NowPage MCP — Pricing & Access Control

How the NowPage MCP server authenticates paying customers and protects access.

Product: AI-Powered Publishing — $50/month per site

Your customers connect Claude.ai or ChatGPT to their own website and publish pages by talking to AI. No CMS, no code, no login — just ask and it publishes.


How Authentication Works

Two independent security layers protect every publish request:

Customer's AI (Claude.ai / ChatGPT)
               │
               │  Bearer token: customer's NowPage API key
               ▼
┌─────────────────────────────────┐
│  MCP Server (Vercel)            │
│                                 │
│  Layer 1: ALLOWED_DOMAINS       │
│  ✓ Is this domain in our list?  │
│  ✗ → 403 Forbidden              │
│                                 │
│  Layer 2: Pass-through auth     │
│  Forward customer's API key     │
│  to NowPage for validation      │
└──────────────┬──────────────────┘
               │
               ▼
┌─────────────────────────────────┐
│  NowPage Platform               │
│                                 │
│  Layer 3: API key validation    │
│  ✓ Is this key valid?           │
│  ✓ Is this key scoped to this   │
│    domain?                      │
│  ✗ → 401 Unauthorized           │
└─────────────────────────────────┘

Security Layers Explained

| Layer | What It Does | Who Controls It |
|---|---|---|
| 1. Domain Allowlist | Blocks publishing to any domain not in the ALLOWED_DOMAINS env var | You (server admin) |
| 2. Bearer Token | Customer's API key is forwarded with every request | Customer (their key) |
| 3. NowPage Validation | NowPage verifies the key is valid and scoped to the target domain | NowPage platform |
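
One way the Layer 1 allowlist check and the Layer 2 pass-through could be written, as an added example that is not NowPage's own server code. The function names, the local 401 for a missing token, and the sample key are assumptions, and it covers Customer mode only.

```javascript
// Added example: parseAllowedDomains, normalizeDomain, bearerToken and
// authorizePublish are hypothetical names, not part of the NowPage MCP server.

// Parse the comma-separated ALLOWED_DOMAINS value into a set of normalized hostnames.
function parseAllowedDomains(raw) {
  return new Set(
    String(raw || "")
      .split(",")
      .map((entry) => normalizeDomain(entry))
      .filter((d) => d.length > 0) // a trailing comma must not allow the empty host
  );
}

// Trim, lowercase and drop a trailing dot so "ClientSite.com." equals "clientsite.com".
function normalizeDomain(value) {
  return String(value || "").trim().toLowerCase().replace(/\.$/, "");
}

// Extract the key from "Bearer <key>"; null if the header is absent or malformed.
function bearerToken(header) {
  const m = /^Bearer\s+(\S+)$/i.exec(String(header || "").trim());
  return m ? m[1] : null;
}

// Layer 1, then Layer 2, for a customer-mode publish request.
function authorizePublish(allowedRaw, authHeader, targetDomain) {
  const allowed = parseAllowedDomains(allowedRaw);
  const domain = normalizeDomain(targetDomain);
  // Exact match only: suffix or substring matching would admit look-alike hosts.
  if (!allowed.has(domain)) return { status: 403, forward: false };
  const key = bearerToken(authHeader);
  // Assumption: a customer request without a token is refused before forwarding.
  if (!key) return { status: 401, forward: false };
  // Layer 2: forward the customer's own key; NowPage (Layer 3) checks validity and scope.
  return { status: null, forward: true, domain, headers: { Authorization: `Bearer ${key}` } };
}

// Constructed sample input, based on the ALLOWED_DOMAINS value shown on this page.
const ALLOWED = "ideas.asapai.net, cowork.asapai.net,clientsite.com";
const KEY = "np_example_key"; // constructed placeholder, not a real key format
console.log(authorizePublish(ALLOWED, `Bearer ${KEY}`, "ClientSite.com."));
console.log(authorizePublish(ALLOWED, `Bearer ${KEY}`, "clientsite.com.example.net"));
console.log(authorizePublish(ALLOWED, `Bearer ${KEY}`, "notclientsite.com"));
console.log(authorizePublish(ALLOWED, "", "clientsite.com"));
```

Passing the allowlist only means the request is forwarded; the key's validity and domain scope are still decided by NowPage in Layer 3.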

Customer Onboarding (5 minutes)

1. Create Their API Key

In the NowPage admin, create a new API key scoped to the customer's domain (e.g., clientsite.com).

2. Add Their Domain

Go to Vercel → Project Settings → Environment Variables.
Add their domain to ALLOWED_DOMAINS (comma-separated):

ideas.asapai.net,cowork.asapai.net,clientsite.com

Redeploy after changing env vars.

3. Send Them the Guide

Share the Customer Connection Guide along with:

4. They Connect (2 minutes)

Customer pastes the URL and their API key into Claude.ai or ChatGPT. Done. They can publish immediately.

Revoking Access

Two ways to instantly cut off a customer:

| Method | How | Effect |
|---|---|---|
| Remove domain | Delete their domain from ALLOWED_DOMAINS + redeploy | All requests to that domain are blocked at the server |
| Invalidate key | Revoke their API key in NowPage admin | NowPage rejects their requests even if domain is still allowed |

Both methods take effect immediately. Use both for full revocation.

What Customers Get

Two Access Modes

| Mode | Auth | Use Case |
|---|---|---|
| Owner | No Bearer token needed | You (admin) publishing to your own sites. Server uses its own API key. |
| Customer | Bearer token required | Paying customers. Their key is scoped to their domain only. |

Key Security Facts


Future enhancements: Usage tracking per customer, rate limiting, Stripe auto-provisioning, and a self-service onboarding portal are planned but not yet built. The current system handles manual onboarding at scale up to ~50 customers.

See also: Customer Guide · Admin Guide · Deploy Guide