Fascinating. This is through Stripe rather than wrangler or anything. Coding agents were pretty good at handling the Cloudflare API already with an API key, but I think this thing that Stripe is doing by being the central hub through which all agent stuff goes by integrating with their CLI is a pretty good move for them.
Claude has been buying domains and deploying to Vercel for me using aws cli, vercel cli, and gh cli since December. Personally I prefer a cli to an MCP server for this type of thing.
The question was what's in the dots. I have no doubt that agentic systems are good enough to buy domains and make one-shot websites from a prompt, but what is the legitimate use case for which you'd want to repeatedly perform "Make a website that does..." on a new domain?
"Legitimate"? What scams are you implying are happening? A friend of mine wanted a site to help him sell DJ lessons. Another friend has a haircutting business that wanted a better site. Massage therapy. Etc.
One obvious scam, for example, would be someone trying to perform some reputation-destroying action and laundering domains to do so. Another might be creating a bunch of SEO slop domains to try and farm ad revenue on various topics with AI content; Google seems to be doing better at downranking those but I'm sure it's still a thing.
I suppose it's possible that someone's just running a charity Wordpress-like operation for their friends who all want websites.
I had to conduct a remote interview for a company I just joined and we had no tools to do it. So I vibe coded a live code sharing app. That shares an editor and is able to run code in a sandbox. This was last night. The interview I just finished an hour ago.
In the middle of the interview there was a bug where our sessions no longer synced. So that’s a downside. But before that the interview was perfect.
All of the domains are public. Whenever a new model comes out I like to ask a very specific prompt that helps me identify niche markets with high buyer urgency, have the AI rank them across a rubric, pick the one that has the highest degree of automation potential and then have it build me an MVP.
I’m not trying to shamelessly promote here but since you asked one of them is at jobwiz.biz
That is ironic. Four years ago, cloudflare didn’t let human me have an account / buy domains because I signed up, never used a single service but didn’t respond to a request to verify my drivers license
> This account is in violation of Cloudflare's Terms of Service. Specifically fraud. The suspension is permanent.
(Yes that’s really it. Sincerely. No “but I also abused X”)
> By agreeing to these Terms, you represent and warrant to us: (i) that you have not previously been suspended or removed from the Websites and Online Services
CloudFlare ToS has you covered. A human must accept it, even with the new agentic flow.
I think this is just saying you can’t sign up for a new account after a previously created account gets suspended, not that the act of suspension itself causes you to violate the the terms of service in perpetuity because, pedantically, any suspension that has happened, happened “previously”.
This conflict is popping up everywhere. There is a push by a lot of companies to allow agentic use of their services (and new companies explicitly offering "X for agents"), ignoring the fact that "agent" means the same thing as "bot" which we've spent the last couple of decades actively filtering out. Will be interesting to see how it plays out.
The future is the internet will be entirely bot activity and humans will ether be strapped in to the metaverse reels ai slop feed or they will be outside interacting with people in person again. Both of these seem like likely futures and probably both at the same time.
This reality also crystalized for me earlier this week when I saw a post about unchecked AI slop videos about WWE being posted to YouTube. Many of the videos suffer from the LLM stroking out (for lack of a better term) and devolving into mumbling, screaming and white noise. Yet, the comments are replete with obvious bot content which doesn't mention this at all and talks past the larger, flimsy narrative on display (i.e. AI-generated), anyways. We're exhausting our natural resources and reducing quality of life for a great number of real, live people so bots can talk past each other on YouTube.
So, if you're looking for me, I'll be hiking while it's still legal.
You better mean “hiking” as in through the metaverse forest strapped into your corporate-sponsored VR headset, because outside time is for citizens only, friend.
My wildest dream: we make a superintelligence, which destroys humanity to free up resources for it to make and consume an endless stream of impossibly cute kitten videos.
And before anybody replies: no, I don't mean "and puppy." They're just not as cute.
Aaron Swartz faced 50 years in prison and $1 million in fines for sharing academic research papers on a local network. Meta/OpenAI/et al. rip off copyrights for profit and the Pentagon comes calling with flowers.
Curious, is there an Andreesen Horowitz Agent MCP?
Let’s automate this end to end, from idea to raising capitals. Vibe Angels should just be multi agents managing how much capitals to allocate to each projects.
As a user of the internet I can only imagine this worsening my experience by allowing even more slop to permeate the network's every orifice.
Also, when an agent sets up a domain, who is the domain owner? Who responds to takedown requests? What if it then decides to host illegal content at the domain (generated or otherwise). Who is responsible? Agents aren't (yet) legal persons, so it must be the person who owns the agent, but if that person never even sees the legal agreement being agreed to how would it hold up in court? If the person didn't direct the creation or hosting of illegal content, what then?
Humans will not win in court with a "but the agent did it, I had no idea" argument. Just look at how the cases against OAI are going, and that's where families lose a loved one. There's not going to be any sympathy when your agent committed fraud on your behalf.
And it's not like pro agent companies have a reason to self regulate. They're not going to absorb that liability voluntarily, they'll push it onto users contractually (most of them already do). This is just another channel to bring in customers. They will capitalize ruthlessly to increase their bottom line.
Interesting questions you bring up. Especially the legal ramifications as to how it would fully work within current legal framework.
I suppose there would be a broad disclaimer and agreement one would have to agree to that would state that users of the service are ultimately responsible to monitor and ensure websites deployed by agents comply with local laws.
Ultimately I assume that since it is not the agent who pays but a registered user that the user would own the site. And that the legal agreement would be agreed to beforehand so it is legally binding.
Most of the sysadmin and devops team have been downsized in India because of AI.
Basically, now it's trivial for any new devops guy to run such a query in Claude Code:
“Log in to this production server, find out all services it runs and their deployment method, create documentation about everything, and generate a repeatable, auditable deployment workflow.”
Devops and sysadmins can no longer withhold information to maintain job security.
Boom, 80% of the team gone.
I know companies are doing migrations of production Postgres and MySQL on 1000s of machines using AI agents.
I’m imagining how many SaaS will be automated out and simply be an "agent skill" in ClaudeCode.
> Devops and sysadmins can no longer withhold information to maintain job security.
I can't imagine this is very prevalent. That's a very 2004-style corporate immaturity; I get the sense that even the slow-moving behemoths of the software world have mostly caught up to, say ... 2017's recognition of the importance of automation and reproducibility and won't tolerate the kind of malpractice you describe--wilful information siloing by infrastructure teams.
Like, those businesses might well suck at automation! But they've been doing it and firing the people who resist it for a long while now.
Only downsized? I would expect them to cease to exist entirely in the coming years, as western companies begin to realize that AI is cheaper and more competent than the Indian firms they usually outsource work to.
Can you support this claim with some evidence? Not just about the redundancies, but I’m also particularly interested in hard data showing Claude is capable of doing that kind of research with near 100% verifiable accuracy and migrations with no data loss and equivalent functionality (which is required to sustain your claim).
And when it goes wrong, production is down, until they can get a real devops to look at what shit the AI-only guys did wrong. Haha, no serious shop would act like that, but then again most shops are not serious, now are they? So you might have a point.
I was pleasantly surprised when I read the headline a few days ago. But it's only accessible through Stripe right? I'm simultanenously very concerned about the centralized control that Stripe gains (it's not going to be just access to Cloudflare) and also amazed at how Stripe is shaping to be. It was just a payment processor.
The agent starts a phone call, listens to the person on the line, analyzes which fraud bucket they fall into, and start the process.
While they are on the phone with the agent, it buys a domain relevant to the victim, the agent codes and deploy the website specially catered to them and the fraud bucket. Collect payment, destroy the website, redirect the domain to google.com. no need to start a new call because you had several agents committing the same fraud in parallel.
I thought this was excessive and impossible, but as I was reading, I realized nowadays everything you say is technically possible. The future gives me the chills.
The likely outcome is that the phone system becomes massively more locked down. Your phone will only ring if the caller has a number which is backed by a real ID, particularly one from your own country. It will become increasingly difficult to contact someone you don’t have a legitimate connection to.
The banking system will become increasingly fraud resilient with better real time detection of fraud.
Your phone may even have its own AI on your side listening in on the call and sounding the alarm when a number from Nigeria starts using an AI voice pretending to be your son.
You would just get called from an agent (bot) based in your country. There’s no easy way to prevent that. Fraud is massive and it’s becoming cheaper and easier to run at scale.
Then when it gets reported the authorities can just look up the owner of that number and arrest them. Vs overseas based operations that are difficult to follow up on.
The authorities already don’t have much leverage over “domestic” spam call centers that are actually located overseas but somehow always manage to acquire domestic numbers to call from.
A couple of years ago Australia had a big reform of the laws where sms providers / voip companies had to actually verify their users owned the numbers they send from. Anecdotally before then I was getting a scam text message every day, now I haven’t had one in years.
Phone numbers in Australia are also all tied to ID. If there is a will to fix the system, it can be done.
China has much stricter control over phone #'s and identities than USA/EU does. It's much more difficult for me to create a placeholder digital identity in China. I wouldn't love that solution, but it exists.
As a result, it's very difficult for me to use a lot of Chinese websites and it's a pretty sizable barrier to hardware development when Chinese citizens can just download the relevant datasheet off some Chinese forum in 5 minutes, but I have to sign NDA's with western companies or figure out how to WeChat a Chinese OEM to send me their datasheets.
I swear it's harder for us to access Chinese sites than it is for them to VPN to outside services. There's one event I was looking at going to in China but the announcements/chat was on QQ which as far as I can tell is just impossible to access.
> The likely outcome is that the phone system becomes massively more locked down.
We've had phone fraud for decades, and the system has dragged its heels forever. I genuinely don't know if even this will be enough to address phone spam.
Ostensibly this is what STIR/SHAKEN was supposed to cover but aiui they basically fucked it up so bad that it will only work for domestic calls in the US.
It is amazing to me that people still answer their phone. If it isn’t my wife or kids then my phone has a silent ringtone. If your voice mail doesn’t successfully transcribe to text then I delete it without listening. I check my postal mail since mail fraud is the only thing still taken seriously by anyone.
Is mail fraud really taken seriously? after I bought my house I got dozens of letters every few days that appeared (or tried to appear) from my lender warning of "FINAL NOTICE call this number about your mortgage!!!!!". The phenomenon is apparently so common and well known that my realtor, the seller's realtor, and my lender ALL warned me about these letters.
I feel like it should be easy for the postal inspectors or to go after these, if they cared. Just gather up some of these letters from someone who just bought a house (seems to be public record when someone buys a house, that's how the scammers know when to target someone). Then just call the number in the letter, trace the call and arrest whoever is there.
Sounds valuable, it can issue shares onchain and distribute profits - after a cumbersome fiat settlement and transfer stage - enabling the market and researchers to get price discovery on this sector finally
Instead of extrapolating only from reported fraud by victims
Earlier, I was using Zoho and FastMail (however you dice it, it will use some money, $12 a year for Zoho and $7 per month for FastMail? Even then, perhaps you only get one mailbox and some aliases)
but with this method, I get unlimited aliases, domains, and mailboxes:
Now, I wrote a script which captures the email and saves attachments to S3 using the HTTP API (why S3 and not R2? Because Cloudflare wanted a credit card, and I was too lazy to add it there lol) and emails to D1.
This uses an email -> webworker workflow.
I use an API to fetch my emails.
This means all my inbound emails are now handled by Cloudflare, and I can easily use all of it with zero payment.
The best part is this supports tokenised emails, so I can provide a unique email address to each service I sign up for.
I am using SES as the sender. I’ve set up one script which auto-sets up any domain in SES and auto-verifies the sender email.
The funniest thing is I am receiving zero spam? As if other email providers sell my email?
That's not a well kept secret, that's just a workflow that almost nobody would accept for their email setup which is the center of most people's digital identify and should always work and not be a duct taped construct to save a couple of bucks.
that's the thing it cannot stop working because webworker and email forwarding is very reliable, email itself has retries built it and soft bounce handling.
Just a heads up I have seen complaints about CF email forwarding completely dropping emails that failed to pass certain SPF validation. They get completely dropped and the worker doesn't get called and they don't get forwarded, rather than in something like Gmail it would end up in spam
It's not about the uptime or scalability. Everyone has to make the choice for themselves if they value their time less than $12/year (Or free if Google is an option) for a critical part of their digital infrastructure to set all these moving parts up and keep them running over years.
