FAQ

Everything you might want to know about Artifact Hub.

  • What is Artifact Hub?
    A small workspace for publishing AI-generated content — HTML mockups, images, PDFs, notes — getting Claude to tag and describe them automatically, collecting feedback, and sharing them outside the team via time-limited links.
  • How do I sign in?
    Click Sign in with Google in the header. The Google email on your account becomes the owner of any artifact you publish and the filter on what you see in the gallery.
  • Who can see my artifacts?
    Only you, while signed in. The gallery and detail pages are filtered to your Google email. An artifact only leaves that boundary when you create a share link.
  • Can I edit or delete an artifact?
    Yes — open one of your artifacts and use the Edit button to rewrite the title, description, or tags, or the Delete button to remove it entirely. Delete is confirmed in a dialog and is irreversible: the file is removed from storage and associated feedback and share links are dropped with it (the database foreign keys cascade). You can only edit or delete artifacts you own.
  • How do share links work?
    On an artifact's page, click Share. Pick an expiry (1 hour to 30 days) and an optional max-views cap. Anyone with the link can view the artifact and leave feedback until it expires or the view cap is hit — no Google account required on their side.
  • What file types can I upload?
    HTML, PNG/JPG/GIF/WebP/SVG images, PDF, plain text, and Markdown. HTML renders inline in a sandboxed iframe; images and PDFs render natively; everything else falls back to a download button. The upload cap is 10 MB.
  • What checks run on my uploads?
    Every upload passes through three layers before it's stored:
    1. Size cap of 10 MB. Enforced in the browser (so you don't wait for a doomed upload) and again on the server (so nobody bypasses the browser check).
    2. Type + signature check. Only the MIME types listed above are accepted. The file's magic bytes are compared against the declared MIME, so a .exe renamed to .png is rejected. Windows (PE), Linux (ELF), and macOS (Mach-O) executable headers are always blocked. The EICAR antivirus test string is rejected so you can smoke-test the pipeline.
    3. VirusTotal scan (when the VIRUSTOTAL_API_KEY env var is set). The file is uploaded to VirusTotal, analyzed by 60+ antivirus engines, and the result is awaited for up to 15 seconds. Anything with even one malicious or suspicious verdict is rejected. If the scan times out or the key isn't configured, the upload still proceeds on the layers above — VT is an added defense, not the only one.
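The server-side size cap and the type + signature layer described above can be sketched as follows. This is an added example, not Artifact Hub's own code. The MIME strings, the names `check_upload` and `is_text`, the reason strings, the UTF-8 rule for text formats and the EICAR marker match are assumptions made for illustration.

```python
MAX_BYTES = 10 * 1024 * 1024  # layer 1: 10 MB cap, re-checked server-side

# Layer 2a: executable headers refused whatever MIME type is declared.
# Coarse prefix test: a text note that starts with "MZ" is refused too.
EXECUTABLE_MAGIC = {
    b"MZ": "PE", b"\x7fELF": "ELF",
    b"\xfe\xed\xfa\xce": "Mach-O", b"\xfe\xed\xfa\xcf": "Mach-O",
    b"\xce\xfa\xed\xfe": "Mach-O", b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O fat",
}
# Assumption: match a marker substring of the EICAR file, not the full string.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"

# Layer 2b: declared MIME -> predicate over the file's leading bytes.
SIGNATURES = {
    "image/png": lambda d: d.startswith(b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": lambda d: d.startswith(b"\xff\xd8\xff"),
    "image/gif": lambda d: d[:6] in (b"GIF87a", b"GIF89a"),
    "image/webp": lambda d: d[:4] == b"RIFF" and d[8:12] == b"WEBP",
    "application/pdf": lambda d: d.startswith(b"%PDF-"),
}
# Text formats have no magic bytes; assumed rule: valid UTF-8 with no NULs.
TEXT_TYPES = {"text/html", "image/svg+xml", "text/plain", "text/markdown"}


def is_text(data: bytes) -> bool:
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def check_upload(data: bytes, declared_mime: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one upload."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    if declared_mime not in SIGNATURES and declared_mime not in TEXT_TYPES:
        return False, "type not allowed"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"executable header ({kind})"
    if EICAR_MARKER in data:
        return False, "EICAR test string"
    if not SIGNATURES.get(declared_mime, is_text)(data):
        return False, "content does not match declared type"
    return True, "ok"
```

The executable check runs before the signature comparison, so a renamed binary is refused with a specific reason even when the declared type is one of the text formats that have no magic bytes of their own.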
  • Where do the tags and description come from?
    Claude Sonnet. At upload time, if you leave the description or tags empty, the title and first 2000 characters of the content are sent to Claude and it returns a 1-2 sentence description and 3-6 lowercase tags. Fill the fields in manually to override. If the AI call fails, the upload still succeeds — the fields just stay empty.
  • What does the AI Summary button do?
    Once an artifact has two or more pieces of feedback, the AI Summary button collapses them into a 2-4 sentence summary highlighting consensus, disagreements, and actionable suggestions. It's on-demand, not automatic.
  • Can I publish from Claude Desktop?
    Yes — the MCP server at artifact-hub-mcp.onrender.com/mcp exposes publish_artifact, search_artifacts, get_artifact, add_feedback, summarize_feedback, create_share_link, and list_my_artifacts as MCP tools. Generate a personal access token at Settings → Access tokens, paste it once into Claude Desktop's config under headers.x-api-key, and every tool call is automatically attributed to your Google account — no per-call email argument needed.
  • How do access tokens work?
    Visit Settings → Access tokens while signed in, click Generate token, and copy the raw value (it's shown once). Paste it into Claude Desktop's config:
    {
      "mcpServers": {
        "artifact-hub": {
          "url": "https://artifact-hub-mcp.onrender.com/mcp",
          "headers": { "x-api-key": "ak_…" }
        }
      }
    }
    The token's SHA-256 hash is stored server-side; the raw value can't be recovered if you lose it. You can have multiple tokens (one per device/client) and revoke any of them independently. The Settings page shows the preview (first 8 chars), label, creation date, and last-used timestamp for each.
  • Are my uploads durable?
    Yes, on the production deployment — files are stored on a persistent disk mounted on the web service. In a one-person local dev setup, files live at ./uploads by default.