 323List variables (values are never returned):324 325```bash326curl -sS https://here.now/api/v1/me/variables \327  -H "Authorization: Bearer {API_KEY}"328```329 330Delete a variable:331 332```bash333curl -sS -X DELETE https://here.now/api/v1/me/variables/OPENROUTER_API_KEY \334  -H "Authorization: Bearer {API_KEY}"335```336 337Variable names must be uppercase letters, digits, and underscores, starting with a letter (e.g. `OPENROUTER_API_KEY`). Max 50 variables per account, 4 KB per value.338 339Users can also manage variables from the dashboard (Variables tab).340 341### Add a proxy manifest to the site342 343Create a `.herenow/proxy.json` file in the site directory:344 345```json346{347  "proxies": {348    "/api/chat": {349      "upstream": "https://openrouter.ai/api/v1/chat/completions",350      "method": "POST",351      "headers": {352        "Authorization": "Bearer ${OPENROUTER_API_KEY}"353      }354    },355    "/api/db/*": {356      "upstream": "https://xyz.supabase.co/rest/v1",357      "headers": {358        "apikey": "${SUPABASE_KEY}",359        "Authorization": "Bearer ${SUPABASE_KEY}"360      }361    }362  }363}364```365 366Each key is a path on the site. Exact paths (like `/api/chat`) match that path only. Prefix patterns (like `/api/db/*`) match any path starting with that prefix — the rest is appended to the upstream URL. Query parameters are forwarded automatically.367 368`${VAR_NAME}` references are resolved from the account's variables at request time. Headers like `Content-Type` and `Accept` are forwarded from the browser automatically; the manifest only needs to declare the auth header.369 370### Frontend calls a relative URL371 372```javascript373const res = await fetch('/api/chat', {374  method: 'POST',375  headers: { 'Content-Type': 'application/json' },376  body: JSON.stringify({377    model: 'anthropic/claude-sonnet-4',378    messages: [{ role: 'user', content: question }],379    stream: true380  })381});382```383 384The browser hits its own site's URL. here.now intercepts the request, injects the API key server-side, forwards to the upstream, and streams the response back. The key never reaches the browser.385 386### Common proxy configurations387 388| Service | Upstream | Auth header |389|---|---|---|390| OpenRouter | `https://openrouter.ai/api/v1/chat/completions` | `Authorization: Bearer ${OPENROUTER_API_KEY}` |391| Supabase | `https://xyz.supabase.co/rest/v1` | `apikey: ${SUPABASE_KEY}` |392| Resend | `https://api.resend.com/emails` | `Authorization: Bearer ${RESEND_API_KEY}` |393| Stripe | `https://api.stripe.com/v1` | `Authorization: Bearer ${STRIPE_SECRET_KEY}` |394| Airtable | `https://api.airtable.com/v0` | `Authorization: Bearer ${AIRTABLE_API_KEY}` |395 396### Notes397 398- Proxy routes require an authenticated site (anonymous sites return 403 on proxy requests).399- Streaming (SSE) works out of the box for LLM responses.400- Rate limiting: 100 requests/hour/IP by default. Override per route with `"rateLimit": "20/hour/ip"` in the manifest.401- Request body size limit: 10 MB.402- The `.herenow/proxy.json` file is never served to site visitors.403- Variable changes propagate within about a minute. Proxy route config changes propagate within about 10 seconds.404 405## Handle406 407Handles are user-owned subdomain namespaces on `here.now` (for example, `yourname.here.now`) that route paths to your sites. Claiming a handle requires a paid plan (Hobby or above).408 409- Handle endpoints: `/api/v1/handle`410- Handle format: lowercase letters/numbers/hyphens, 2-30 chars, no leading/trailing hyphens411 412## Custom domains413 414Bring your own domain (e.g. `example.com`) and serve sites from it. Custom domains: 1 on Free, up to 5 on Hobby.415 416- Domain endpoints: `/api/v1/domains` and `/api/v1/domains/:domain`417 418### Add a custom domain419 420```bash421curl -sS https://here.now/api/v1/domains \422  -H "Authorization: Bearer {API_KEY}" \423  -H "Content-Type: application/json" \424  -d '{"domain": "example.com"}'425```426 427The response includes `is_apex` and `dns_instructions` (each with `type`, `host`, and `value` fields) with the DNS records to add. For apex domains, we automatically set up both `example.com` and `www.example.com`.428 429**DNS setup by domain type:**430 431- **Subdomains** (e.g. `docs.example.com`): Add a **CNAME** record. The `host` field shows the subdomain part (e.g. `docs`), and the `value` is `fallback.here.now`.432- **Apex domains** (e.g. `example.com`): Add the records from `dns_instructions` at the DNS provider. The `host` field uses `@` to mean the root domain (some providers use a blank field instead). Typically this is two **A** records with `host: "@"`, plus a **CNAME** with `host: "www"` pointing to `fallback.here.now`. Visitors to `www.example.com` are automatically redirected to `example.com`.433 434SSL is provisioned automatically once DNS is verified.435 436### Check domain status437 438```bash439curl -sS https://here.now/api/v1/domains/example.com \440  -H "Authorization: Bearer {API_KEY}"441```442 443Status is `pending` until DNS is verified and SSL is active, then becomes `active`.444 445### List custom domains446 447```bash448curl -sS https://here.now/api/v1/domains \449  -H "Authorization: Bearer {API_KEY}"450```451 452### Remove a custom domain453 454```bash455curl -sS -X DELETE https://here.now/api/v1/domains/example.com \456  -H "Authorization: Bearer {API_KEY}"457```458 459Removes the domain and all links under it.460 461## Links462 463Links connect a site to a location on your handle or a custom domain. The same endpoints work for both — omit the `domain` parameter to target your handle, or include it to target a custom domain.464 465- Link endpoints: `/api/v1/links` and `/api/v1/links/:location`466- Root location sentinel for path params: `__root__`467- Changes propagate globally in up to 60 seconds (Cloudflare KV)468 469Link to your handle:470 471```bash472curl -sS https://here.now/api/v1/links \473  -H "Authorization: Bearer {API_KEY}" \474  -H "Content-Type: application/json" \475  -d '{"location": "docs", "slug": "bright-canvas-a7k2"}'476```477 478Link to a custom domain:479 480```bash481curl -sS https://here.now/api/v1/links \482  -H "Authorization: Bearer {API_KEY}" \483  -H "Content-Type: application/json" \484  -d '{"location": "", "slug": "bright-canvas-a7k2", "domain": "example.com"}'485```486 487An empty `location` makes it the homepage (e.g. `https://example.com/`). Use `"location": "docs"` for `https://example.com/docs/`.488 489Full docs: https://here.now/docs