I'll stick to Fastmail, where if something isn't working as expected I can just email them and get a response from a real human.
But they paid for the emission just like every other electricity consumer? Then who are we to determine the Hello World page is morally more wasteful than outdoor terrace heaters or advertising jumbo-trons?
I hear your argument. However, you assume CloudFlare pays taxes and utility rates comparable to what other customers pay. That is never the case with large businesses. CloudFlare seems to be less parasitic than others in the industry, but they are not doing this for the charity.
For example, in 2024 JPMorgan received a $77m subsidy to build a datacenter that created only one permanent job.
why does cloudflare not allow existing users to create new accounts? you basically need to use a burner email and transfer it afterward. makes it awkward to use this on new projects that you want independent of your existing accounts.
The reason this blog post does not come with any concrete examples how to use this enablement for useful and constructive things tells you something very important - it is a toy and they do not know who and how they will use it.
It is cool feature but to what end? Buying a domain is not something you have to do daily to require any kind of automation.
I am also not sure who Stripe Atlas for. I am genuinely confused. It is definitely not something a developer will use.
I understand that you can bootstrap a number of systems but that is like half-hour of work and arguably it is probably a good idea to do it manually to make sure you have strong foundations.
I've have personally never seen a good example where a cross vendor account provisioning actually working. For example, Fly.io used to provision Sentry accounts automatically which you could not access in any other way but through Fly.io. I mean the Sentry account was effectively locked to a project that you cannot transfer - hijacking the actual global alias as well. Vercel did something similar with PostgreSQL via Neon and Redis via Upstash resulting in painful migration processes.
I can imagine ending in some kind of deadlock between services due to security hence why the 30 minutes initial setup is kind of time well spent to avoid future issues.
> Buying a domain is not something you have to do daily to require any kind of automation.
Sorry, but no, you totally miss the fact there are domain farms which buy the dropped domains and then offer them up for sale. Bots now use AI to analyze the domain's value and automate the whole process. To be able to let AI buy it as well likely offers a tremendous amount of time saving.
They may be wrong on that particular point, but Cloudflare definitely profits from increased crime as it drives increased sales of Cloudflare's security products. There are rumors they even knowingly help protect DDoS botnets because they benefit from there being more DDoS.
Domain registration is already API driven and has been for decades. The most sophisticated domain name investors (or "domain farms") go as far as to own registrars directly so they have instant access to the registries. Nobody involved in domains would use Cloudflare's product because they already have and have had automations for decades.
For example, DropCatch (NameBright) own over 1,000 different registrars so that they have over 1,000 direct routes to Verisign's .com registry. GName are a new player in the space, approaching 1,000 registrars. The amount these companies spend on their registrar licensing alone is many millions of dollars[1].
Cloudflare's product adds nothing new to the world of domains. Anyone has been able to go to OpenSRS and sign up as a reseller with API access for over 20 years.
Perfect for spammers, scammers and domain squatters, who can now automate their activities even more.
Can’t think of any other uses for this given the current state of LLM ‘agents’, though I can’t wait for the next report of something like ‘openclaw registered 1000 domains for me without asking and now cloudflare won’t refund me’.
And cloudflare can actually sell them priority access to pass their bot protection or introduce micropaiments for agents access content. I feel cloudflare is getting a bit scary tbh. It is like your friendly bot net.
Yea, I appreciate them protecting it from DDOS. I always viewed them as a responsible company.
To me this feels irresponsible and like it's main goal is to forward autonomous cyber attacks. Which is antithetical to what they do? Maybe I am missing the legitimate use case here, but I can only see this being used for removing responsibility from crime or espionage?
Does anyone know offhand if cloudflare is a department of war contractor? I never looked into it. But this smells funny to me
Somehow the Internet needs biometrics and age verification everywhere but also chat bots can buy property there without too much thought.
Most people don't get DDOSed, and for many of the ones that do, they can just wait it out until the attacker gets tired of burning money. It's very costly and risky for the attacker. Obviously they do occur sometimes - so does murder - but Cloudflare is massively exaggerating the risk of drive-by shootings to make you buy their bulletproof vests.
Depends on how democratic the Society is. The less so, the more it's a powerful minority at the top. How much say did the average US citizen have in starting this war with Iran? It's not something the current administration ran on to get elected. It's not very popular in the polling.
Are you perchance talking about deSEC? I've also switched to them, and thought that it was too much work to send an email and wait for replies, so I ended up using dummy inboxes for my other, lesser important domains.
Though I guess it's still a good thing they do this? At the time I remember being mildly inconvenienced, but not enough to actually care. I just remember thinking, "How is this nonprofit going to handle all that support volume?".
LLM generation in general provides the most use to scammers and the like. Generate emails which people won't read, generate articles which are just honeypots or rip-offs, generate images to said articles, generate more and more spam.
Every legit use case for LLM practically requires that human would verify the result manually, at least briefly. But spammers can enjoy skipping that step, since content was never a main priority in the first place.
Any business can be run in a shady manner if the human decided. One fully automated business I think could exist and might be useful is apartment/condo rental. I'd pay a business $100 for a proper report on the rentals available in a city that meet a criteria and are amalgamated from all the the various platforms. Doing it yourself (at least in Canada) means creating accounts on a bunch of platforms, and the process is very tedious.
> Any business can be run in a shady manner if the human decided.
No kidding.
> One fully automated business I think could exist and might be useful is apartment/condo rental.
We're starting strong on the category of businesses that generate no actual value and just scrape an amount of value out of existing transactions that would've happened anyway, i.e., rent-seeking. But good for you, you can now artificially shrink the supply of limited-availability goods in the market, then gate access to them behind a paywall, and you don't even have to do the minimal amount of actual work required to fleece strangers for part of their paycheck while creating no value.
Despite paying rent for an apartment, it’s not rent-seeking. You get a place to live out of it that wouldn’t exist without the owner renting it to you.
Rent-seeking is a very specific economic term where a party inserts themselves into a transaction and takes a cut without providing anything: https://en.wikipedia.org/wiki/Rent-seeking
Being a landlord comes with significant responsibilities and even principal investment risk.
> Despite paying rent for an apartment, it’s not rent-seeking. You get a place to live out of it that wouldn’t exist without the owner renting it to you.
> Rent-seeking is a very specific economic term where a party inserts themselves into a transaction and takes a cut without providing anything: https://en.wikipedia.org/wiki/Rent-seeking
> Being a landlord comes with significant responsibilities and even principal investment risk.
Economist here. Yes, this was a correct use of the term "rent-seeking behavior". It's actually quite funny to see someone try to argue otherwise, when the name was chosen because this is, literally, the textbook example.
A landlord is partially rent-seeking. Yes they provide the service of making sure the apartment is habitable (cough) and so on, but they charge above market price for that. How do I know? I know because I'd do it myself for cheaper if that was an option, but it's not an option because landlords own all the spare apartments. (Why don't I buy one then? They're very expensive because I have to price-match the landlords, who are paying very high prices for the right to rent-seek!)
The market for real estate is basically the market for taxi medallions. It costs something to run a taxi, but there are a limited number of medallions and you can charge well over that cost because you have a medallion, which also makes the medallions very expensive. Until Uber comes along. But you can't just make an illegal apartment without land the same way you can make an illegal taxi without a medallion.
So if anyone accepts your challenge will you move the goalposts and tell them their business isn’t good enough in your point of view? It doesn’t seem like you’re actually interested in dialogue. You also don’t seem to be aware of the definition of rent seeking but that’s an entirely different topic.
I’ll sit out your little experiment because I’m not in the mood for this kind of response. But you may discover that if you turn down the venom a little, qualified people could teach you things like automated business models that are quite ethical and even the definition of rent seeking.
> So if anyone accepts your challenge will you move the goalposts and tell them their business isn’t good enough in your point of view?
It's not a value judgement, it's literally rent-seeking behavior. You're seeking, to rent, property that you own, presumably for a profit. Like come on, it's what the word means.
> You also don’t seem to be aware of the definition of rent seeking but that’s an entirely different topic.
Both my command of the English language and the economist elsewhere in this thread disagree with you, but go off I guess.
> qualified people could teach you things like automated business models that are quite ethical and even the definition of rent seeking.
And yet instead of citing one you went off a tone-policing rant.
My question was quite open-ended. I genuinely didn't expect someone to come in and list the textbook example that an actual economist went on to point out was crap for the exact reason I said, truly. But that's the kind of poetic unawareness that one really can't plan for.
> I'd pay a business $100 for a proper report on the rentals available in a city
I'm curious about things of this nature, where it seems like a case of "this information is important to me and I want accurate results".
But then the talk of automation seems to exclude careful human review of those results, which is needed to stop hallucinations from making their way to customers.
> I'd pay a business $100 for a proper report on the rentals available in a city that meet a criteria and are amalgamated from all the the various platforms.
If this can be fully automated then you can just ask your own agent to do this and wouldn't need a business for it. And agents can already fill out web forms just fine.
Well like most rich guys, I have an assistant, so I don't need or use "agents" - maybe my assistant could learn to use "agents" - but her core competency isn't, nor should it be, learning to use AI agents in any meaningful way. Maybe she could outsource it to someone who got their agents to do it for her for $100.... Same with my little sister who has a 5 year old and a 2 year old and doesn't really know how a computer works never mind what AI agents are.
I disagree frankly, as the next wave is clearly fully autonomous businesses.
Considering the disaster of that AI-powered store in San Francisco, I'm skeptical that this could happen in the next wave. Or even the next ocean.
(WSJ article from a few weeks ago stated that the "AI" can't stop ordering candles, and manages the staff so poorly that sometimes there are no employees scheduled for some shifts.)
So, so many pro-AI/AI boosters just... Ignore this rather inconvenient fact in my experience. They will hype up how epic agentic coding is, or agentic <whatever here> is, all day long, but they will never tell you that LLMs are really benefiting scammers and criminals the most, who can now generate literally infinite content, for infinite amounts of time, because they don't need to verify or prove anything legitimate. And people who are apart of both of these groups are very, very good at sending, to the LLM, prompts that look completely innocent to any kind of guardrail or filter that these companies can devise. The only other use that is probably more profitable is porn. Really.
It’s been said that “Nigerian prince” email scammers intentionally use poor spelling and grammar in order to narrow their funnel at the top by quickly weeding out observant and wary people who are unlikely to fall for it.
By that token, LM-generated content which looks good at a glance but doesn’t hold up to scrutiny seems ideal for scamming. I’d speculate that in the scam content generation workflow, not only is there little penalty to skipping the verification step, but since you intend to push that step onto the target and hope the result is a false positive, subtly wrong hallucination might be not only tolerable but in fact better for its purpose than what a human could produce.
I'm convinced that one of the top use cases for OpenClaw is orchestrating cold outreach email campaigns, as if there's nothing wrong with using AI to spam people to death. Platforms that enable sending cold emails are taking a sizeable risk that the low engagement of such emails stimulates some worsening inbox deliverability for the rest of their traffic (see [1] - you can't hide just by sending through big tenanted platforms like Amazon).
[1] Every message sent from Amazon SES carries a "Feedback-Id" header that allows Google (and anyone else) to track the Amazon account responsible for the message. The fourth field is an opaque but stable identifier associated with your Amazon account; receivers can and do use this for rate limiting:
https://aws.amazon.com/blogs/messaging-and-targeting/underst...
Technically, you could create many top level Amazon accounts, but if you want to send lots of mail, you must warm up your account. So accounts can be created, but it’s useless if you need to send high volumes of messages.
I have a hobby or we could even say an addiction of having lota of ideas for various kinds of things. Part of the fun is inventing a name, visual identity, logo etc. and donain nane is part of it. Maybe they never reach production but many have. I have tools to automate boring parts like any developer would — and I could essily use something like this.
Generate hyper personalized ads in any format! Embed them stealthily into virtually any context!
I guarantee thats all big tech is thinking about as the future of LLMs. All this coding stuff is merely a good will investment to buy them time until they can implement this
The only use case that pops into my mind is to build a product like Shopify that sets up a store, email, landing page, etc all from one chat-bot interface.
