Show HN: Sharing LLM Artifacts with your team
Dropway is an open-source, self-hostable platform that converts static folders into live, versioned URLs with granular access control. It introduces LLM-friendly features, including automatic `llms.txt` indexing for public sites and secure MCP server integration for gated content. The architecture leverages Next.js for the dashboard, Go for the backend API, Cloudflare Workers for edge serving, and Postgres for data management. Security is prioritized through multi-tenant isolation, immediate acc
Analysis
TL;DR
- Dropway is an open-source, self-hostable platform that converts static folders into live, versioned URLs with granular access control.
- It introduces LLM-friendly features, including automatic
llms.txtindexing for public sites and secure MCP server integration for gated content. - The architecture leverages Next.js for the dashboard, Go for the backend API, Cloudflare Workers for edge serving, and Postgres for data management.
- Security is prioritized through multi-tenant isolation, immediate access revocation, and serving untrusted content on separate Public-Suffix-List domains.
- It solves the friction of sharing static assets by providing four distinct sharing tiers: public, password-protected, email allowlist, and organization-only.
Why It Matters
This tool addresses a critical gap in the developer workflow where creating static content is easy, but securely sharing and managing access to it remains complex. By integrating native support for AI agents via MCP and LLM crawlers, Dropway prepares static infrastructure for the emerging era of autonomous web interaction, ensuring that access controls apply equally to human users and AI bots.
Technical Details
- Architecture: Built with a Next.js dashboard (using Better Auth for identity), a Go API for the system of record and authorization, Cloudflare Workers for edge content delivery, and Postgres with Row-Level Security for multi-tenancy.
- Deployment: Supports both managed SaaS and self-hosting via Docker Compose, bundling Go, Next.js, Postgres, and MinIO (as an S3/R2 stand-in) for easy local development and private deployment.
- Access Control: Implements four sharing tiers (public, password, allowlist, org-only) with immediate revocation capabilities and audit logs for compliance and security monitoring.
- AI Integration: Automatically serves
llms.txtfor public sites to enable discovery by AI crawlers (GPTBot, ClaudeBot, etc.), while restricting gated content to authenticated access via OAuth 2.1 MCP servers. - Security Isolation: Untrusted tenant HTML/JS is served from distinct subdomains based on the Public-Suffix List to prevent cross-site scripting and session hijacking between tenants.
Industry Insight
- AI Infrastructure Evolution: As AI agents begin to browse and interact with web content natively, platforms must provide standardized mechanisms (like
llms.txt) and secure programmatic access (via MCP) to manage AI traffic and permissions effectively. - Shift in Static Hosting: Traditional static hosts focus on performance and uptime; next-generation tools must prioritize governance, auditability, and granular permission models to meet enterprise security requirements for internal and external sharing.
- Self-Hosted AI Readiness: The availability of self-hostable solutions with built-in AI agent support allows organizations to maintain data sovereignty while enabling their internal tools and reports to be consumed by private AI assistants securely.
Disclaimer: The above content is generated by AI and is for reference only.