Anonymous build flow · MCP-native · Agent Skills standard

Built for
AI agents.

Your agent can build a real, deployed app on OverSkill — no signup, no API key, no human handoff. The user signs up later to keep it.

Try the anonymous build → Install in your agent
The differentiator

Build before signup.

Most platforms require an account before you can do anything. We don't.

Your agent calls POST /api/v1/anonymous_builds with a prompt, gets back a live preview URL and a 48-hour claim link. Hand the claim link to the user. They sign up to keep the app — or it auto-deletes.

Same pattern as Bolt.new's claim flow, but from a true anonymous starting point — no developer credentials of any kind needed to get going.

  1. 1
    Agent posts a prompt — no auth
    POST /api/v1/anonymous_builds {"prompt": "..."}
  2. 2
    OverSkill returns claim package
    { app_id, preview_url, claim_token, claim_url, expires_at }
  3. 3
    Agent hands the user the claim link
    User signs up at /claim/<token> — app transfers into their account. 48-hour window.

Try it from your terminal.

No API key. No signup. Real response.

Request
POST /api/v1/anonymous_builds 
curl -X POST https://overskill.com/api/v1/anonymous_builds \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "Build a coffee shop landing page with hours and a menu",
    "email": "[email protected]"
  }'

The email field is optional — used only to deliver the claim link.

Response (HTTP 201)
application/json success: true 
{
  "success": true,
  "app_id": "QjqEkj",
  "name": "Coffee Shop Landing",
  "preview_url": "https://preview-QjqEkj.overskill.app",
  "claim_token": "eyJfcmFpbHMi...",
  "claim_url": "https://overskill.com/claim/eyJfcmFpbHMi...",
  "expires_at": "2026-05-09T18:00:00Z"
}

Claim window: 48 hours. Auto-deleted otherwise.

Install in your agent.

Works with any agent that supports the Agent Skills open standard or custom tools.

C

Claude Code

Save the skill into your project's CLAUDE.md or ~/.claude/skills/.

curl -s https://overskill.com/SKILL.md > ~/.claude/skills/overskill.md
C

Cursor

@-reference the skill URL or add as a docs source in Cursor settings.

@https://overskill.com/SKILL.md
O

OpenAI Codex CLI

Same Agent Skills format. Drop it in your skills directory.

curl -s https://overskill.com/SKILL.md > ~/.codex/skills/overskill.md
G

Gemini CLI

Reference the skill in your Gemini project context.

@https://overskill.com/SKILL.md
M

MCP server

Auto-discovered via our Server Card.

https://overskill.com/.well-known/mcp/server-card.json
*

Any agent

Fetch the skill file or feed llms.txt into context.

https://overskill.com/SKILL.md

What works without an API key.

Everything below is callable by an unauthenticated agent. Throttled per-IP, hashed-IP audit trail, no PII collected without consent.

No auth required
  • POST /api/v1/anonymous_builds
    Build a trial app from a prompt
  • GET /api/v1/anonymous_builds/:id
    Poll status + preview URL
  • GET /claim/:token
    Browser-facing claim landing
  • GET /SKILL.md
    Agent Skills file
  • GET /llms.txt
    LLM-friendly concise API ref
  • GET /llms-full.txt
    LLM-friendly full API ref
  • GET /.well-known/mcp/server-card.json
    MCP Server Card (SEP-1649)
  • GET /.well-known/agent-skills/index.json
    Agent Skills Discovery RFC v0.2.0 index
  • GET /.well-known/oauth-authorization-server
    RFC 8414 OAuth metadata
  • GET /.well-known/oauth-protected-resource
    RFC 9728 protected resource
  • GET /.well-known/api-catalog
    RFC 9727 API catalog (linkset+json)
  • GET /sitemap.xml
    Full sitemap (markdown-aware)
  • POST /api/v1/auth/magic_code
    Passwordless email auth
Needs API key (or OAuth)
  • POST /api/v1/managed_apps
    Create app under your team
  • POST /api/v1/generation_queue
    Generate without trial state
  • GET /api/v1/managed_apps/:id/files
    Read source files
  • POST /api/v1/managed_apps/:id/deploy
    Deploy to production
  • * /api/v1/managed_apps/:id/env_vars
    Read/write environment vars
  • * /api/v1/managed_apps/:id/custom_domains
    Manage custom domains
  • POST /api/v1/anonymous_builds/:id/claim
    Programmatic claim
  • POST /api/v1/mcp/execute_tool
    Full MCP tool catalog
  • GET /api/v1/usage
    Credit balance + usage
  • * /api/v1/webhooks
    Manage webhook subs
  • * /api/v1/zapier/*
    Zapier triggers / actions
Rate limits on no-auth endpoints: 1 build/minute, 3/hour, 10/day per IP. Claims: 3/min, 20/hr per IP. IPs are SHA-256 hashed before storage. See Privacy for retention details.

We publish all this so your agent finds us.