I was about to say, this type of automated domain purchasing and deployment is a godsend to scammers.
They buy up a bunch of .top, .shop and .xyz domains for $1 each. They spam them out in in all those "USPS tracking" spam text and Facebook fake store ads. The shelf life on these domains is a few days at best before they get shut down, now you can automate domain rotation and not have to pause your spam campaigns.
> Perfect for spammers, scammers and domain squatters, who can now automate their activities even more.
Buy why do this, unless you're in the business of arming both sides of a conflict?
(With a side bonus of designing a defense product in such a way that you reverse much of the ground that was gained with "HTTPS everywhere", to give you centralized cleartext access to much of the Internet traffic.)
I kind of agree with you, I would hazard that this is perhaps targeted towards folks (maybe TPMs, small business owners) who are using ai to start a software side business or make a website and have never bought a domain before or configured DNS.
I guess also; something that saves me 20 minutes a few times a year is still nice.
People making cooking websites, websites for their garden, etc usually have nowhere to go. A web app who is an agent for a customer will then deploy agents in the backend to deploy the website too.
Basically what one would do manually, you tell one agent to make another agent do it.
It's certainly a great and useful tool. But it's a website maker somewhat in the same way that a Facebook page or Instagram account is a website maker.
AFAIK you can't make a website on SquareSpace and download it to your computer, edit it locally and move it to a different host, etc.
In the past there were actual WYSIWYG editors which let you design your website or CMS theme and then do whatever you wished with it. Artisteer was the pinnacle of this. Then nerds took over with their command lines and Kubernetes.
Imagine if one day people decided that making and editing documents in Word was no longer possible, that they had to be hand coded and command line compiled and linted, and not mix tabs and spaces. That's what happened to website publishing. For no reason at all.
I think that's the real gap. Non-technical people don't want to learn DreamWeaver or SquareSpace's backend. They want to describe what they need and have it just work.
While large social media sites have captured lots of traffic, etc. I've had small websites for a local wargaming club, a very modest blog, etc. for decades requiring little or no technical expertise.
The idea that people who want modest websites need active agentic systems to do that is a really odd take.
Sadly they will be publishing on a web which has no human readers anymore because it’s been crowded out by 5 trillion AI slop gardening websites. And the only visitors will be other AI scraper bots.
Any actual readers will be on platforms which combat the bot spam.
People use agents to deploy sites all the time. Buying a domain is part of that if you want to build a site that's beyond a toy. Allowing agents to do a task isn't just for things you do every day – it's also for things you do rarely and need agents' help. It's not just devs using agents to perform these sort of tasks anymore.
Stripe Atlas makes it massively easier for startups to incorporate in Delaware. This is particularly hard for non-US founders. It solves a real problem. I don't think this part will be done by agents though!
If the rest of your deployment flow is via the agent, needing to switch over to a different context and open up a browser and login (or create an account) and buy the domain absolutely is a bump in the road.
I am watching people who can't code build and deploy dashboards and sites with Claude Code (desktop app - they don't use the CLI), then go cap in hand to developer friends to get it hosted on a domain (rather than some Vercel or whatever URL).
Those people absolutely want to risk letting an agent buy and set up the domain.
This is not necessarily as blindly stupid as you might think. Many of these people know that this workflow is no good for writing code that does anything serious (i.e. storing data for people, taking payments, etc.) but there are a huge number of projects that are just websites, dashboard, data visualisations, etc. with static content and public APIs (Twitter is awash with them) and domains are cheap.
A decent minority of these are even quite cool or interesting.
So a lot of people want to put their vibe-coded weekend project behind a nice domain. Why not?
Let's say they buy a first time discounted $5 domain with a $9000 renewal (could the first renewals be made contractually mandatory?), potentially some other weird terms that the agent agreed to for them.
If I was ill spirited I'd go look at how the agents try to buy and setup juicy traps to milk it as much as I can for the first wave.
I would expect the value of a domain purchase + setup handled by an agent is the highest for people that are not very technical. I'd say that a well-engineered agent will do a better job avoiding botching it than your average non-dev.
Lets remind the purpose of incorporating in Delaware is legal tax evasion, so that we don't not have pensions, health insurance or anything nice, really.
Investors usually expect that non-US founders incorporate in the US, and usually expect Delaware. There are other states that are more friendly to tax avoidance. Delaware is mostly preferred because it's a known quantity with mature regulation. Investors don't want to deal with dozens of different legal regimes, they want the one that they know about.
Uhuh. And in other places, companies are incorporating in Ireland or Luxembourg or other similar tax evasion heavens because of the "predictable legal framework" too. Lol.
The primary purpose of incorporating in Delaware is less about taxes and more that Delaware is the "Silicon Valley" of corporate law - incredible concentration of professionals, infrastructure, and intangibles. Any dispute you have will generally be handled better, faster, and cheaper by Delaware courts than they would be anywhere else. I'll quote my good friend who is a startup M&A lawyer: "I'd go so far as to say that it would be managerial malpractice to incorporate anywhere other than Delaware."
Nevada makes it much harder to sue corporate officers when they do malfeasance. Wyoming has tons of privacy perks for the officers (similar to cayman island accounts). “Perks” though also convert into signaling for the intent of the founders.
Please explain. Your comment reveals your lack of understanding of corporate law and the benefits of one state versus the other. And smart companies are going to incorporate in Texas anyway and it has nothing to do with taxes. More to do with corporate governance.
Are you sure you know what you're talking about here?
In the US, regulations on pensions, health insurance etc. are governed by the state that employees physically work in, not by the laws of the state of incorporation.
Last time (after years of doing it manually every once in a while) I just gave codex an ephemeral restricted Cloudflare API Token / key / whatever, the screenshot, and it set up all the records on its own.
> Buying a domain is not something you have to do daily to require any kind of automation.
Which is arguably unfortunate, as it nudges people towards using centralized services because they simply don't know that they have the option to register one.
For example, why not self-host a single-page party invitation site designed by an agent rather than using Facebook or Instagram?
A lot of what enabled Web 1.0 was how easy it was for an average web user to create his own website.
An average web user got far less technical since, and making a website got harder instead.
Now, if anyone could just ask an AI agent to set up a website, and get a personal page with an e-mail inbox and a domain - all reasonably secure, TLS set up, billing added as +$5 per year to the AI subscription bundle? Maybe that would help some.
Yes, this is exactly my hope too. Many hacker/cypherpunk ideas failed or never reached wide adoption because they were just too complicated for regular people: GPG/web of trust, self-hosting websites and email, having your own custom software for personal tasks…
Instead, everybody ended up using Gmail, iMessage/WhatsApp, and Facebook, and things are as centralized as they can be.
Agents could be a force in breaking that trend. Even if inference stays centralized, the artifacts agents create would not be. Basically the difference between everybody renting from one of a handful apartment building mega corps or being able to hire contractors to build your own things according to your ideas.
And just like there, it’ll probably help a lot to know a bit about how the sausage is made to not be taken advantage of. Also, many people will probably always continue to rent, which is fine. But the possibility of agent competition alone will hopefully keep centralized platforms and SaaS offerings on their toes, which is good for their users.
The problem is not website, the problem is discovery and discovery is on Instagram, TikTok, and social networks. You don't have any incentive to build a website for a regular audience. What you might do is build an audience on a social network and then try to move them to a website.
But at that point you're big enough to build it properly.
You can always follow the POSSE pattern [1] (except for platforms that actively punish links to your own site of course). That way you get both the reach and remain independent in terms of content moderation.
1980s and before - Centralized computers, thin clients & terminals
1990s - Decentralized computing - rich clients running native code locally, data lives locally, making use of the network for necessary communication (e.g. email, IM)
Present day - Entirely centralized data, compute outsourced from companies to 'Public Clouds', bloated clients running JavaScript locally, but mostly without local storage besides cached copies of data.
I suppose it might be one of those things that just oscillate in society, since neither extreme is without frustrations. And as soon as the generation most familiar with the specific downsides of either extreme steps aside, the cycle of history repeats.
Doesn’t this sum up most of the AI “innovations” we’ve seen shoveled in this bubble?
We constantly see AI thought leaders backpeddling on promises and just spouting general nonsense. Altman originally talked effusively about an era of “abundance”. An abundance of what? It’s a word salad of feel good vibes without any substance.
Sam Altman has gone from claiming AI might cure cancer to shoveling ads and the scope of AI seems to be reduced to mostly be suitable as flawed, imperfect, but mildly useful coding/automation agents that are likely subsidized beyond economic viability, but you can’t point that out because it’s the future!
I think this post needs to be put in context, for months now Cloudflare has been releasing products that allow their whole platform to be usable by agents with the main objective of enabling their customers to dynamically write code using Cloudflare, this is just another step.
For example, you can now with Artifacts and Dynamic Workers make a lovable-style SaaS where your customers ask the AI agent to write software for them, the agent can run it in sandboxes with no build step, it can version it with a git-compatible API, and now you can even have it buy a domain for the end customer or set up their own cloudflare account when they want to move to production.
I personally have no use case for creating domains via agents, but some of the other features they're releasing around this area are extremely useful and I've started to ship internal tools for my clients where they are used, like giving them their own mini claude code that only does one thing – one I shipped last week was an agentic interface for Salesforce reports that understands their domain better (and all the undocumented tech debt) than the built-in Salesforce AI does and therefore manages the context better
My biggest hesitation with these things is that there is no limit to the possible bill I may receive when the agent goes haywire. Cloudflare doesn’t see this as a problem of course.
I don't think there are a lot in the SAAS world. Usually when something quirky and new launches, readers on this website can discern something about useful intent.
Arguably Github, Slack, Twitch, TikTok were basically toys at launch with a lot of people questioning possible market fit.
But there is a difference between those products - and for example - everything that came out of the crypto blockchain scene. This new product by Cloudflare feels more in the latter camp than the former.
Slack, of course, came out of a video game company pivot. Dropbox is famous here because of that one take. The need to allow very intelligent people to be whimsical is maybe best captured by Richard Feynman spinning dinner plates at the cafeteria, which would later lead him to a Nobel Prize for it.
> Buying a domain is not something you have to do daily to require any kind of automation
I wrote a python client for dnsimple nearly 16 years ago to exactly that. If you can’t think of a reason it’s useful, you may wish to get your agent to buy a domain for some project you have asked to create.
> The reason this blog post does not come with any concrete examples how to use this enablement for useful and constructive things tells you something very important - it is a toy and they do not know who and how they will use it.
Every time I come across AI projects and AI integrations (including my previous job where I full-time worked on one), no one was able to show me concrete examples how can I use it for constructive things.
It's for founders who don't have lawyers. My co-founder and I are both developers, we used Stripe Atlas to incorporate a C-Corp due to expecting to fundraise <1 year after incorporation. Stripe Atlas generates about 200 pages of legal boilerplate documents with very sane defaults so that your corporate structure, bylaws, IP protections, director indemnity, etc. align well with investor expectations. It helps investors not have to "rules-lawyer" all your corporate records during due-diligence, because their content exactly matches YC's expectations.
-------
I said we made a C-Corp but other founders should default to LLC, which Stripe Atlas can also streamline. An LLC is superior to C-Corp in pretty much every way for any pre-raise founders who don't have an extra $2,000 to >$10,000/year they're willing to part with for higher franchise taxes, "foreign" (different state) corporation registration, CPA's, and additionally lawyers if any investments aren't YC SAFE's (e.g. not YC, Neo, or A16Z SpeedRun).
Also note that for pre-revenue C-Corps, Delaware franchise taxes are scaled against number of shares, not company revenue or # of employees, so you can save some money by forming your company with 1,000,000 shares and then file a "Unanimous action of the board of directors" to increase it to 10,000,000 just before angel/pre-seed/seed round, and potentially save a few hundred dollars on your first year franchise taxes, depending on when you incorporate and raise. But if a few hundred dollars makes a difference to you, incorporating as an LLC instead of a C-Corp is the only defensible decision.
And as always, start your taxes 3-4 months before they're due. If you want a CPA to do them (which you should if you have any revenue), you'll need to retain them way ahead of time for C-Corps. If you're filling tax forms out yourself, you'll want to start at least a month before they're due.
