An AI app you can actually open: how mk0r turns a build into a real URL

When mk0r finishes building you, it gives you a URL of the form https://<vmId>.mk0r.com. The vmId is a 15-30 character lowercase alphanumeric string assigned by the E2B sandbox. You can paste that URL into Safari on your phone, into a Slack message, into a tweet, or into a friend's WhatsApp, and it loads the running app over HTTPS. There is no extra deploy step between the build finishing and the URL being live, because the same VM that built the app is serving it.

There is no separate deploy. The VM that the agent uses to write your code is the same VM that hosts the dev server on port 3000. mk0r owns a wildcard DNS record (the A record `*` → 35.186.212.31 in the mk0r-com Cloud DNS zone) and a wildcard TLS certificate named appmaker-wildcard-cert that covers *.mk0r.com. When a request hits <vmId>.mk0r.com, the Next.js middleware in src/proxy.ts validates the subdomain against the regex /^[a-z0-9]{15,30}$/ and rewrites it to https://3000-<vmId>.e2b.app. The whole chain is alive the second the sandbox is alive.

Yes. The wildcard subdomain proxy does not require any authentication. If you can read the URL, you can open the app. That is the whole point. Your friend on a 4-year-old Android phone, your designer on Safari, your VC on a hotel laptop, all just open the link and see the running app. The only place sign-in is required on mk0r is the dashboard where you manage projects and the publish flow that points a custom domain at the VM. The preview URL itself is public.

Quick mode generates a complete standalone HTML, CSS, and JavaScript document and streams it directly into the preview iframe. It is openable in a different sense: the entire app is a single self-contained document you can copy out, save as index.html, double-click, and watch run in your browser with no server at all. There is no link in Quick mode because there is no server to point at, but the app is still openable from any browser on any machine, offline, with one file.

It survives. The vmId is persisted in two places: the in-memory active session map keyed by your sessionKey (see activeSessions in src/core/e2b.ts), and Firestore under the app_sessions collection. When you reload mk0r, the auth provider rehydrates your anonymous Firebase user, the session is reloaded by sessionKey, and the same vmId comes back. The URL is the same. If E2B has paused the sandbox in the meantime, the next request to the URL triggers an autoResume on the lifecycle config so the VM warms back up and serves the app again.

Both. The preview URL is a normal HTTPS URL with no client-side requirements beyond a browser that speaks TLS. There is no native app, no install prompt, no PWA registration step required. mk0r itself ships a phone-frame preview component that wraps an iframe of the same URL, so you can see how the build looks in mobile dimensions before you ever paste the link into a chat.

Every preview URL is HTTPS. The wildcard cert appmaker-wildcard-cert is provisioned via Google Cloud Certificate Manager with DNS authorization, mapped onto the load balancer through cert map entries (appmaker-cert-wildcard-entry for *.mk0r.com), and terminates TLS at the static IP 35.186.212.31. The E2B sandbox itself also serves over HTTPS at 3000-<vmId>.e2b.app, so the rewrite hop never drops out of TLS.

Many AI app builders advertise built-in hosting but route you through a separate deploy step: build first, then click Deploy, then wait for the worker or container to spin up, then receive a URL. In that model the artifact you tested is not the artifact you shared, and the URL only exists after the deploy succeeds. mk0r collapses build and serve into one VM, so the URL is live from the moment the agent starts writing code. You can refresh the link mid-build and watch the app appear.