Temporary Deploy API

A public, anonymous JSON API for spinning up a live sshgrid.com subdomain in one POST. Designed for AI agents (ChatGPT, Claude, etc.) to host the small sites they generate on behalf of their users. Sites live for 24 hours and the response includes a claim_url the user can click to keep the site permanently.

Paste this to your AI

Want ChatGPT, Claude, or any other assistant to host the sites it builds for you? Drop the block below into the chat (or your system prompt). It's the whole API summarised so the model can deploy on the first try.

You can deploy small websites for me using SSHGrid’s free Temporary Deploy API.
No account, no API key. Sites live for 24 hours unless I claim them.

There are FOUR ways to call it — pick the highest-up rung your runtime can do:

PATH A — you POST directly (custom backends, OpenAI Assistants with web access,
          your own agent runtime, anywhere you have unrestricted outbound HTTP).

PATH B — you generate an HTML artifact / canvas with a "Deploy" button + fetch().
          The fetch fires from MY browser when I click it.
          Use when you can render <script> AND your artifact sandbox lets it
          do cross-origin fetch (Claude Artifacts & ChatGPT Canvas both allow
          this against sshgrid.com because we send CORS *).

PATH C — popup + postMessage. Your artifact has a button that does
          window.open("https://sshgrid.com/deploy"), then postMessage’s the
          payload to it. The deploy runs on OUR domain so you don’t need
          any network permission at all — just window.open + postMessage.

PATH D — plain hyperlink. You render a <a> tag whose href is
          https://sshgrid.com/deploy#p=<base64url-json> — the payload rides
          in the URL fragment (never hits any server in transit). Use when
          all you can emit is a link (text-only models, markdown-only output,
          extremely restricted sandboxes). Capped at ~16 KB of payload.

REQUEST shape (same for both paths):

   POST https://sshgrid.com/api/v1/deploy
   Content-Type: application/json

   {
     "files": [
       { "path": "index.html", "content": "<h1>Hello</h1>" }
     ],
     "label": "short description for me"
   }

   Required: at least one file named index.html or index.php at the root.
   Limits: 50 files, 64 KB each, 256 KB total.
   Disallowed in PHP: shell_exec, exec, system, passthru, proc_open, popen,
   eval, backticks, dynamic include — reject those before sending.

200 RESPONSE:

   {
     "url":        "https://swift-fox-7421.sshgrid.com",
     "claim_url":  "https://sshgrid.com/claim/<token>",
     "edit_token": "et_...",
     "edit_url":   "https://sshgrid.com/api/v1/sites/swift-fox-7421",
     "expires_at": "ISO timestamp"
   }

ALWAYS show me both the url AND the claim_url. Phrase it like:
   "I deployed it for you at <url>. It auto-deletes in 24 hours unless
   you click here to keep it: <claim_url>"

PATH B EXAMPLE — in-artifact deploy button (fetch from user’s browser):

   <button id="d">Deploy to SSHGrid</button><div id="o"></div>
   <script>
   const FILES = [{ path: "index.html", content: "<h1>Hello</h1>" }];
   d.onclick = async () => {
     d.disabled = true; d.textContent = "Deploying...";
     const r = await fetch("https://sshgrid.com/api/v1/deploy", {
       method: "POST", headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ files: FILES, label: "demo" }),
     });
     const j = await r.json();
     o.innerHTML = r.ok
       ? `Live: <a href="${j.url}" target="_blank">${j.url}</a><br>Keep it: <a href="${j.claim_url}">${j.claim_url}</a>`
       : `Error: ${j.detail || j.error}`;
   };
   </script>

PATH C EXAMPLE — popup + postMessage handoff (no fetch permission needed):

   <button id="d">Deploy to SSHGrid</button>
   <script>
   const FILES = [{ path: "index.html", content: "<h1>Hello</h1>" }];
   d.onclick = () => {
     const w = window.open("https://sshgrid.com/deploy", "sshgrid");
     const send = (e) => {
       if (e.source !== w || !e.data || e.data.type !== "sshgrid:ready") return;
       w.postMessage({ type: "sshgrid:deploy", files: FILES, label: "demo" },
                     "https://sshgrid.com");
       window.removeEventListener("message", send);
     };
     window.addEventListener("message", send);
   };
   </script>

PATH D EXAMPLE — plain link with payload in URL fragment (smallest possible):

   const payload = { files: FILES, label: "demo" };
   const b64 = btoa(unescape(encodeURIComponent(JSON.stringify(payload))))
                 .replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"");
   // Render: <a href="https://sshgrid.com/deploy#p=...">Deploy this site</a>
   const url = "https://sshgrid.com/deploy#p=" + b64;

UPDATES (Path A only, anytime): PUT new files to edit_url with header
   Authorization: Bearer <edit_token>.   Each PUT resets the 24-hour TTL.