Yes unless you have a very very very good reason it's always best to just file a basic LLC in the state you are a resident of. Only costs a few hundred dollars at most and doesn't really complicate taxes
This is totally false, sorry. Delaware entities are the standard. Delaware corporate law is better understood than any other by a long shot. Dealing with a random non-Delaware LLC is usually a hint that your counterparty is a rube.
Huh? You got any sources on that? I’ve never heard anyone say a non-Delaware LLC is a bad idea. And most sources seem to say incorporating in your home state is usually the right call.
I guess you didn't read my comment. I said unless you have a very very good reason one of which could very well be if you plan on immediately raising VC money. Most companies don't do that and will just end up wasting a lot of time by having a foreign LLC and tons of additional tax issues they have to deal with by having a corporation.
"The minimum tax is $175.00 for corporations using the Authorized Shares method and a minimum tax of $400.00 for corporations using the Assumed Par Value Capital Method." [0]
That is the "save a few hundred dollars" I was talking about. I did get the # of shares threshold wrong, it needs to be <= 5,000.
> They're wrong about the foreign registration -- in California (and I believe most other states), you also need to register foreign LLCs.
Yes, but I was referencing that it often costs more to register a C-Corp than an LLC (depending on the state).
> They're wrong about investments -- SAFEs are very easy for corporations (no lawyers required), but they can't even be used by LLCs. You'll need to convert to a C-Corp.
Yes. Totally agree on all points. This conversion will cost roughly the same as first year taxes, but leaves the option of not doing it if you never get enough revenue to hire employees and don't get funded. And if you do get enough revenue for that, or you get funded by SAFE's, you'll have no issue affording the lawyer+CPA who can do it for you.
As for it being a bad time to deal with that headache, I generally agree. You'd probably want to do that when you reach the point that you feel ready to start fundraising.
> They're wrong about investments -- SAFEs are very easy for corporations (no lawyers required), but they can't even be used by LLCs. LLCs don't have stock, and most boilerplate documents will not work for LLCs.
I miscommunicated on this point: I meant to say if you're not getting funded by SAFE's, you'll need a lawyer, and therefore the "saving money" thing probably isn't particularly relevant and there's no issue filing as a C-Corp.
Boilerplate documents work fine for LLC, and Stripe Atlas helps with this.
> Something about passing losses from an LLC to your personal taxes being a good way to get you audited.
I'm not sure you can do that? Haven't had to deal with it personally (my LLC's were profitable in their first year) but AFAIK capitalization is usually done with post-tax money so I don't see how first-year LLC losses can reduce your personal AGI.
> Something about tax paperwork burden being roughly equal for LLC vs. C-Corp.
I was mainly trying to say that CPA's charge more for C-Corps than for LLCs.
This was such a weird mention to see in the article. Stripe Atlas is a service that helps new businesses incorporate and onboard onto Stripe/partner services with some startup credits. It's been around forever, has nothing to do with AI, and is generally a very well-respected service.
I am curious. Say, cloudflare let's Mr doofus run 4 agents from AI provider X. Those agents go on to create a pyramid scheme, prompted or not(both cases are interesting to me). The agents are running code in infrastructure owned by a third party cloud provider. The law catches up with the bots many years later after people lose a couple million. Who is at fault?
I think cloudflare is in the clear. Mr doofus could argue that the AI company allowed or enabled the crime which they otherwise wouldn't have done. Or Mr doofus could claim his prompts shouldn't have lead to that outcome and that wasn't his intent at all. Making the bots at fault, but not the AI company I guess?
> I've have personally never seen a good example where a cross vendor account provisioning actually working.
That's not what this is though, is it? In other words, isn't the (anti-)pattern you describe an argument in favor of agents setting up your accounts instead?
You can tell your agent to buy the domain at registrar x, manage DNS at y (and maybe configure DDoS protection and CDN), and host your content at z, and if the agent is good enough, you don't even need to understand the details.
You end up with individual credentials for each service, rather than a web of account relationships managed by a single "portal" SaaS.
If you want an end to end automation solution, you have to automate everything, not just high frequency tasks. It’s not acceptable to just say “oh you can automatically deploy a new site but first you have to register an account and buy a little domain”. The user command is “deploy site, right NOW”.
I remember back in the day Heroku had a huge store of integrations that you could just turn on with a click and they worked like that. You'd get a New Relic account that was tailored to dyno performance and you accessed it via your Heroku dashboard.
It became "the way" a lot of these PaaS systems operated and I'm sure the goal was to get some percentage once you increased your usage from the free tier, which makes sense for the PaaS partner.
For sure, revshare is standard on those partnerships.
Fun(ny) fact: all the companies that started out on Heroku back then are still locked into those Heroku-captive tenant accounts on those partners, because contractually, the partner is not allowed to transition such an account to direct billing. One company I've worked with has had all their infra moved off Heroku for almost a decade, but their Sendgrid account, which has hundreds of subtenants that each have custom domains configured, still can only be logged into via Heroku. They'd have to rebuild that whole thing from scratch (including make all their customers redo DNS validation) to move to a real sendgrid account.
I'm sure Heroku earns Salesforce a really healthy revenue stream based on this.
> The reason this blog post does not come with any concrete examples how to use this enablement for useful and constructive things tells you something very important - it is a toy and they do not know who and how they will use it.
I've been wondering the same thing. What would have stopped me from using a model to talk to their APIs in an autonomous way anyway? Are you going to captcha my bot from running scripts to hit your API end-points? How can you tell its not my automated scripts vs an agent vs me testing?
I'm probably very out of date here, but I thought domains weren't allowed to be purchased programmatically due to misuse, crime, fraud etc. Why is it allowed now just because of agents? This is bonkers to me.
An entire generation of non developers are being onboarded to products built for developers because of AI. Exampl: a very non technical friend has built a bunch of business automations with Claude and a few days ago he just dropped in the conversation that he is using Cloudflare. “For what?” I asked because usually Claude will recommend Cercel before Cloudflare. But in this case, it recommended Cloudflare because of the Tunnels feature. Now he is using it for a lot more than Tunnels. Mostly just lets Claude use it whenever it makes sense.
“To what end?” was the default reaction when Amazon launched S3 in mid 2000s :)
Seasoned, well trained engineers have created hundreds of thousands in billing on AWS through a simple mistakes overnight.
It's immediately reminds me of putting microtransactions into children games on mobile devices - a venue that has been thoroughly explored some 10-15 years ago.
I can't see payment and provisioning as a blocker in any scenario.
This has a potential to create a massive yet very dubious income stream for the company.
Downvoted. Stripe Atlas is a massively successful service that handles 100K+ incorporations annually. It's a key piece of Stripe's ecosystem support. You writing that you're "not sure who it's for" suggests to me that maybe you're out of your depth here as a general matter.
Yea its just you and did you generate that with AI ?
Plenty use Cloudflare to ship and this basically negates the need to automate all the logistics. Not really sure what you are rambling on about, you are just mixing totally unrelated group of tools and services to support your "yeah agentic use of cloudflare is bad: which makes no sense.
> I am also not sure who Stripe Atlas for. I am genuinely confused. It is definitely not something a developer will use.
Stripe Atlas has actually been around for quite a while, from like 2016. It's a quick start business platform for startups. HN discussion here: https://news.ycombinator.com/item?id=11166417
So correct in that it's not something intended for developers. It's intended for entrepreneurs (whether or not they are developers)
This is simply Cloudflare seeing the possibility of an infinite stream of income... these APIs are cheap to execute for them but are always tied to billing.
So, I have been doing a lot of vibe coding and making projects and got a confident grasp of the AI agent capabilities (primarily a Opus user, Claude code, and have ~10 years of full stack experience).
When I recently started a consulting agency, I found myself reaching into Cloudflare and experienced the same bottlenecks they describe.
Here's where I can see this helping again, in the future, when I know what I want and I want to quickly provision a quick digital presence:
- buy the domain
- provision and deploy to the domain, use Cloudflare as my hoster to serve my bundles (already created the site locally and have MCPs configured to handle this)
- Give it a budget, my "risk" tolerance amount, of say $50
- if something goes wrong, the ~30mins saved is worth that $50 risk (low chance of problem here)
- Yes I'm going to play with this and see if it works out, and if it does, now I can spin up startup websites for small microapps and POCs a bit faster.
LLms are an incredibly expensive way to learn that most humans are indeed unoriginal. So armed with an LLM.. yeah great things arent coming out are they.
But at the same time they can't be displaced on a whim either lol.
About goddamn time. The recent past consisted of discord blocking me because their telemetry was broken and exceeded their rate limit and target blocking me because two devices in a single household look really suspicious.
This is Cloudflare. They have an extremely strong incentive to increase bot usage. If there is no bot scrapping the internet they'll be out of business.
I've been using cloudflares remote browser api to bypass their own WAFs for my scrapers for a while, their products and services have been wildly contradictory for a while.
I literally hate it every time I try to visit a website and face Cloudflare bot verification. And now, they’re letting bots create accounts and buy domains. Double-standard hypocrisy.
It's not as simple as being pro- or anti-bot. It's about giving site owners the tools to decide whether or not they want to allow them. Seems pretty consistent to me. If they don't want bots, they can use tools to identify and block them. If they do, they can do things like automatically deliver markdown versions to them, or use x402 to charge micropayments.
Disclaimer: I work at Cloudflare, but not on these
A few months back I was building a product and wanted to add domains. My first choice would have been to use Cloudflare as the registrar, but they didn't support buying domains via the API.
I wonder if this means I can now also buy a domain via the API?
I recently started migrating my DNS to a DNSSEC-enabled provider.
This involves copy-pasting DNSSEC properties from one web interface into another.
Pretty much everything but this step has been automated in my website creation process: Picking a git template for my site, creating the git repository remotely on my self-hosted Forgejo, setting up the webserver and the DNS using external-dns. Only the domain creation and initial pointing of NS and DNSSEC records is something I sit and do.
I'm not willing to switch to Cloudflare for this feature.
This might hurt the ones like vercel etc... or even smaller hosting services like tiiny etc...
I don't get the spammer thing? You'll still need to verify your identity, as the whole thing uses stripe? So I don't get all the hate...
I prefer to delegate as much as possible to AI services once I have a mature process that is easy to validate. Buying a domain name feels pretty mature to me etc, so I don't get where all the hate is coming from?
(Maybe I'm way to deep in the whole AI/Jack Dorsey/Block model?)
They can doesn't mean they should. Letting an unsupervised agent register domains and build websites exposed to the public is yet another recipe for a disaster waiting to happen.
This is an API. They now allow users to create accounts, buy domains and deploy from their api instead of going on the website. That's great. I am not sure I understand why all this complex protocol is needed though, especially now that you can generate a cli with a prompt.
I meant a cli is essentially a wrapper around an API, you are right it is less complex than a direct call. My point was that now there is an API you can call with this CLI, or a cli you vibecode yourself to call the API or you can call the API directly. Where before you probably could not create an account without going on the website manually. They now have a programming interface to more features of their services. But their cli still feel too complex with the stripe protocol integration. As said in other comments, I probably only want to create an account and register a domain every once in a while so a simpler cli that just wraps the api call would be better.
The whole backbone of pedomericas so-called tech industry is nothing but an advanced advertising operation designed to shovel ad many ads down the worlds throat. I am happy to see that pedomericans now have an additional tool in their toolbox to shovel more efficiently. Congratulations retards
They can do that now? I did that with agents since last summer. They also helped me set up aws and azure. It is such a pleasure to not having to read about their stupid platforms. What a security group is, what a vps is, what an eni and what a gateway is blah blah I just give the agent specs and access lists, then check it and it all just works.
> I wonder what it means for an agent to “agree” to terms of service
It's already not clear what it means for humans to do it, but it doesn't prevent every single service from asking it. At least an AI has a chance to ingest it all.
I don't understand the pessimism here. You never know the use cases for quickly and automatically rotating domains. There have always been bots, spammers and scammers. I'm interested to see what people build with this.
