Bauta - Share Artifacts

Deploy HTML/React artifacts from your AI client to hosted, share-gated URLs. Private by default, password or email gates, EU hosting. Remote MCP: https://bauta.app/mcp

Documentation

Docs

Connect, deploy, share.

Everything you need to connect an agent to Bauta and deploy your first artifact — the MCP endpoint, authentication, every tool, the sharing modes, and the gated-by-default posture.

Connect

Bauta is a remote MCP server. The endpoint (Streamable HTTP) is:

https://bauta.app/mcp

Claude (web or desktop): Customize → Connectors →Add custom connector, paste the endpoint URL, and complete the sign-in flow when prompted.

Free to start — no separate signup. Connecting is the signup: the first time you authenticate, your Bauta account is created automatically (sign in with Google or email, no credit card). The free tier lets you deploy and share right away; paid plans add a branded subdomain, custom slugs, email-OTP viewer gates, and longer history.

Claude Code (CLI):

claude mcp add --transport http bauta https://bauta.app/mcp

Authentication. Bauta uses standard MCP OAuth: the server is its own OAuth authorization server and supports bothDynamic Client Registration (RFC 7591) andClient ID Metadata Documents (CIMD), so both pre-registered and self-identifying MCP clients work without manual client setup. CLI and desktop clients may use loopback redirect URIs onlocalhost or 127.0.0.1 with any port. Discovery metadata is served at the standard/.well-known/oauth-authorization-server location.

Tools

Every tool declares whether it is read-only or destructive, and read and write operations are always separate tools.

ToolWhat it does
deploy_artifactDeploy an HTML or React artifact to a hosted URL (or publish a new revision of one you already own). Deploys are owned by you, unlisted, and permanent by default — served only via the secret access-token link the deploy returns. (An optional ephemeral flag makes a temporary/demo deploy that auto-deletes after a few days unless you keep it.)
update_artifactPublish a new revision of an existing artifact; the URL stays the same.
list_artifactsList the artifacts you own: slug, title, sharing mode, published revision, timestamps. Read-only.
rollbackMove an artifact's live version back to a prior revision — nothing is created or deleted, only the published pointer moves.
rename_slugRename an artifact. Paid (org) artifacts pick a new slug and old links redirect (301) for a grace period; free artifacts re-roll a fresh random id and the old link stops working immediately.
set_sharingChange who can view an artifact: private, unlisted, public, password, or email_otp.
share_via_emailGrant a specific email address access to an artifact and send them an invite.
list_share_recipientsList the addresses you have previously shared artifacts with. Read-only.
bind_data_sourceAttach a data snapshot to an artifact, served back to the artifact's own code at a stable /data URL; binding again replaces the snapshot.
get_analyticsAggregate view and deploy counts for one of your artifacts — cookieless, sampling-corrected estimates. Read-only.
export_artifactExport everything stored for one of your artifacts: metadata, every revision's original source, and the sharing configuration. Read-only.
delete_artifactPermanently delete an artifact — all revisions, sharing settings, and share grants; serving stops immediately at every URL.
request_email_verificationEmail a one-time code to an address you control, to attach it to your account as a verified email.
verify_email_codeComplete email verification by submitting the one-time code.
whoamiShow the caller's identity: the stable MCP subject and the linked Bauta account. Read-only.
pingLiveness check — answers "pong". No side effects.

URLs

  • Free artifacts serve at share.bauta.app/<random-id>, owned by you and permanent. Renaming re-rolls a fresh random id (the old link stops working immediately).
  • Organizations (paid plans) get vanity URLs on their own subdomain: your-org.bauta.app/artifact-name/. On upgrade or downgrade the old links 301-redirect forever.

Artifact code never runs on bauta.app itself: content executes inside a sandboxed iframe served from a separate registered domain (bauta-usercontent.com), which carries no cookies and is excluded from search-engine indexing.

Sharing modes

ModeWho can view
privateNobody — visitors are blocked instantly, even with the access-token link.
unlistedReachable only via the secret access-token link the deploy returns. The bare URL is an existence-blind 404. This is the default for every deploy.
publicAnyone with the link — no password, code or token.
passwordAnyone with the link who enters the password you set. Viewers need no account.
email_otpViewers verify their email with a one-time code. With email grants (via share_via_email) only granted addresses get a code; without grants, any address that completes verification may view, and every verified view is recorded in the audit log.

Gated by default

Bauta's security posture, in one list:

  • Private by default. Every deploy is owned by you and unlisted the moment it lands — reachable only with the secret access-token link, and a blind 404 to everyone else. It will never be made public without an explicit set_sharing action by you.
  • Sandboxed execution. All artifact code runs in an iframe with sandbox="allow-scripts" and nothing else, on a separate registered domain with no cookies — it cannot reach your session, other artifacts, or the parent page.
  • Deploy-time scanning. Outbound links in deployed content are checked against Google Safe Browsing before anything is stored; known-bad links reject the deploy.
  • Rate limits. Deploys, gate attempts, verification emails, and abuse reports are all rate-limited.
  • Report and takedown. Every served artifact page links to the abuse report form; taken-down content stops serving on every origin immediately.
  • Audit log. Deploys, sharing changes, and email-verified views are recorded append-only.
  • EU-hosted content, cookieless analytics. Artifact content lives in an EU-jurisdiction bucket; view counting uses no cookies and no third-party scripts. See the privacy policy and terms of service.

FAQ

What is Bauta?

Bauta is an MCP server that lets Claude — and any MCP client, including ChatGPT, Codex and Cursor — deploy AI-generated HTML and React artifacts (presentations, reports, dashboards, mini-apps) to hosted, share-gated URLs. You say “share this” in your AI client; Bauta returns a real, permanent link.

How do I connect Bauta to Claude?

In Claude (web or desktop): Customize → Connectors →Add custom connector → pastehttps://bauta.app/mcp. In Claude Code:claude mcp add --transport http bauta https://bauta.app/mcp. Authentication happens in the browser on first use; connecting creates your account — there is no separate signup.

What tools does the Bauta MCP server expose?

Sixteen tools: deploy_artifact, update_artifact,list_artifacts, rollback,rename_slug, set_sharing,share_via_email, list_share_recipients,bind_data_source, get_analytics,export_artifact, delete_artifact,request_email_verification, verify_email_code,whoami and ping — each described in the tool table above.

Do viewers need an account?

No. Viewers never sign up. Depending on the sharing mode they open the link directly (public), use the secret token link (unlisted), enter a password, or verify their email with a one-time code (email_otp).

Is a deploy public?

No — every deploy is unlisted by default: reachable only via the secret access-token link returned to you, and an existence-blind 404 for everyone else. Content becomes public only through an explicitset_sharing call by the owner.

Where is content hosted?

Artifact content is stored in an EU-jurisdiction bucket and served from a separate sandbox domain (bauta-usercontent.com) inside an iframe with sandbox="allow-scripts" — never onbauta.app itself.