Standard discovery files at the standard locations. No undocumented endpoints, no scraping required.

robots.txt

/robots.txt

Explicit AI bot allow rules + Cloudflare Content-Signal directive

sitemap.xml

/sitemap.xml

Templates, integrations, /build/* landing pages, more

MCP Server Card (SEP-1649)

/.well-known/mcp/server-card.json

Tool catalog endpoint + auth methods

Agent Skills Index (v0.2.0)

/.well-known/agent-skills/index.json

Discovery RFC v0.2.0 — $schema + skills array with sha256 digests

OAuth Authorization Server

/.well-known/oauth-authorization-server

RFC 8414 metadata

OAuth Protected Resource

/.well-known/oauth-protected-resource

RFC 9728 metadata

API Catalog

/.well-known/api-catalog

RFC 9727 — linkset+json over all our APIs

SKILL.md

/SKILL.md

Anthropic/OpenAI Agent Skills format

llms.txt

/llms.txt

Concise LLM-friendly ref

llms-full.txt

/llms-full.txt

Exhaustive LLM-friendly ref

Link response headers

Every page response carries Link: headers pointing at SKILL.md, llms.txt, and the .well-known/* docs. Agents that don't parse HTML still discover us.

Link: </SKILL.md>; rel="alternate"; type="text/markdown", </.well-known/mcp.json>; rel="describedby"

Markdown content negotiation

Send Accept: text/markdown on a public template page and we return clean markdown — no HTML chrome to strip.

curl -H "Accept: text/markdown" https://overskill.com/templates/<slug>

Standards we follow.

Open specs only. No proprietary lock-ins. Roadmap items called out below.

Model Context Protocol (MCP) — SEP-1649 Server Card

Tool catalog + execution endpoint discoverable via /.well-known/mcp/server-card.json (legacy /.well-known/mcp.json kept for backwards compat). Both HTTP and Node SDK transports.

Agent Skills Discovery RFC v0.2.0 (Cloudflare)

Conformant SKILL.md served at /SKILL.md. Discovery index at /.well-known/agent-skills/index.json with $schema + sha256 digests. Legacy agentskills.io v1.0 card kept at /.well-known/agent-skills.json for backwards compat.

OAuth 2.0 Authorization Server Metadata

RFC 8414 — published at /.well-known/oauth-authorization-server. Doorkeeper-backed authorization_code flow.

OAuth 2.0 Protected Resource Metadata

RFC 9728 — published at /.well-known/oauth-protected-resource. Bearer token auth.

API Catalog (RFC 9727 + Linkset RFC 9264)

Published at /.well-known/api-catalog as application/linkset+json — anchor + service-desc + service-doc + status for every API.

Cloudflare Content Signals Policy

Explicit ai-train=no, ai-input=yes, search=yes directive in robots.txt.

Sitemaps 0.9 / robots.txt

Standard locations, AI bot rules, sitemap reference. Updates daily.

WebMCP (in-browser agent tools)

navigator.modelContext tools registered on every public page so in-browser agents (Chrome Canary 146+) can build apps and search templates without leaving the tab. Falls back gracefully on browsers without WebMCP.

A2A (Agent-to-Agent) Protocol

Agent Card published at /.well-known/agent-card.json — declares OverSkill's skills (build_app, search_templates, deploy_app), supported transports, and security schemes per a2a-protocol.org §8.5. Lets other agents delegate app-building tasks directly.

Security Disclosure (RFC 9116)

/.well-known/security.txt with [email protected] contact and disclosure policy. Standard for security researchers.

🛠️

x402 micropayments (Coinbase + Cloudflare)

Roadmap. Two directions: (1) Pay OverSkill — agents with USDC wallets pay-per-build with no account required. (2) Built into your apps — generated apps get a native `acceptAgentPayment()` so any app you ship can accept x402 payments from visiting agents.

🛠️

MPP — Merchant Payment Protocol (mpp.dev)

Roadmap. First-class for the apps you generate — building a marketplace? Every generated app can natively expose MPP endpoints so AI shoppers can buy through it without leaving the agent context.

🛠️

UCP — Universal Commerce Protocol (ucp.dev)

Roadmap. Same dual angle as MPP — your generated commerce apps can speak UCP out of the box, and OverSkill itself will speak UCP for agent-driven build purchases.

🛠️

ACP — Agentic Commerce Protocol (agenticcommerce.dev)

Roadmap. Round out commerce-protocol coverage so agents shopping for / via your generated apps have a consistent payment surface regardless of which spec they speak.

🛠️

Web Bot Auth (RFC 9421 HTTP Message Signatures)

Roadmap. Cryptographically-signed agent identity → tiered rate limits, and propagated into generated apps so they can authenticate the agents calling them.

Build something for someone right now.

No signup. No API key. 48 hours to claim.

Try the anonymous build → Read full agent docs

For developers building on top of OverSkill (auth required): API Documentation · llms-full.txt · Webhooks