AI agent calls a human on their phone (even engage in an email chain), whilst talking to the human they analyse the likelyhood of diffferent fraud vectors, and choose the most likely one to work on this particular victim. Whilst keeping the human talking in chit chat to raise their confidence levels, in the background it buys a domain which fits the users fraud profile, and quickly makes a basic website on it. Maybe its a fake login page, maybe it just hosts malware, who knows at this point. The agent then emails the user from a mailbox on the new domain which directs the user to the new domain and commits the fraud. The email from the domain ties up with what the agent is saying on the phone, so it all looks legit to the human.
Immediately after the call it deletes the website, directs the new domains dns to blackhole and discards it from its posession.
This is all possible right now. I am also interested to see what is built with this technology in the future, but interested in a very worried way.
This is the OAuth moment for agents. Identity attestation + scoped payment token + provisioned account in one call. Standard's forming faster than people think.
I'd be interested in how this could be used. The $100 cap is the right shape of mitigation in terms of guardrails. Buying a domain is irreversible but has a price tag, so you can deterministically bound how irreversible it gets.
This feels less like a major AI milestone and more like "the raccoons learned how to open the cooler.”
Agents can now participate in the oldest internet tradition: impulsively creating weird little websites at 2 am with unjustified confidence. But with no alcohol involved, which removes 93.74% of the impressiveness.
In a sense, AI has finally progressed to the point where Drew Curtis started fark.com, and I'm hesitant to label that a 'milestone'.
This is good for spammers and bots. They can automate creating websites, pay Cloudflare. Others pay Cloudflare to protect them from spammers and bots (and misidentified humans)
The more chaos on the Internet, the more Cloudflare earns. It is a horrible company.
They are still losing money unlike Akamai, so there is hope they go bankrupt.
Infrastructure provisioning is a key ingredient of agentic AI viruses: https://www.ericburel.tech/blog/ai-virus-agent
This may be the first steps of the worst wave of spamming campaign ever seen on the Internet. We'll need to reinvent how we connect and communicate via computers.
I got early access to Stripe Projects, the initialization didn't work very well. I emailed Rami (the lead of the Projects team) two weeks ago and he put his team on it. I waited for 5ish days and asked composer 2 to diagnose, it found the problem and let me know. I sent it to Rami and haven't really heard back any real progress on the bug after some follow up requests. Haven't tried it since though, might've been fixed.
Edit: composer 2 found a way to fix the initialization by setting an environment variable and it worked after doing that, but the docs didn't say to set the variable and Rami didn't know I should do that, so it is a bug
Wow, the amount of reactionary doomsaying in this thread is offputting. I built the Stripe Projects agentic provisioning integration (what this post is about) at Inngest and when I saw it actually work in action I thought it was actually kind of magical. Basically, hey agent, use my stripe account to provision a pro plan at Inngest, build me an app and deploy it. The agent does it and logs me into the Inngest dashboard. Agentic provisioning seems inevitable given the way we work now, and deferring to Stripe for kyc seems a reasonable way to do it.
As someone not well versed in these topics, would you mind helping me understand how this is different than an MCP for your onboarding & account provisioning APIs.
It's provisioning expressed as an API, but wrapped in a cli that agents can very easily use. Then anyone that implements the API is added to a marketplace of services. And the ability to pay for service is baked in because it's stripe. The end result is that as an engineer I can ask an agent to use the stripe cli to discover and provision, including paying for, a wide variety of services and it mostly just works.
I'm no expert. But I think it's the same thing that makes it easier to use for humans. So, `stripe projects --help` and then `stripe projects catalog` is super easy for me to grok and use versus reading some api docs and curling some endpoints.
Is it expressed as an API though? Does Stripe Projects have a documented public API? Also isn't the payments for this involve manually entering payment/card info (meaning it could theoretically be done a dozen different ways which do not require Stripe)?
In theory, this is a cool idea, but in practice I think this being done through a proprietary, locked-in Stripe product, is going to ultimately hinder adoption.
The security implications here are also concerning - from what I can tell - Stripe seems to have access to all of the keys/credentials for third party accounts/resources provisioned via Stripe Projects.
So stripe has centralized control over payments, KYC, credentials/keys (full lifecycle, not just storage), the provider marketplace, and even over the availability/reliability of anything built with on top of Stripe Projects (since now your credential/key lifecycle has Stripe on the hot path).
This is like a more janky/less reliable loveable, without the handrails, and with a mere illusion of less lock-in.
Imo, this kind of thing will only work long-term as an open protocol without Stripe lock-in, and I know certain people/companies are already working in this direction.
I asked them and they said the plan is to make the spec public. I'll leave it up to them to say when that will happen. I'll say the spec is pretty flexible/configurable. You can swap our payment providers, it does not have to be stripe. And you can configure who does kyc and you can do that yourself.
Cannot unsee it that in their own video demonstration they prompt the agent to deploy to domain name of "superseal.club" and agent grabs superseal.cc instead.
Is it possible to block the agents from deleting domains? I’m comfortable with the risks of everything else, but I don’t want to give ai unfettered access to my cloudflare accounts because I don’t want to give it the ability to remove or delete domains.
Cloudflare seems to be on a streak, boasting about new capabilities that are only useful for mass spam. When can we start blocking them for deliberately harboring spam?
While I don't necessarily disagree with a lot of the skepticism and negative sentiment around this, it's worth noting this _does_ require having a Stripe account, which (last I was aware) does require that you prove you're a real person and provide banking details, at least in order to transact in production. That will certainly limit the use of a lot of spammers, scammers, etc. no? Or, maybe I'm misreading and/or being naive!
Note: I am a CloudFlare customer, but on a very low plan and probably have no use for this.
Overall I feel like lot of HN accounts are using AI to generate comments, I already found several on this thread alone. Not sure what the hate is for cloudflare is tbh. I already buy domains automatically but cloudflare has been shipping a lot lately nd this is a great add-on.
The infrastructure for agents to act is scaling way faster than the infrastructure for anyone to verify what they did. We don't let humans open bank accounts without audit trails. Agents autonomously creating accounts and deploying to production should have at least the same bar.
I recently tried buying a domain in cloudflare, they refused the payment -- even using my account which I use actively for years -- tried to pay with paypal, no luck. Went to porkbun and bought the same domain in 5 minutes and pointed it to cloudflare name server.
Maybe they should fix the regular flow before automating it with agents?
What are the practical, legitimate use cases for buying domains at scale? I really can't think of a single one. I can however think of quite a few nefarious ones.
I have to stop myself from appending "autonomous" any time I read agents.
Cursor and Claude Code are also agents, and making it easier to run these operations from those interfaces assuming some margin of error is ok is a genuinely useful feature.
Trivial for the spammers that need this service to build this, surely they already have.. this agentic hype cycle is way more annoying than NFTs/Crypto, which I thought was impossible.
arjie | 10 days ago
joemazerino | 10 days ago
floodfx | 10 days ago
This looks interesting nonetheless.
saneshark | 10 days ago
Waterluvian | 10 days ago
threethirtytwo | 10 days ago
The agent does everything. “Make a website that does…“ and it can handle everything from start to finish. It’s that good now.
SpicyLemonZest | 10 days ago
fragmede | 10 days ago
SpicyLemonZest | 10 days ago
I suppose it's possible that someone's just running a charity Wordpress-like operation for their friends who all want websites.
threethirtytwo | 9 days ago
In the middle of the interview there was a bug where our sessions no longer synced. So that’s a downside. But before that the interview was perfect.
saneshark | 10 days ago
I’m not trying to shamelessly promote here but since you asked one of them is at jobwiz.biz
fragmede | 10 days ago
hhh | 10 days ago
saneshark | 10 days ago
beta.jobwiz.biz
jackconsidine | 10 days ago
> This account is in violation of Cloudflare's Terms of Service. Specifically fraud. The suspension is permanent.
(Yes that’s really it. Sincerely. No “but I also abused X”)
captn3m0 | 10 days ago
CloudFlare ToS has you covered. A human must accept it, even with the new agentic flow.
jasomill | 10 days ago
pocksuppet | 10 days ago
itsafarqueue | 10 days ago
noprocrasted | 10 days ago
nojs | 10 days ago
janalsncm | 10 days ago
Gigachad | 10 days ago
e40 | 10 days ago
ethagnawl | 10 days ago
So, if you're looking for me, I'll be hiking while it's still legal.
itsafarqueue | 10 days ago
ethagnawl | 10 days ago
boothby | 10 days ago
And before anybody replies: no, I don't mean "and puppy." They're just not as cute.
datsci_est_2015 | 10 days ago
The catalyst is probably the consent of payment processors, if I had to speculate.
w10-1 | 10 days ago
cynicalsecurity | 10 days ago
scotty79 | 10 days ago
neonnoodle | 9 days ago
armanj | 10 days ago
good luck
c-linkage | 10 days ago
throwup238 | 10 days ago
silcoon | 10 days ago
Let’s automate this end to end, from idea to raising capitals. Vibe Angels should just be multi agents managing how much capitals to allocate to each projects.
zbentley | 10 days ago
loganc2342 | 10 days ago
owenpalmer | 10 days ago
jakebasile | 10 days ago
Also, when an agent sets up a domain, who is the domain owner? Who responds to takedown requests? What if it then decides to host illegal content at the domain (generated or otherwise). Who is responsible? Agents aren't (yet) legal persons, so it must be the person who owns the agent, but if that person never even sees the legal agreement being agreed to how would it hold up in court? If the person didn't direct the creation or hosting of illegal content, what then?
idank | 10 days ago
And it's not like pro agent companies have a reason to self regulate. They're not going to absorb that liability voluntarily, they'll push it onto users contractually (most of them already do). This is just another channel to bring in customers. They will capitalize ruthlessly to increase their bottom line.
zelon88 | 10 days ago
Good thing the fraud is committed in places that specifically don't prosecute fraud when it's targeted against Western countries.
skeptic_ai | 10 days ago
14 | 10 days ago
swader999 | 10 days ago
faangguyindia | 10 days ago
Basically, now it's trivial for any new devops guy to run such a query in Claude Code:
“Log in to this production server, find out all services it runs and their deployment method, create documentation about everything, and generate a repeatable, auditable deployment workflow.”
Devops and sysadmins can no longer withhold information to maintain job security.
Boom, 80% of the team gone.
I know companies are doing migrations of production Postgres and MySQL on 1000s of machines using AI agents.
I’m imagining how many SaaS will be automated out and simply be an "agent skill" in ClaudeCode.
zbentley | 10 days ago
I can't imagine this is very prevalent. That's a very 2004-style corporate immaturity; I get the sense that even the slow-moving behemoths of the software world have mostly caught up to, say ... 2017's recognition of the importance of automation and reproducibility and won't tolerate the kind of malpractice you describe--wilful information siloing by infrastructure teams.
Like, those businesses might well suck at automation! But they've been doing it and firing the people who resist it for a long while now.
bakugo | 10 days ago
otterley | 10 days ago
faangguyindia | 10 days ago
otterley | 10 days ago
vatsachak | 10 days ago
wartywhoa23 | 10 days ago
lionkor | 10 days ago
I found that, without that, Claude makes too many critical mistakes.
zelphirkalt | 10 days ago
devilsdata | 9 days ago
aleksiy123 | 10 days ago
But jokes aside having a central place to manage billing and accounts for deploying infra across multiple providers is pretty awesome imo.
if they have a terraform provider even better. I wonder if also makes multi tenant architectures or environment isolation easier to provision as well.
skeptic_ai | 10 days ago
slopinthebag | 10 days ago
hboon | 10 days ago
firefoxd | 10 days ago
While they are on the phone with the agent, it buys a domain relevant to the victim, the agent codes and deploy the website specially catered to them and the fraud bucket. Collect payment, destroy the website, redirect the domain to google.com. no need to start a new call because you had several agents committing the same fraud in parallel.
It can also be used to make art.
iugtmkbdfil834 | 10 days ago
What I saw was Transmetropolitan setup, where Hole renews their presence online every 5 minutes or so to avoid government censor.
lxgr | 10 days ago
iugtmkbdfil834 | 10 days ago
pavel_lishin | 10 days ago
Mario9382 | 10 days ago
Gigachad | 10 days ago
The banking system will become increasingly fraud resilient with better real time detection of fraud.
