here.now
Skill version: 1.8.3
Create a live URL from any file or folder. Static hosting only.
To install or update (recommended): npx skills add heredotnow/skill --skill here-now -g
For repo-pinned/project-local installs, run the same command without -g.
Requirements
- Required binaries:
curl,file,jq - Optional environment variable:
$HERENOW_API_KEY - Optional credentials file:
~/.herenow/credentials
Create a site
./scripts/publish.sh {file-or-dir}
Outputs the live URL (e.g. https://bright-canvas-a7k2.here.now/).
Under the hood this is a three-step flow: create/update -> upload files -> finalize. A site is not live until finalize succeeds.
Without an API key this creates an anonymous site that expires in 24 hours. With a saved API key, the site is permanent.
File structure: For HTML sites, place index.html at the root of the directory you publish, not inside a subdirectory. The directory's contents become the site root. For example, publish my-site/ where my-site/index.html exists — don't publish a parent folder that contains my-site/.
You can also publish raw files without any HTML. Single files get a rich auto-viewer (images, PDF, video, audio). Multiple files get an auto-generated directory listing with folder navigation and an image gallery.
Update an existing site
./scripts/publish.sh {file-or-dir} --slug {slug}
The script auto-loads the claimToken from .herenow/state.json when updating anonymous sites. Pass --claim-token {token} to override.
Authenticated updates require a saved API key.
Client attribution
Pass --client so here.now can track reliability by agent:
./scripts/publish.sh {file-or-dir} --client cursor
This sends X-HereNow-Client: cursor/publish-sh on publish API calls.
If omitted, the script sends a fallback value.
API key storage
The publish script reads the API key from these sources (first match wins):
--api-key {key}flag (CI/scripting only — avoid in interactive use)$HERENOW_API_KEYenvironment variable~/.herenow/credentialsfile (recommended for agents)
To store a key, write it to the credentials file:
mkdir -p ~/.herenow && echo "{API_KEY}" > ~/.herenow/credentials && chmod 600 ~/.herenow/credentials
IMPORTANT: After receiving an API key, save it immediately — run the command above yourself. Do not ask the user to run it manually. Avoid passing the key via CLI flags (e.g. --api-key) in interactive sessions; the credentials file is the preferred storage method.
Never commit credentials or local state files (~/.herenow/credentials, .herenow/state.json) to source control.
State file
After every site create/update, the script writes to .herenow/state.json in the working directory:
{
"publishes": {
"bright-canvas-a7k2": {
"siteUrl": "https://bright-canvas-a7k2.here.now/",
"claimToken": "abc123",
"claimUrl": "https://here.now/claim?slug=bright-canvas-a7k2&token=abc123",
"expiresAt": "2026-02-18T01:00:00.000Z"
}
}
}
Before creating or updating sites, you may check this file to find prior slugs.
Treat .herenow/state.json as internal cache only.
Never present this local file path as a URL, and never use it as source of truth for auth mode, expiry, or claim URL.
What to tell the user
- Always share the
siteUrlfrom the current script run. - Read and follow
publish_result.*lines from script stderr to determine auth mode. - When
publish_result.auth_mode=authenticated: tell the user the site is permanent and saved to their account. No claim URL is needed. - When
publish_result.auth_mode=anonymous: tell the user the site expires in 24 hours. Share the claim URL (ifpublish_result.claim_urlis non-empty and starts withhttps://) so they can keep it permanently. Warn that claim tokens are only returned once and cannot be recovered. - Never tell the user to inspect
.herenow/state.jsonfor claim URLs or auth status.
Limits
| Anonymous | Authenticated | |
|---|---|---|
| Max file size | 250 MB | 5 GB |
| Expiry | 24 hours | Permanent (or custom TTL) |
| Rate limit | 5 / hour / IP | 60 / hour free, 200 / hour hobby |
| Account needed | No | Yes (get key at here.now) |
Getting an API key
To upgrade from anonymous (24h) to permanent sites:
- Ask the user for their email address.
- Request a one-time sign-in code:
curl -sS https://here.now/api/auth/agent/request-code \
-H "content-type: application/json" \
-d '{"email": "user@example.com"}'
- Tell the user: "Check your inbox for a sign-in code from here.now and paste it here."