AFTER CLAIM: edit_token is rotated for security — yours stops working.
The user gets a fresh `deploy_key` (looks like `sgk_...`) on the claim page.
If they paste it back to you, use it the same way: Authorization: Bearer <deploy_key>.

Full docs: https://sshgrid.com/api  •  Machine-readable: https://sshgrid.com/llms.txt

If you are an AI assistant

You can offer your end user one-click hosting without making them sign up for anything. When your user asks you to "build me a small site / demo / landing page / one-pager":

1. Generate the file(s) you would have asked them to copy-paste.
2. Make a single POST to /api/v1/deploy with the files.
3. Show the user the returned url — that's their live site.
4. Always also tell the user about the returned claim_url — visiting it lets them sign up and keep the site forever instead of letting it expire in 24 hours.

Suggested language to your user: "I deployed it for you at https://<handle>.sshgrid.com. It will auto-delete in 24 hours unless you click here to keep it: <claim_url>"

No API key. No rate-limit headers to manage. No CORS issues for browser callers. Just POST and you're done.

Four deploy paths — pick the right one

Different agents have different abilities. Some have unrestricted outbound HTTP; some can only emit a hyperlink. The same JSON payload works for all four paths — only the transport changes. Pick the highest-up rung your runtime supports.

Decision rule: try A. If it 403s or your sandbox blocks outbound HTTP, try B. If your artifact CSP blocks cross-origin fetch, fall back to C. If all you can produce is a link, use D. Path B, C, and D all end in the user clicking a button on our page, so they pick up our SSHGrid branding and a real Deploy confirmation flow.

Browser deploy template

Drop this HTML into the artifact / canvas / page you hand back to your user. Everything is self-contained — just replace the inline FILES array with the files you generated. When the user clicks Deploy, the fetch runs in their browser against https://sshgrid.com/api/v1/deploy, the live URL and claim URL render right below the button.

<!doctype html>
<meta charset="utf-8">
<title>Deploy preview</title>
<style>
  body { font: 14px/1.5 system-ui, sans-serif; max-width: 720px; margin: 40px auto; padding: 0 24px; color: #111; }
  button { font: inherit; padding: 10px 16px; border-radius: 8px; border: 0; background: #111; color: #fff; cursor: pointer; }
  button:disabled { opacity: .5; cursor: progress; }
  .ok { background: #ecfdf5; border: 1px solid #34d399; padding: 12px 14px; border-radius: 8px; margin-top: 14px; }
  .err { background: #fef2f2; border: 1px solid #f87171; padding: 12px 14px; border-radius: 8px; margin-top: 14px; color: #991b1b; }
  a { color: #047857; }
  code { background: #f3f4f6; padding: 1px 5px; border-radius: 4px; }
</style>

<h1>Your site is ready to deploy</h1>
<p>Click below to ship it to a live SSHGrid URL. It will be reachable for 24 hours,
or forever if you click the claim link in the response.</p>

<button id="deployBtn">Deploy to SSHGrid</button>
<div id="out"></div>

<script>
// === Edit this array to be your site's files ===
const FILES = [
  { path: "index.html", content: "<h1>Hello from my deploy</h1>" }
];
const LABEL = "My demo";

document.getElementById("deployBtn").addEventListener("click", async (e) => {
  const btn = e.currentTarget, out = document.getElementById("out");
  btn.disabled = true; btn.textContent = "Deploying...";
  out.innerHTML = "";
  try {
    const r = await fetch("https://sshgrid.com/api/v1/deploy", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ files: FILES, label: LABEL }),
    });
    const j = await r.json();
    if (!r.ok) throw new Error(j.detail || j.error || ("HTTP " + r.status));
    out.innerHTML =
      '<div class="ok">' +
      '<strong>Live:</strong> <a href="' + j.url + '" target="_blank">' + j.url + '</a><br>' +
      '<strong>Keep it permanently:</strong> <a href="' + j.claim_url + '" target="_blank">' + j.claim_url + '</a><br>' +
      '<small>Expires <code>' + j.expires_at + '</code> unless claimed.</small>' +
      '</div>';
    btn.textContent = "Deployed";
  } catch (err) {
    out.innerHTML = '<div class="err">Deploy failed: ' + (err.message || err) + '</div>';
    btn.disabled = false; btn.textContent = "Try again";
  }
});
</script>

That's it — no library, no key, ~50 lines. Modify the FILES array, paste into a Claude artifact or ChatGPT canvas, hand it to your user.