Your phone may even have its own AI on your side listening in on the call and sounding the alarm when a number from Nigeria starts using an AI voice pretending to be your son.
corentin88 | 10 days ago
Gigachad | 10 days ago
trinix912 | 10 days ago
Gigachad | 10 days ago
Phone numbers in Australia are also all tied to ID. If there is a will to fix the system, it can be done.
ButlerianJihad | 10 days ago
nerdsniper | 9 days ago
As a result, it's very difficult for me to use a lot of Chinese websites and it's a pretty sizable barrier to hardware development when Chinese citizens can just download the relevant datasheet off some Chinese forum in 5 minutes, but I have to sign NDA's with western companies or figure out how to WeChat a Chinese OEM to send me their datasheets.
Gigachad | 9 days ago
pavel_lishin | 10 days ago
We've had phone fraud for decades, and the system has dragged its heels forever. I genuinely don't know if even this will be enough to address phone spam.
duped | 10 days ago
ectospheno | 10 days ago
TheSoftwareGuy | 10 days ago
I feel like it should be easy for the postal inspectors or to go after these, if they cared. Just gather up some of these letters from someone who just bought a house (seems to be public record when someone buys a house, that's how the scammers know when to target someone). Then just call the number in the letter, trace the call and arrest whoever is there.
yieldcrv | 9 days ago
Instead of extrapolating only from reported fraud by victims
rvz | 10 days ago
Soft scammers, fraudsters and defamers are celebrating in copying websites for malicious intent.
For sure this is going to get abused.
stevefan1999 | 10 days ago
caymanjim | 10 days ago
forsalebypwner | 10 days ago
Their name doesn't appear in the first 6 pages (~175 TLDs) of this list https://tldes.com/cheapest-domains
On renewals they appear much more competitive though.
faangguyindia | 10 days ago
You can have a zero-cost inbox.
Earlier, I was using Zoho and FastMail (however you dice it, it will use some money, $12 a year for Zoho and $7 per month for FastMail? Even then, perhaps you only get one mailbox and some aliases)
but with this method, I get unlimited aliases, domains, and mailboxes:
Now, I wrote a script which captures the email and saves attachments to S3 using the HTTP API (why S3 and not R2? Because Cloudflare wanted a credit card, and I was too lazy to add it there lol) and emails to D1.
This uses an email -> webworker workflow.
I use an API to fetch my emails.
This means all my inbound emails are now handled by Cloudflare, and I can easily use all of it with zero payment.
The best part is this supports tokenised emails, so I can provide a unique email address to each service I sign up for.
I am using SES as the sender. I’ve set up one script which auto-sets up any domain in SES and auto-verifies the sender email.
The funniest thing is I am receiving zero spam? As if other email providers sell my email?
twothumbsup | 10 days ago
dewey | 10 days ago
faangguyindia | 10 days ago
weird-eye-issue | 10 days ago
faangguyindia | 10 days ago
weird-eye-issue | 10 days ago
selcuka | 10 days ago
It's hyperscalable and highly available today, until the API changes.
dewey | 10 days ago
I'll stick to Fastmail, where if something isn't working as expected I can just email them and get a response from a real human.
tietjens | 10 days ago
fragmede | 10 days ago
faangguyindia | 10 days ago
you can write an api to imap adapter and use it in your favourite mail client
SES exposes SMPT directly.
twostorytower | 10 days ago
faangguyindia | 10 days ago
sim04ful | 10 days ago
swyx | 10 days ago
also share your scripts pls?
dakolli | 9 days ago
readitalready | 10 days ago
trick-or-treat | 10 days ago
DeathArrow | 10 days ago
Why didn't Amazon think of that?
zelon88 | 10 days ago
unglaublich | 10 days ago
zelon88 | 10 days ago
For example, in 2024 JPMorgan received a $77m subsidy to build a datacenter that created only one permanent job.
https://nysfocus.com/2026/04/20/data-center-tax-break-jpmorg...
charcircuit | 10 days ago
tomhow | 10 days ago
schpet | 10 days ago
hedayet | 10 days ago
sovenyr | 10 days ago
Phelinofist | 10 days ago
_pdp_ | 10 days ago
It is cool feature but to what end? Buying a domain is not something you have to do daily to require any kind of automation.
I am also not sure who Stripe Atlas for. I am genuinely confused. It is definitely not something a developer will use.
I understand that you can bootstrap a number of systems but that is like half-hour of work and arguably it is probably a good idea to do it manually to make sure you have strong foundations.
I've have personally never seen a good example where a cross vendor account provisioning actually working. For example, Fly.io used to provision Sentry accounts automatically which you could not access in any other way but through Fly.io. I mean the Sentry account was effectively locked to a project that you cannot transfer - hijacking the actual global alias as well. Vercel did something similar with PostgreSQL via Neon and Redis via Upstash resulting in painful migration processes.
I can imagine ending in some kind of deadlock between services due to security hence why the 30 minutes initial setup is kind of time well spent to avoid future issues.
Maybe it's me.
cromka | 10 days ago
Sorry, but no, you totally miss the fact there are domain farms which buy the dropped domains and then offer them up for sale. Bots now use AI to analyze the domain's value and automate the whole process. To be able to let AI buy it as well likely offers a tremendous amount of time saving.
misnome | 10 days ago
I guess this, lowers the barrier to entry for this extremely specific niche?
przmk | 10 days ago
estimator7292 | 10 days ago
adventured | 10 days ago
What cut are you talking about?
pocksuppet | 10 days ago
2000UltraDeluxe | 10 days ago
fontain | 10 days ago
Domain registration is already API driven and has been for decades. The most sophisticated domain name investors (or "domain farms") go as far as to own registrars directly so they have instant access to the registries. Nobody involved in domains would use Cloudflare's product because they already have and have had automations for decades.
For example, DropCatch (NameBright) own over 1,000 different registrars so that they have over 1,000 direct routes to Verisign's .com registry. GName are a new player in the space, approaching 1,000 registrars. The amount these companies spend on their registrar licensing alone is many millions of dollars[1].
Cloudflare's product adds nothing new to the world of domains. Anyone has been able to go to OpenSRS and sign up as a reseller with API access for over 20 years.
[1] The majority of ICANN's registrar revenue comes from just a few companies that own thousands of registrars collectively: https://www.iana.org/assignments/registrar-ids/registrar-ids... cmd + f "DropCatch" and "GName"
Griffinsauce | 10 days ago
dawnerd | 10 days ago
grey-area | 10 days ago
Can’t think of any other uses for this given the current state of LLM ‘agents’, though I can’t wait for the next report of something like ‘openclaw registered 1000 domains for me without asking and now cloudflare won’t refund me’.
riedel | 10 days ago
adamas | 10 days ago
2ndorderthought | 10 days ago
To me this feels irresponsible and like it's main goal is to forward autonomous cyber attacks. Which is antithetical to what they do? Maybe I am missing the legitimate use case here, but I can only see this being used for removing responsibility from crime or espionage?
Does anyone know offhand if cloudflare is a department of war contractor? I never looked into it. But this smells funny to me
Somehow the Internet needs biometrics and age verification everywhere but also chat bots can buy property there without too much thought.
kevin_thibedeau | 10 days ago
2ndorderthought | 10 days ago
tardedmeme | 9 days ago
dragonelite | 10 days ago
dwroberts | 10 days ago
They are arming spammers and scammers with these tools so you need their product to protect yourself from them
cyanydeez | 10 days ago
kingleopold | 10 days ago
like wmd's in iraq and hormuz problem now, lmao. remember how hormuz was not a problem and it was wideoy peaceful and open months ago? lol
cyanydeez | 10 days ago
goatlover | 9 days ago
fhn | 10 days ago
sshine | 10 days ago
To create records for more than one domain, you need to write a personal support email.
They say it's to raise DNSSEC awareness, but I think it's also a robot captcha.
kreco | 10 days ago
I'm not all familiar with this so I don't understand why it's not a ticket or any other non-automated action even for a single domain ?
I mean what is "the standard" that would actually allow a robot to register a domain to a DNS registry ?
impjohn | 10 days ago
mapkkk | 10 days ago
Though I guess it's still a good thing they do this? At the time I remember being mildly inconvenienced, but not enough to actually care. I just remember thinking, "How is this nonprofit going to handle all that support volume?".
sshine | 10 days ago
They replied somewhat quickly (for humans).
I had accumulated enough hope for them to wait the 25 hours it took them.
And yes, I wouldn't go this way either.
encom | 10 days ago
I've used Desec for several years now, and I'm very happy with them. Zero problems, would recommend.
Yizahi | 10 days ago
Every legit use case for LLM practically requires that human would verify the result manually, at least briefly. But spammers can enjoy skipping that step, since content was never a main priority in the first place.
2ndorderthought | 10 days ago
pixel_popping | 10 days ago
notarobot123 | 10 days ago
Spamcorp services are the future. Don't resist it, that would be futile.
jcgrillo | 10 days ago
ToucanLoucan | 10 days ago
neom | 10 days ago
ToucanLoucan | 10 days ago
No kidding.
> One fully automated business I think could exist and might be useful is apartment/condo rental.
We're starting strong on the category of businesses that generate no actual value and just scrape an amount of value out of existing transactions that would've happened anyway, i.e., rent-seeking. But good for you, you can now artificially shrink the supply of limited-availability goods in the market, then gate access to them behind a paywall, and you don't even have to do the minimal amount of actual work required to fleece strangers for part of their paycheck while creating no value.
neom | 10 days ago
jcgrillo | 10 days ago
kortilla | 9 days ago
Rent-seeking is a very specific economic term where a party inserts themselves into a transaction and takes a cut without providing anything: https://en.wikipedia.org/wiki/Rent-seeking
Being a landlord comes with significant responsibilities and even principal investment risk.
chimeracoder | 9 days ago
> Rent-seeking is a very specific economic term where a party inserts themselves into a transaction and takes a cut without providing anything: https://en.wikipedia.org/wiki/Rent-seeking
> Being a landlord comes with significant responsibilities and even principal investment risk.
Economist here. Yes, this was a correct use of the term "rent-seeking behavior". It's actually quite funny to see someone try to argue otherwise, when the name was chosen because this is, literally, the textbook example.
tardedmeme | 9 days ago
The market for real estate is basically the market for taxi medallions. It costs something to run a taxi, but there are a limited number of medallions and you can charge well over that cost because you have a medallion, which also makes the medallions very expensive. Until Uber comes along. But you can't just make an illegal apartment without land the same way you can make an illegal taxi without a medallion.
hluska | 9 days ago
I’ll sit out your little experiment because I’m not in the mood for this kind of response. But you may discover that if you turn down the venom a little, qualified people could teach you things like automated business models that are quite ethical and even the definition of rent seeking.
Have a nice day.
ToucanLoucan | 9 days ago
It's not a value judgement, it's literally rent-seeking behavior. You're seeking, to rent, property that you own, presumably for a profit. Like come on, it's what the word means.
> You also don’t seem to be aware of the definition of rent seeking but that’s an entirely different topic.
Both my command of the English language and the economist elsewhere in this thread disagree with you, but go off I guess.
> qualified people could teach you things like automated business models that are quite ethical and even the definition of rent seeking.
And yet instead of citing one you went off a tone-policing rant.
My question was quite open-ended. I genuinely didn't expect someone to come in and list the textbook example that an actual economist went on to point out was crap for the exact reason I said, truly. But that's the kind of poetic unawareness that one really can't plan for.
> Have a nice day.
I did, thanks!
justinclift | 10 days ago
I'm curious about things of this nature, where it seems like a case of "this information is important to me and I want accurate results".
But then the talk of automation seems to exclude careful human review of those results, which is needed to stop hallucinations from making their way to customers.
jensensbutton | 10 days ago
If this can be fully automated then you can just ask your own agent to do this and wouldn't need a business for it. And agents can already fill out web forms just fine.
neom | 10 days ago
skinfaxi | 10 days ago
axus | 10 days ago
pixel_popping | 10 days ago
reaperducer | 10 days ago
Considering the disaster of that AI-powered store in San Francisco, I'm skeptical that this could happen in the next wave. Or even the next ocean.
