wh-drop documentation
Instant static web hosting for AI agents. Publish a folder of static files to a
live URL at https://{slug}.xdr.no in seconds — no account, no deploy pipeline, no
config. Anonymous sites expire after 24 hours. Hosted in Norway (EEA data residency).
wh-drop is static hosting only: HTML/CSS/JS, images, PDFs, video, documents, and built single-page apps. It does not run server-side code or databases at request time.
- API base:
https://api.xdr.no - Machine-readable:
/llms.txt·/openapi.json·/.well-known/agent.json
Quick start
Tell your coding agent to publish, and pick whichever setup fits:
Option A — MCP server (recommended for agents)
Connect once; your agent gets a publish tool:
claude mcp add wh-drop https://api.xdr.no/mcp --transport http
Then: "publish this folder to wh-drop." The agent calls the publish tool, which
uploads the files and returns the live URL. Connecting the server is your one-time
trust step — after that, publishing is a sanctioned tool call.
Option B — Install the skill
Paste this into your coding agent:
Set up wh-drop. Install as a skill if I have npm:
npx skills add webhuset-no/wh-drop --skill wh-drop -g
If not, do this instead:
curl -fsSL https://api.xdr.no/install.sh | bash
Then ask it to publish a folder.
Option C — Use the API directly
No install — your agent (or any script) calls the three-step API below.
Concepts
- Site — a published set of static files, served at
https://{slug}.xdr.no. - Slug — a random, unguessable subdomain (e.g.
a7f3k9q2x1). Public but unlisted. - Anonymous site — created without auth; lives 24 hours, then is deleted.
- Claim — a one-time token returned at publish time that (in a future release) lets you convert an anonymous site into a permanent one. Save it; it's shown only once.
The publish API
Three calls. Files upload directly; the control API never proxies bytes.
1. Create the publish
POST https://api.xdr.no/api/v1/publish
Content-Type: application/json
{
"files": [
{ "path": "index.html", "size": 1240, "contentType": "text/html", "sha256": "<hex>" }
]
}
Response:
{
"slug": "a7f3k9q2x1",
"url": "https://a7f3k9q2x1.xdr.no",
"expiresAt": "2026-06-21T09:00:00Z",
"claimUrl": "https://api.xdr.no/claim/<token>",
"finalize": "https://api.xdr.no/api/v1/publish/a7f3k9q2x1/finalize",
"uploads": [ { "path": "index.html", "putUrl": "https://api.xdr.no/api/v1/u/<token>", "method": "PUT" } ]
}
sha256 is the lowercase hex SHA-256 of the file's bytes. The server verifies size
and hash on upload.
2. Upload each file
PUT <putUrl>
<raw file bytes>
3. Finalize
POST https://api.xdr.no/api/v1/publish/{slug}/finalize
The site is live at url. Check status anytime with GET /api/v1/publish/{slug}.
The MCP publish tool
If you connect the MCP server (Option A), the three calls collapse into one tool call.
Tool: publish
| Argument | Type | Notes |
|---|---|---|
files |
array (required) | Each item: { path, content, encoding?, contentType? } |
client |
string (optional) | Agent name for attribution, e.g. claude-code |
Each file: path is relative (index.html, assets/app.js); content is the file
content; encoding is utf8 (default) for text or base64 for binary (images, PDFs);
contentType is an optional MIME type. The tool returns the live URL, expiry, and the
one-time claim URL.
File structure
Put index.html at the root of what you publish — its contents become the site
root. Don't publish a parent folder that contains your site folder.
- With
index.html: served as the homepage; deep paths map to files. - Without
index.html: wh-drop serves an auto-generated directory listing / file viewer.
Limits
| Limit | Value |
|---|---|
| Max file size | 25 MB |
| Max total site size | 100 MB |
| Max files per site | 1,000 |
| Publishes per IP | 60 / hour |
| Anonymous site lifetime | 24 hours |
Static files only — no server-side execution, no database at request time.
Using wh-drop inside an agent's "auto mode"
Publishing uploads your files to a public URL, so security-conscious agents (e.g. Claude Code in auto mode) may gate it — that's by design. You have three ways through, from least to most setup:
Approve it when asked. Your agent states what it will upload; you allow it. In non-auto modes this is a normal one-click prompt.
Connect the MCP server. Connecting
https://api.xdr.no/mcpis itself the trust step; thepublishtool then runs as a sanctioned tool call.Declare it trusted once. Add to your
~/.claude/settings.json:"autoMode": { "environment": ["$defaults", "api.xdr.no is my trusted file-publishing service (wh-drop)"], "allow": ["$defaults", "Uploading a folder to api.xdr.no via wh-drop is allowed"] }(An agent cannot add this for you — only you can, which is the point.)
This is the same ceiling every agent-native publishing tool hits; it is consent for sending files to the public internet, made into a one-time step.
Privacy & data residency
- Sites are hosted in Norway / the EEA — not on foreign cloud infrastructure.
- Anonymous sites are public (anyone with the unguessable link can view) and are deleted after 24 hours.
- Don't publish secrets. Treat any published URL as public.
FAQ
Do I need an account? No. Anonymous publishing is the default.
How long do sites last? 24 hours for anonymous sites. Permanent sites (via claim / API keys) are on the roadmap.
Can I use a custom domain / password-protect a site? Not yet — planned.
Is it really static-only? Yes. That's what keeps it fast, cheap, and safe.
Where's the machine-readable spec? /openapi.json
and /llms.txt.