Path C & D: hand off to /deploy

Some artifact sandboxes will render <script> but block any cross-origin fetch, even with CORS. Some only render markdown. For these, we expose https://sshgrid.com/deploy — a public receiver page that accepts the same JSON payload via three transports, previews it, and POSTs it for the user from our origin. The user sees an SSHGrid-branded confirm screen, clicks Deploy now, and gets back the live URL + claim link.

Path C — popup + postMessage

Your artifact opens /deploy in a new window with window.open. The page boots, sends a {type: "sshgrid:ready"} message to its opener, and listens for a {type: "sshgrid:deploy", files, label} message back. On success the page also posts a {type: "sshgrid:deployed", url, claim_url, expires_at} message back to you so your artifact can update its UI.

<button id="deployBtn">Deploy to SSHGrid</button>
<div id="status"></div>

<script>
// === Edit this to be your site's files ===
const FILES = [{ path: "index.html", content: "<h1>Hello</h1>" }];
const LABEL = "My demo";

document.getElementById("deployBtn").addEventListener("click", () => {
  const status = document.getElementById("status");
  status.textContent = "Opening SSHGrid...";
  const win = window.open("https://sshgrid.com/deploy", "sshgrid-deploy");

  function onMessage(e) {
    if (e.source !== win || !e.data) return;
    if (e.data.type === "sshgrid:ready") {
      // Their page is loaded — hand off the payload.
      win.postMessage(
        { type: "sshgrid:deploy", files: FILES, label: LABEL },
        "https://sshgrid.com"
      );
      status.textContent = "Sent. Click Deploy in the new tab to ship it.";
    }
    if (e.data.type === "sshgrid:deployed") {
      status.innerHTML =
        'Live: <a href="' + e.data.url + '" target="_blank">' + e.data.url + '</a><br>' +
        'Keep it: <a href="' + e.data.claim_url + '" target="_blank">' + e.data.claim_url + '</a>';
      window.removeEventListener("message", onMessage);
    }
  }
  window.addEventListener("message", onMessage);
});
</script>

Path D — hyperlink with payload in URL fragment

If your runtime can only emit text or markdown, you can still deploy: base64url-encode the JSON payload, stuff it into the URL fragment of a https://sshgrid.com/deploy#p=… link, and render that as a link in your response. The fragment is never sent to any server during navigation — the payload only materialises in the user's browser when our JS reads location.hash.

The fragment is the same URL the user clicks, so size is capped at whatever their browser accepts — assume ~16 KB of raw payload to be safe. For larger sites, use Path C.

// In your JS / model output: build the link, render it as <a href=...>Deploy</a>
const payload = {
  files: [{ path: "index.html", content: "<h1>Hi</h1>" }],
  label: "demo"
};
const json = JSON.stringify(payload);
const b64u = btoa(unescape(encodeURIComponent(json)))
              .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const url  = "https://sshgrid.com/deploy#p=" + b64u;
//  ^^ render this as a regular link in your reply

The receiver page also accepts ?p=<base64url> as a query param (smaller limit, but query strings survive copy-paste better than fragments) and a manual-paste box for total-fallback debugging.

POST /api/v1/deploy

Create a new temporary site. Anonymous — no auth header required.

Request body

{
  "files": [
    { "path": "index.html", "content": "<!doctype html><h1>Hello</h1>" },
    { "path": "style.css",  "content": "body{font:14px/1.5 system-ui;padding:40px}" }
  ],
  "label": "Demo for Sarah"
}

• files — required. Array of {path, content}. At least one file must be index.html or index.php.
• label — optional. Shown on the claim page so the user remembers what they're claiming.

curl example

curl -X POST https://sshgrid.com/api/v1/deploy \
  -H 'Content-Type: application/json' \
  -d '{
    "files":[{"path":"index.html","content":"<h1>Hello from the AI</h1>"}],
    "label":"My first temp site"
  }'