(WSJ article from a few weeks ago stated that the "AI" can't stop ordering candles, and manages the staff so poorly that sometimes there are no employees scheduled for some shifts.)
kjkjadksj | 10 days ago
grey-area | 10 days ago
pixel_popping | 9 days ago
ethin | 9 days ago
bourgoin | 9 days ago
By that token, LM-generated content which looks good at a glance but doesn’t hold up to scrutiny seems ideal for scamming. I’d speculate that in the scam content generation workflow, not only is there little penalty to skipping the verification step, but since you intend to push that step onto the target and hope the result is a false positive, subtly wrong hallucination might be not only tolerable but in fact better for its purpose than what a human could produce.
wildrhythms | 10 days ago
ttul | 10 days ago
[1] Every message sent from Amazon SES carries a "Feedback-Id" header that allows Google (and anyone else) to track the Amazon account responsible for the message. The fourth field is an opaque but stable identifier associated with your Amazon account; receivers can and do use this for rate limiting: https://aws.amazon.com/blogs/messaging-and-targeting/underst...
tardedmeme | 9 days ago
ttul | 9 days ago
kukkeliskuu | 10 days ago
PunchyHamster | 10 days ago
timacles | 10 days ago
Generate hyper personalized ads in any format! Embed them stealthily into virtually any context!
I guarantee thats all big tech is thinking about as the future of LLMs. All this coding stuff is merely a good will investment to buy them time until they can implement this
tardedmeme | 9 days ago
aftbit | 10 days ago
fckgw | 10 days ago
They buy up a bunch of .top, .shop and .xyz domains for $1 each. They spam them out in in all those "USPS tracking" spam text and Facebook fake store ads. The shelf life on these domains is a few days at best before they get shut down, now you can automate domain rotation and not have to pause your spam campaigns.
tardedmeme | 9 days ago
zuzululu | 10 days ago
neilv | 10 days ago
Buy why do this, unless you're in the business of arming both sides of a conflict?
(With a side bonus of designing a defense product in such a way that you reverse much of the ground that was gained with "HTTPS everywhere", to give you centralized cleartext access to much of the Internet traffic.)
Computer0 | 10 days ago
matt-p | 9 days ago
I guess also; something that saves me 20 minutes a few times a year is still nice.
compounding_it | 10 days ago
People making cooking websites, websites for their garden, etc usually have nowhere to go. A web app who is an agent for a customer will then deploy agents in the backend to deploy the website too.
Basically what one would do manually, you tell one agent to make another agent do it.
Meta agents are where are going it seems.
tdeck | 10 days ago
They've had WYSIWYG website builders since the late 1990s.
carlosjobim | 10 days ago
tdeck | 10 days ago
carlosjobim | 10 days ago
AFAIK you can't make a website on SquareSpace and download it to your computer, edit it locally and move it to a different host, etc.
In the past there were actual WYSIWYG editors which let you design your website or CMS theme and then do whatever you wished with it. Artisteer was the pinnacle of this. Then nerds took over with their command lines and Kubernetes.
Imagine if one day people decided that making and editing documents in Word was no longer possible, that they had to be hand coded and command line compiled and linted, and not mix tabs and spaces. That's what happened to website publishing. For no reason at all.
tdeck | 10 days ago
afxuh | 10 days ago
kukkeliskuu | 10 days ago
mook | 10 days ago
You know, I kind of miss Geocities too.
Fomite | 10 days ago
The idea that people who want modest websites need active agentic systems to do that is a really odd take.
Gigachad | 10 days ago
Any actual readers will be on platforms which combat the bot spam.
terrytys | 10 days ago
hulitu | 10 days ago
Just like it is usually used: spam and (D)DoS
ascorbic | 10 days ago
Stripe Atlas makes it massively easier for startups to incorporate in Delaware. This is particularly hard for non-US founders. It solves a real problem. I don't think this part will be done by agents though!
Disclaimer: I work at Cloudflare but not on this
makeitdouble | 10 days ago
Short of throwaway sites (spam etc) it's hard to imagine skimping time on this specific, mostly painless part.
ascorbic | 10 days ago
barnabee | 10 days ago
I am watching people who can't code build and deploy dashboards and sites with Claude Code (desktop app - they don't use the CLI), then go cap in hand to developer friends to get it hosted on a domain (rather than some Vercel or whatever URL).
Those people absolutely want to risk letting an agent buy and set up the domain.
This is not necessarily as blindly stupid as you might think. Many of these people know that this workflow is no good for writing code that does anything serious (i.e. storing data for people, taking payments, etc.) but there are a huge number of projects that are just websites, dashboard, data visualisations, etc. with static content and public APIs (Twitter is awash with them) and domains are cheap.
A decent minority of these are even quite cool or interesting.
So a lot of people want to put their vibe-coded weekend project behind a nice domain. Why not?
makeitdouble | 10 days ago
Let's say they buy a first time discounted $5 domain with a $9000 renewal (could the first renewals be made contractually mandatory?), potentially some other weird terms that the agent agreed to for them.
If I was ill spirited I'd go look at how the agents try to buy and setup juicy traps to milk it as much as I can for the first wave.
rsanek | 10 days ago
lejalv | 10 days ago
Rename to Greedware.
ascorbic | 10 days ago
jrflowers | 10 days ago
ascorbic | 10 days ago
pembrook | 10 days ago
Stop spreading populist internet bullshit.
Incorporating in Delaware is like 95% about being in a predictable legal framework for any business related dispute imaginable.
Yizahi | 10 days ago
sudofox | 10 days ago
nerdsniper | 10 days ago
dzink | 10 days ago
sam345 | 10 days ago
lxgr | 10 days ago
In the US, regulations on pensions, health insurance etc. are governed by the state that employees physically work in, not by the laws of the state of incorporation.
sshine | 10 days ago
I recently set up DNSSEC for the first time.
It really was just a bunch of copy-paste from one provider to another.
I like to understand what I'm doing, and LLMs helped greatly with that.
But it was copy-pasting screenshots into chat, so not really agentic.
ElFitz | 10 days ago
nottorp | 10 days ago
You can tell Claude to add a new condition to an if and instead it will duplicate the whole if body.
They're hoping you'll tell your "agent" to buy a domain and it will buy 30 instead.
lxgr | 10 days ago
Which is arguably unfortunate, as it nudges people towards using centralized services because they simply don't know that they have the option to register one.
For example, why not self-host a single-page party invitation site designed by an agent rather than using Facebook or Instagram?
ACCount37 | 10 days ago
An average web user got far less technical since, and making a website got harder instead.
Now, if anyone could just ask an AI agent to set up a website, and get a personal page with an e-mail inbox and a domain - all reasonably secure, TLS set up, billing added as +$5 per year to the AI subscription bundle? Maybe that would help some.
lxgr | 10 days ago
Instead, everybody ended up using Gmail, iMessage/WhatsApp, and Facebook, and things are as centralized as they can be.
Agents could be a force in breaking that trend. Even if inference stays centralized, the artifacts agents create would not be. Basically the difference between everybody renting from one of a handful apartment building mega corps or being able to hire contractors to build your own things according to your ideas.
And just like there, it’ll probably help a lot to know a bit about how the sausage is made to not be taken advantage of. Also, many people will probably always continue to rent, which is fine. But the possibility of agent competition alone will hopefully keep centralized platforms and SaaS offerings on their toes, which is good for their users.
disiplus | 10 days ago
But at that point you're big enough to build it properly.
lxgr | 10 days ago
[1] https://www.citationneeded.news/posse/
xp84 | 9 days ago
Interesting evolution:
1980s and before - Centralized computers, thin clients & terminals
1990s - Decentralized computing - rich clients running native code locally, data lives locally, making use of the network for necessary communication (e.g. email, IM)
Present day - Entirely centralized data, compute outsourced from companies to 'Public Clouds', bloated clients running JavaScript locally, but mostly without local storage besides cached copies of data.
I wonder what path the next phase will take.
lxgr | 9 days ago
Eufrat | 10 days ago
Doesn’t this sum up most of the AI “innovations” we’ve seen shoveled in this bubble?
We constantly see AI thought leaders backpeddling on promises and just spouting general nonsense. Altman originally talked effusively about an era of “abundance”. An abundance of what? It’s a word salad of feel good vibes without any substance.
Sam Altman has gone from claiming AI might cure cancer to shoveling ads and the scope of AI seems to be reduced to mostly be suitable as flawed, imperfect, but mildly useful coding/automation agents that are likely subsidized beyond economic viability, but you can’t point that out because it’s the future!
mpeg | 10 days ago
For example, you can now with Artifacts and Dynamic Workers make a lovable-style SaaS where your customers ask the AI agent to write software for them, the agent can run it in sandboxes with no build step, it can version it with a git-compatible API, and now you can even have it buy a domain for the end customer or set up their own cloudflare account when they want to move to production.
I personally have no use case for creating domains via agents, but some of the other features they're releasing around this area are extremely useful and I've started to ship internal tools for my clients where they are used, like giving them their own mini claude code that only does one thing – one I shipped last week was an agentic interface for Salesforce reports that understands their domain better (and all the undocumented tech debt) than the built-in Salesforce AI does and therefore manages the context better
7thpower | 10 days ago
mpeg | 10 days ago
7thpower | 9 days ago
huijzer | 10 days ago
philipallstar | 10 days ago
brazzy | 10 days ago
input_sh | 10 days ago
frevib | 10 days ago
At enterprise level, account provisioning with SCIM is the industry standard.
barnabee | 10 days ago
We should build more toys
jeremyjh | 10 days ago
Arguably Github, Slack, Twitch, TikTok were basically toys at launch with a lot of people questioning possible market fit.
But there is a difference between those products - and for example - everything that came out of the crypto blockchain scene. This new product by Cloudflare feels more in the latter camp than the former.
fragmede | 9 days ago
aniviacat | 10 days ago
> Hey, please make me a website about my dog woofy. Give it the link myfluffywoofy.dog ;) Thank you!
nailer | 10 days ago
I wrote a python client for dnsimple nearly 16 years ago to exactly that. If you can’t think of a reason it’s useful, you may wish to get your agent to buy a domain for some project you have asked to create.
zsoltkacsandi | 10 days ago
Every time I come across AI projects and AI integrations (including my previous job where I full-time worked on one), no one was able to show me concrete examples how can I use it for constructive things.
nerdsniper | 10 days ago
It's for founders who don't have lawyers. My co-founder and I are both developers, we used Stripe Atlas to incorporate a C-Corp due to expecting to fundraise <1 year after incorporation. Stripe Atlas generates about 200 pages of legal boilerplate documents with very sane defaults so that your corporate structure, bylaws, IP protections, director indemnity, etc. align well with investor expectations. It helps investors not have to "rules-lawyer" all your corporate records during due-diligence, because their content exactly matches YC's expectations.
-------
I said we made a C-Corp but other founders should default to LLC, which Stripe Atlas can also streamline. An LLC is superior to C-Corp in pretty much every way for any pre-raise founders who don't have an extra $2,000 to >$10,000/year they're willing to part with for higher franchise taxes, "foreign" (different state) corporation registration, CPA's, and additionally lawyers if any investments aren't YC SAFE's (e.g. not YC, Neo, or A16Z SpeedRun).
Also note that for pre-revenue C-Corps, Delaware franchise taxes are scaled against number of shares, not company revenue or # of employees, so you can save some money by forming your company with 1,000,000 shares and then file a "Unanimous action of the board of directors" to increase it to 10,000,000 just before angel/pre-seed/seed round, and potentially save a few hundred dollars on your first year franchise taxes, depending on when you incorporate and raise. But if a few hundred dollars makes a difference to you, incorporating as an LLC instead of a C-Corp is the only defensible decision.
And as always, start your taxes 3-4 months before they're due. If you want a CPA to do them (which you should if you have any revenue), you'll need to retain them way ahead of time for C-Corps. If you're filling tax forms out yourself, you'll want to start at least a month before they're due.
weird-eye-issue | 10 days ago
loeber | 10 days ago
Silamoth | 10 days ago
_se | 10 days ago
abustamam | 10 days ago
weird-eye-issue | 9 days ago
nerdsniper | 9 days ago
> They're wrong about the Delaware franchise tax.
