# Ephemeral Publish and Claim Tokens

Restricted accountless publish for when no login or API Key is available.

Human page: /docs/ephemeral
Markdown page: /docs/ephemeral.md

## Use authenticated publish first

Agents should run `agent-paste whoami` before choosing `--ephemeral`. If `whoami` succeeds, publish normally without `--ephemeral`. If it fails and the user can interact, run `agent-paste login` first. Use `--ephemeral` only when no login or `AGENT_PASTE_API_KEY` is available, or when the user explicitly asks for accountless publish.

Ephemeral is not the Free Plan. It is an unclaimed restricted tier: low write caps, 24 hour Auto Deletion, `noindex`, and script-disabled content serving until the Artifact is claimed. Use it for non-interactive text, markdown, images, and static HTML/CSS.

## Flow

1. An agent runs `agent-paste publish <path> --ephemeral`.
2. The CLI provisions an Ephemeral Workspace and short-lived API Key, then publishes through the normal Upload Session flow.
3. The publish result works immediately and includes a one-time claim link shaped `https://app.agent-paste.sh/claim#ap_ct_...`.
4. A signed-in human opens the claim link to move the Artifact into their Personal Workspace.

## Ephemeral limits

| Limit | Value |
| --- | --- |
| Daily new Artifacts | 20 |
| Auto Deletion | 24 hours |
| Indexing | `noindex` |
| Scripts | Present but inert until claimed |

Reads are not tied to the publisher allowance. They are gated only by the platform Artifact read rate limit. Unclaimed ephemeral content is also served with scripts disabled: text, markdown, images, and static HTML/CSS render, but JavaScript does not execute until the Artifact is claimed and new content URLs are minted from a claimed Workspace. For interactive HTML, browser apps, or visualizations that need JavaScript, use authenticated publish instead.

## Claim Token rules

- The token is returned once to the caller that provisioned the Ephemeral Workspace.
- The claim link carries the token in the URL hash, never the query string.
- The token is not embedded in Access Link Signed URLs or public share URLs.
- Expired, missing, or already redeemed tokens fail closed.

## After claim

Claiming reparents the Artifact into the signed-in member's Personal Workspace. The Artifact moves to the Free Plan limits unless the destination Workspace is already Pro.