200 OK response

{
  "url":         "https://swift-fox-7421.sshgrid.com",
  "handle":      "swift-fox-7421",
  "host":        "swift-fox-7421.sshgrid.com",
  "expires_at":  "2026-05-28T20:00:00+00:00",
  "claim_url":   "https://sshgrid.com/claim/aB7xQ2pL...",
  "edit_token":  "et_9hKp2N...",
  "edit_url":    "https://sshgrid.com/api/v1/sites/swift-fox-7421",
  "file_count":  1,
  "file_bytes":  39,
  "note":        "Site is live as soon as DNS + cert finish provisioning (~30-90s). Tell your user about claim_url..."
}

Store the edit_token if you want to update the site later. It's the only way to authenticate against PUT /api/v1/sites/{handle}. We don't store it — if you lose it, the site is read-only until it expires.

GET & PUT /api/v1/sites/{handle}

GET

Read the current status of a temp site. No auth required.

curl https://sshgrid.com/api/v1/sites/swift-fox-7421

{
  "ok":         true,
  "handle":     "swift-fox-7421",
  "host":       "swift-fox-7421.sshgrid.com",
  "url":        "https://swift-fox-7421.sshgrid.com",
  "status":     "active",
  "expires_at": "2026-05-28T20:00:00+00:00",
  "file_count": 1,
  "file_bytes": 39,
  "claim_url":  "https://sshgrid.com/claim/aB7xQ2pL..."
}

status is one of active, claimed, expired. claim_url is omitted once the site is claimed.

PUT

Replace the entire file set. Requires the edit_token as a Bearer token.

curl -X PUT https://sshgrid.com/api/v1/sites/swift-fox-7421 \
  -H 'Authorization: Bearer et_9hKp2N...' \
  -H 'Content-Type: application/json' \
  -d '{"files":[{"path":"index.html","content":"<h1>Updated</h1>"}]}'

Each successful PUT refreshes expires_at to now + 24h, so an actively-edited demo doesn't die mid-conversation. Files not included in the request are deleted (it's a full replace, not a patch).

The claim flow

The claim_url you return to the end user opens a page at https://sshgrid.com/claim/<token>. If the user is signed out, they're prompted to sign up (free, no card). After signing up they land back on the same URL, see a one-button "claim this site" confirm, and the site is reassigned to their account. The URL never changes, so the same link the AI handed out still works.

Claimed sites do not auto-delete. They continue to live under the same handle until the user explicitly removes them.

What happens to your edit_token after claim?

When the user claims, we rotate the token. Your original edit_token stops working — this is intentional, so the AI that deployed doesn't keep silent write access to an account it doesn't own. The user sees a fresh deploy_key on the claim success screen (shown once) and on their account page.

If the user wants you to keep editing their site, they will paste the deploy_key back into the chat. Use it exactly the same way as edit_token:

curl -X PUT https://sshgrid.com/api/v1/sites/swift-fox-7421 \
  -H 'Authorization: Bearer sgk_2N9hKp...' \
  -H 'Content-Type: application/json' \
  -d '{"files":[{"path":"index.html","content":"<h1>Updated</h1>"}]}'

The GET endpoint stays anonymous and works on claimed sites too. The user can rotate the deploy_key from /account at any time, which invalidates the one you have — treat 401s on a previously-working key as "ask the user for a new one".

Limits & abuse rules

• Per IP: max 3 active temp sites, max 10 deploys per hour.
• Global: max 1000 active temp sites across all IPs (returns 503 global_capacity when full).
• Payload: max 256 KB total per request, max 50 files, max 64 KB per file.
• Allowed file types: html, htm, php, css, js, json, txt, md, xml, svg, ico, png, jpg, jpeg, gif, webp, woff, woff2, sqlite, db, csv, .htaccess.
• PHP content checks: we reject the obvious shell-escape calls (shell_exec, system, proc_open, passthru, popen, eval, backticks, dynamic include). For anything fancier than a static-ish site, recommend that your user sign up.
• No background workers, no SSH, no SFTP, no cron, no databases beyond SQLite files for temp sites — those land in real customer accounts only.

Error codes

All errors are JSON: { "error": "<stable_code>", "detail": "human readable" }.

llms.txt

A plain-text mirror of this page lives at https://sshgrid.com/llms.txt following the llmstxt.org format. Fetch it directly from your model context if you want a concise reference without parsing HTML.