- Verify the code and get the API key:
curl -sS https://here.now/api/auth/agent/verify-code \
-H "content-type: application/json" \
-d '{"email":"user@example.com","code":"ABCD-2345"}'
- Save the returned
apiKeyyourself (do not ask the user to do this):
mkdir -p ~/.herenow && echo "{API_KEY}" > ~/.herenow/credentials && chmod 600 ~/.herenow/credentials
Script options
| Flag | Description |
|---|---|
--slug {slug} | Update an existing site instead of creating |
--claim-token {token} | Override claim token for anonymous updates |
--title {text} | Viewer title (non-HTML sites) |
--description {text} | Viewer description |
--ttl {seconds} | Set expiry (authenticated only) |
--client {name} | Agent name for attribution (e.g. cursor) |
--base-url {url} | API base URL (default: https://here.now) |
--allow-nonherenow-base-url | Allow sending auth to non-default --base-url |
--api-key {key} | API key override (prefer credentials file) |
Duplicate a site
curl -sS -X POST https://here.now/api/v1/publish/{slug}/duplicate \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-d '{}'
Creates a full copy of the site under a new slug. All files are copied server-side — no upload needed. The new site is immediately live. Requires authentication and ownership of the source site.
Optionally override viewer metadata (shallow-merged with the source):
curl -sS -X POST https://here.now/api/v1/publish/{slug}/duplicate \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-d '{"viewer": {"title": "My Copy"}}'
Beyond the script
For delete, metadata patch (including password protection), duplicate, claim, list, and other operations, see references/REFERENCE.md.
Handle
Handles are user-owned subdomain namespaces on here.now (for example, yourname.here.now) that route paths to your sites. Claiming a handle requires a paid plan (Hobby or above).
- Handle endpoints:
/api/v1/handle - Handle format: lowercase letters/numbers/hyphens, 2-30 chars, no leading/trailing hyphens
Custom domains
Bring your own domain (e.g. example.com) and serve sites from it. Custom domains: 1 on Free, up to 5 on Hobby.
- Domain endpoints:
/api/v1/domainsand/api/v1/domains/:domain
Add a custom domain
curl -sS https://here.now/api/v1/domains \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-d '{"domain": "example.com"}'
The response includes is_apex, DNS instructions, and (for apex domains) an ownership_verification object with TXT record details.
DNS setup by domain type:
- Subdomains (e.g.
docs.example.com): Add a CNAME record pointing tofallback.here.now. - Apex domains (e.g.
example.com):- Add an ALIAS record pointing to
fallback.here.now. (Your DNS provider may call this ANAME or CNAME flattening.) - Add a TXT record using the
nameandvaluefrom theownership_verificationfield in the response.
- Add an ALIAS record pointing to
SSL is provisioned automatically once DNS is verified.
Check domain status
curl -sS https://here.now/api/v1/domains/example.com \
-H "Authorization: Bearer {API_KEY}"
Status is pending until DNS is verified and SSL is active, then becomes active. For apex domains, the response includes ownership_verification with the TXT record details and may include verification_errors if there are issues.
List custom domains
curl -sS https://here.now/api/v1/domains \
-H "Authorization: Bearer {API_KEY}"
Remove a custom domain
curl -sS -X DELETE https://here.now/api/v1/domains/example.com \
-H "Authorization: Bearer {API_KEY}"
Removes the domain and all links under it.
Links
Links connect a site to a location on your handle or a custom domain. The same endpoints work for both — omit the domain parameter to target your handle, or include it to target a custom domain.
- Link endpoints:
/api/v1/linksand/api/v1/links/:location - Root location sentinel for path params:
__root__ - Changes propagate globally in up to 60 seconds (Cloudflare KV)
Link to your handle:
curl -sS https://here.now/api/v1/links \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-d '{"location": "docs", "slug": "bright-canvas-a7k2"}'
Link to a custom domain:
curl -sS https://here.now/api/v1/links \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-d '{"location": "", "slug": "bright-canvas-a7k2", "domain": "example.com"}'
An empty location makes it the homepage (e.g. https://example.com/). Use "location": "docs" for https://example.com/docs/.
Full docs: https://here.now/docs