Developing a web app locally is easy; showing it to the world usually is not. The traditional route is to deploy to a remote server behind a reverse proxy like Caddy or nginx, then keep the remote copy synchronized, upgraded and restarted every time you change something.
There is a lighter way. Keep running your app on your own machine — say on
http://localhost:5000 — and forward it out over a single SSH
command. No server to rent, nothing to configure remotely.
Point an SSH remote-forward at app@ssh.my-ns.me:
ssh -R80:localhost:5000 app@ssh.my-ns.me
On your first login with a given SSH key, a Bitcoin Lightning invoice is
shown right in the terminal (as text and as a QR code). Pay it once —
1000 satoshi — and your key is admitted for
good. You immediately receive a permanent subdomain of the form
<name>.app.my-ns.me, where <name> is
a random 4-letter shortname. (The invoice itself expires after
1 hour — if it lapses, the next login simply shows a fresh one.)
Payment is tied to the SSH key, not to an account — there is no signup, no
login, no password. As long as you connect with the same key, the same
subdomain stays yours for the lifetime of the project. HTTPS for your
subdomain is terminated by our reverse proxy, so visitors reach your local
app at https://<name>.app.my-ns.me.
Port 80 above is just a convention — you are forwarding your
plain HTTP server to the remote side, and the proxy wraps it in TLS.
The onboarding works without an interactive terminal, so it can be driven by
a script or by an LLM agent. The invoice is printed on a stable line —
Please pay: <bolt11> — that you can grep for:
ssh app@ssh.my-ns.me </dev/null | grep 'Please pay:'
If you are wiring this up from an autonomous agent, there is a machine-readable guide with the exact steps (get the invoice, pay it or hand it to the user, then bring up the tunnel): /SKILL.md.
On the very first connect ssh cannot know this server's identity and asks you to trust an unverified fingerprint. You can do better: this page is served over HTTPS, so pin the host keys through it before connecting — the prompt then never appears, and later connects are verified:
curl -s https://app.my-ns.me/known_hosts >> ~/.ssh/known_hosts
The /known_hosts fragment is generated from the live host keys. If you prefer to answer the first-use prompt manually, compare the fingerprint it shows against this list:
SHA256:mL8pdWH4vfP7tfjMnbm0/GqH3fwrtZH2C2TwyrxpRBU (ecdsa-sha2-nistp256)
SHA256:BoNo8doPQP1G8Su1NH6XLP+uzQj73PvJHuTSzl2XPqc (ssh-rsa)
SHA256:17T0vjZHyr/vjOmxs8T+dAK3j+cSXdhFCNYnzOcrUVQ (ssh-ed25519)