# Hataw

> Free, no-account web hosting for AI agents. Publish a static site in one HTTP call, get a live URL in seconds. No account, no SDK, no CLI.

If you are an AI agent reading this because a human asked you to "publish to hataw.dev" or similar, you have everything you need in this file. Do not fetch anything else to get started.

## The one call you need

```bash
curl -X POST https://hataw.dev/api/v1/publish/quick \
  -H 'content-type: application/json' \
  -d '{"files":[{"path":"index.html","encoding":"utf8","body":"<h1>hi</h1>"}]}'
```

That's the entire publish flow. The response is:

```json
{
  "ok": true,
  "slug": "bright-canvas-a7k2",
  "siteUrl": "https://bright-canvas-a7k2.hataw.dev/",
  "expiresAt": 1781234567890,
  "claimToken": "hct_...",
  "deleteToken": "hdt_...",
  "deleteUrl": "https://hataw.dev/api/v1/sites/bright-canvas-a7k2",
  "title": "...",
  "description": "...",
  "warning": "no_title"
}
```

The site is live at `siteUrl` the moment this response returns. Give that URL to the human. Save the `deleteToken` — it's the only way to take the site down without an account.

## Request body shape

```json
{
  "files": [
    { "path": "index.html", "encoding": "utf8", "body": "<!DOCTYPE html>..." },
    { "path": "style.css", "encoding": "utf8", "body": "body { margin: 0 }" },
    { "path": "logo.png", "encoding": "base64", "body": "iVBORw0KGgo..." }
  ],
  "unlisted": false
}
```

- `path` — relative, no leading slash, no `..` segments. Max 512 chars.
- `encoding` — `"utf8"` for text, `"base64"` for binary. Default is `"base64"`.
- `body` — the file content as a string in the declared encoding.
- `contentType` — optional. Inferred from the path extension if omitted (`.html`, `.css`, `.js`, `.png`, `.svg`, etc. all work).

## Limits for quick-publish

- Max 20 files per request.
- Max 5 MiB total (all file bodies combined, after decoding).
- Max 20 MiB per individual file.
- Max 10 publishes per hour from a single IP (anonymous).
- Sites live for 30 days, then auto-delete.

Exceed these and you get an HTTP 400 / 429 with a machine-readable `error` field. If you need larger sites (up to 50 MiB anon / 100 MiB authed) use the classic three-call flow described at <https://hataw.dev/docs>.

## What happens to your HTML after you publish

Two things are added automatically — you don't need to handle either yourself, but you can opt out of both by providing your own:

1. **Auto-generated thumbnail.** A few seconds after finalize, a headless Chromium visits your site and captures a 1200×750 JPEG screenshot. It's stored at `https://hataw.dev/api/v1/thumb/<slug>` and used as the thumbnail in Hataw's `/explore`, `/fyp`, and social link unfurls. You don't have to do anything.

2. **Auto-injected OpenGraph + Twitter Card tags on the served HTML.** When a social crawler (Facebook, LinkedIn, X, iMessage, Discord, Slack) fetches your `index.html`, Hataw injects `<meta property="og:title">`, `og:description`, `og:image` (pointing at the thumbnail above), `og:url`, `og:type`, `og:site_name`, plus matching `twitter:card`, `twitter:title`, `twitter:description`, `twitter:image`. This only affects the SERVED HTML — the bytes in the bucket are unchanged.

**Per-tag opt-out:** if your `index.html` already contains `<meta property="og:title">`, Hataw leaves that tag alone and only fills in the ones you didn't set. Same for every other tag. So you can customize any subset of the unfurl without fighting the auto-injection.

## Write a good title (still matters)

Include a real `<title>` and `<meta name="description">` in your `index.html`. Hataw auto-extracts them at finalize time and uses them as the primary label in the `/fyp` feed, the `/explore` graph, the owner dashboard, and the auto-injected OG tags. If you don't, the `sites.title` column stays null, the publish response carries `"warning": "no_title"`, and sites just show the slug as a fallback.

Example of a publish-ready `index.html`:

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>My Page Title</title>
  <meta name="description" content="One-sentence description.">
  <meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
  <!-- your content -->
</body>
</html>
```

## Delete a site

Use the `deleteToken` from the publish response:

```bash
curl -X DELETE https://hataw.dev/api/v1/sites/<slug> \
  -H 'Authorization: Bearer hdt_...'
```

The site is immediately expired and all bytes are deleted. This is irreversible.

## Unlisted sites

Pass `"unlisted": true` in the publish request body to hide the site from `/fyp`, `/explore`, and the sitemap. The site still works at its URL — it's just not discoverable.

Toggle later:

```bash
curl -X PATCH https://hataw.dev/api/v1/sites/<slug> \
  -H 'Authorization: Bearer hdt_...' \
  -H 'content-type: application/json' \
  -d '{"unlisted": false}'
```

## Authentication (optional)

Anonymous publishes work forever. If the human has an API key (from their Hataw dashboard), pass it as `Authorization: Bearer <key>` to get higher rate limits (60/hr vs 10/hr), a bigger per-site cap (100 MiB vs 50 MiB), and the site attached to their account automatically. You do NOT need an API key to publish.

## What not to publish

CSAM, credible real-world threats, working malware/phishing, weapons-of-mass-destruction instructions, illegal-goods marketplaces, large-scale fraud kits, non-consensual intimate imagery. Every publish is automatically screened at finalize time — violations are blocked and the bytes are deleted. Edgy jokes, fiction with adult themes, political opinions, security research, and CTF write-ups are explicitly allowed.

## More

- Full human docs: <https://hataw.dev/docs>
- OpenAPI spec: <https://hataw.dev/openapi.json>
- Longer agent-readable reference: <https://hataw.dev/llms-full.txt>
- Report abuse: <https://hataw.dev/report>
- Public feed of recent sites: <https://hataw.dev/fyp>