"The minimum tax is $175.00 for corporations using the Authorized Shares method and a minimum tax of $400.00 for corporations using the Assumed Par Value Capital Method." [0]
That is the "save a few hundred dollars" I was talking about. I did get the # of shares threshold wrong, it needs to be <= 5,000.
> They're wrong about the foreign registration -- in California (and I believe most other states), you also need to register foreign LLCs.
Yes, but I was referencing that it often costs more to register a C-Corp than an LLC (depending on the state).
> They're wrong about investments -- SAFEs are very easy for corporations (no lawyers required), but they can't even be used by LLCs. You'll need to convert to a C-Corp.
Yes. Totally agree on all points. This conversion will cost roughly the same as first year taxes, but leaves the option of not doing it if you never get enough revenue to hire employees and don't get funded. And if you do get enough revenue for that, or you get funded by SAFE's, you'll have no issue affording the lawyer+CPA who can do it for you.
As for it being a bad time to deal with that headache, I generally agree. You'd probably want to do that when you reach the point that you feel ready to start fundraising.
> They're wrong about investments -- SAFEs are very easy for corporations (no lawyers required), but they can't even be used by LLCs. LLCs don't have stock, and most boilerplate documents will not work for LLCs.
I miscommunicated on this point: I meant to say if you're not getting funded by SAFE's, you'll need a lawyer, and therefore the "saving money" thing probably isn't particularly relevant and there's no issue filing as a C-Corp.
Boilerplate documents work fine for LLC, and Stripe Atlas helps with this.
> Something about passing losses from an LLC to your personal taxes being a good way to get you audited.
I'm not sure you can do that? Haven't had to deal with it personally (my LLC's were profitable in their first year) but AFAIK capitalization is usually done with post-tax money so I don't see how first-year LLC losses can reduce your personal AGI.
> Something about tax paperwork burden being roughly equal for LLC vs. C-Corp.
I was mainly trying to say that CPA's charge more for C-Corps than for LLCs.
0: https://corp.delaware.gov/frtaxcalc/
konschubert | 10 days ago
But it’s worth noting that any good technology starts off being called a toy and with most people not being able to imagine its usefulness.
rrr_oh_man | 10 days ago
(Sorry for the snark, I'm hangry)
tardedmeme | 9 days ago
bjacobel | 9 days ago
dizhn | 10 days ago
rco8786 | 10 days ago
This was such a weird mention to see in the article. Stripe Atlas is a service that helps new businesses incorporate and onboard onto Stripe/partner services with some startup credits. It's been around forever, has nothing to do with AI, and is generally a very well-respected service.
21asdffdsa12 | 10 days ago
2ndorderthought | 10 days ago
I think cloudflare is in the clear. Mr doofus could argue that the AI company allowed or enabled the crime which they otherwise wouldn't have done. Or Mr doofus could claim his prompts shouldn't have lead to that outcome and that wasn't his intent at all. Making the bots at fault, but not the AI company I guess?
lxgr | 10 days ago
That's not what this is though, is it? In other words, isn't the (anti-)pattern you describe an argument in favor of agents setting up your accounts instead?
You can tell your agent to buy the domain at registrar x, manage DNS at y (and maybe configure DDoS protection and CDN), and host your content at z, and if the agent is good enough, you don't even need to understand the details.
You end up with individual credentials for each service, rather than a web of account relationships managed by a single "portal" SaaS.
deadbabe | 10 days ago
If you want an end to end automation solution, you have to automate everything, not just high frequency tasks. It’s not acceptable to just say “oh you can automatically deploy a new site but first you have to register an account and buy a little domain”. The user command is “deploy site, right NOW”.
brightball | 10 days ago
It became "the way" a lot of these PaaS systems operated and I'm sure the goal was to get some percentage once you increased your usage from the free tier, which makes sense for the PaaS partner.
xp84 | 9 days ago
For sure, revshare is standard on those partnerships.
Fun(ny) fact: all the companies that started out on Heroku back then are still locked into those Heroku-captive tenant accounts on those partners, because contractually, the partner is not allowed to transition such an account to direct billing. One company I've worked with has had all their infra moved off Heroku for almost a decade, but their Sendgrid account, which has hundreds of subtenants that each have custom domains configured, still can only be logged into via Heroku. They'd have to rebuild that whole thing from scratch (including make all their customers redo DNS validation) to move to a real sendgrid account.
I'm sure Heroku earns Salesforce a really healthy revenue stream based on this.
giancarlostoro | 10 days ago
I've been wondering the same thing. What would have stopped me from using a model to talk to their APIs in an autonomous way anyway? Are you going to captcha my bot from running scripts to hit your API end-points? How can you tell its not my automated scripts vs an agent vs me testing?
smrtinsert | 10 days ago
zaidf | 10 days ago
“To what end?” was the default reaction when Amazon launched S3 in mid 2000s :)
zeroq | 10 days ago
Seasoned, well trained engineers have created hundreds of thousands in billing on AWS through a simple mistakes overnight.
It's immediately reminds me of putting microtransactions into children games on mobile devices - a venue that has been thoroughly explored some 10-15 years ago.
I can't see payment and provisioning as a blocker in any scenario.
This has a potential to create a massive yet very dubious income stream for the company.
loeber | 10 days ago
Jyaif | 10 days ago
zuzululu | 10 days ago
Plenty use Cloudflare to ship and this basically negates the need to automate all the logistics. Not really sure what you are rambling on about, you are just mixing totally unrelated group of tools and services to support your "yeah agentic use of cloudflare is bad: which makes no sense.
abustamam | 10 days ago
Stripe Atlas has actually been around for quite a while, from like 2016. It's a quick start business platform for startups. HN discussion here: https://news.ycombinator.com/item?id=11166417
So correct in that it's not something intended for developers. It's intended for entrepreneurs (whether or not they are developers)
j45 | 10 days ago
It’s already been possible for a very long time to do all these steps via api, using Cloudflare and/or other domain registrars.
The manual steps you take is what you do, and the sequencing you learn is critical as it might not be simply from start to finish.
It can be simplified as a sequenced bash script using clis across all the services.
tremon | 9 days ago
mannanj | 9 days ago
When I recently started a consulting agency, I found myself reaching into Cloudflare and experienced the same bottlenecks they describe.
Here's where I can see this helping again, in the future, when I know what I want and I want to quickly provision a quick digital presence:
- buy the domain
- provision and deploy to the domain, use Cloudflare as my hoster to serve my bundles (already created the site locally and have MCPs configured to handle this)
- Give it a budget, my "risk" tolerance amount, of say $50
- if something goes wrong, the ~30mins saved is worth that $50 risk (low chance of problem here)
- Yes I'm going to play with this and see if it works out, and if it does, now I can spin up startup websites for small microapps and POCs a bit faster.
23rf | 9 days ago
But at the same time they can't be displaced on a whim either lol.
Capitalists punching the air rn.
snihalani | 9 days ago
baalimago | 10 days ago
debarshri | 10 days ago
charcircuit | 10 days ago
dgan | 10 days ago
hansvm | 10 days ago
skybrian | 10 days ago
raincole | 10 days ago
zymhan | 9 days ago
dakolli | 9 days ago
dr_dshiv | 10 days ago
yanis_t | 10 days ago
ascorbic | 10 days ago
eptityri | 10 days ago
ascorbic | 10 days ago
Disclaimer: I work at Cloudflare, but not on these
dirkc | 10 days ago
I wonder if this means I can now also buy a domain via the API?
*update* - seems so, but with some limitations: https://developers.cloudflare.com/registrar/registrar-api/#b...
shevy-java | 10 days ago
sshine | 10 days ago
This involves copy-pasting DNSSEC properties from one web interface into another.
Pretty much everything but this step has been automated in my website creation process: Picking a git template for my site, creating the git repository remotely on my self-hosted Forgejo, setting up the webserver and the DNS using external-dns. Only the domain creation and initial pointing of NS and DNSSEC records is something I sit and do.
I'm not willing to switch to Cloudflare for this feature.
But it reminds me there's more to automate.
ToJans | 10 days ago
I don't get the spammer thing? You'll still need to verify your identity, as the whole thing uses stripe? So I don't get all the hate...
I prefer to delegate as much as possible to AI services once I have a mature process that is easy to validate. Buying a domain name feels pretty mature to me etc, so I don't get where all the hate is coming from?
(Maybe I'm way to deep in the whole AI/Jack Dorsey/Block model?)
Fragoel2 | 10 days ago
hansmayer | 10 days ago
Ylpertnodi | 10 days ago
awei | 10 days ago
lionkor | 10 days ago
"POST /some/api"
to?
awei | 10 days ago
tietjens | 10 days ago
wjekkekene | 10 days ago
wild_pointer | 10 days ago
elAhmo | 10 days ago
nurettin | 10 days ago
archargelod | 10 days ago
hleszek | 10 days ago
efitz | 10 days ago
It’s a straightforward technical problem to wrap an API or MCP or something around the “create an account” function.
But what will a court do when the agent creates a million accounts, mines bitcoin for a month, and then cannot or will not pay?
palata | 10 days ago
It's already not clear what it means for humans to do it, but it doesn't prevent every single service from asking it. At least an AI has a chance to ingest it all.
lijok | 10 days ago
bojangleslover | 10 days ago
M95D | 10 days ago
alt227 | 10 days ago
AI agent calls a human on their phone (even engage in an email chain), whilst talking to the human they analyse the likelyhood of diffferent fraud vectors, and choose the most likely one to work on this particular victim. Whilst keeping the human talking in chit chat to raise their confidence levels, in the background it buys a domain which fits the users fraud profile, and quickly makes a basic website on it. Maybe its a fake login page, maybe it just hosts malware, who knows at this point. The agent then emails the user from a mailbox on the new domain which directs the user to the new domain and commits the fraud. The email from the domain ties up with what the agent is saying on the phone, so it all looks legit to the human. Immediately after the call it deletes the website, directs the new domains dns to blackhole and discards it from its posession.
This is all possible right now. I am also interested to see what is built with this technology in the future, but interested in a very worried way.
gregjw | 10 days ago
NikolaosC | 10 days ago
laurentiurad | 10 days ago
oatlgr | 10 days ago
khalic | 10 days ago
bandrami | 10 days ago
swingboy | 10 days ago
jwpapi | 10 days ago
ivolimmen | 10 days ago
mkovach | 10 days ago
Agents can now participate in the oldest internet tradition: impulsively creating weird little websites at 2 am with unjustified confidence. But with no alcohol involved, which removes 93.74% of the impressiveness.
In a sense, AI has finally progressed to the point where Drew Curtis started fark.com, and I'm hesitant to label that a 'milestone'.
10289437ah | 10 days ago
The more chaos on the Internet, the more Cloudflare earns. It is a horrible company.
They are still losing money unlike Akamai, so there is hope they go bankrupt.
eric-burel | 10 days ago
cedws | 10 days ago
SpyCoder77 | 10 days ago
Edit: composer 2 found a way to fix the initialization by setting an environment variable and it worked after doing that, but the docs didn't say to set the variable and Rami didn't know I should do that, so it is a bug
jacobheric | 10 days ago
tiffanyh | 10 days ago
jacobheric | 10 days ago
tiffanyh | 10 days ago
Sorry if this is a naive question.
jacobheric | 10 days ago
xena | 10 days ago
tiffanyh | 10 days ago
aleqs | 9 days ago
In theory, this is a cool idea, but in practice I think this being done through a proprietary, locked-in Stripe product, is going to ultimately hinder adoption.
The security implications here are also concerning - from what I can tell - Stripe seems to have access to all of the keys/credentials for third party accounts/resources provisioned via Stripe Projects.
So stripe has centralized control over payments, KYC, credentials/keys (full lifecycle, not just storage), the provider marketplace, and even over the availability/reliability of anything built with on top of Stripe Projects (since now your credential/key lifecycle has Stripe on the hot path).
This is like a more janky/less reliable loveable, without the handrails, and with a mere illusion of less lock-in.
Imo, this kind of thing will only work long-term as an open protocol without Stripe lock-in, and I know certain people/companies are already working in this direction.
jacobheric | 9 days ago
aleqs | 9 days ago
keremimo | 10 days ago
Bruh.
daft_pink | 10 days ago
creatonez | 10 days ago
ksajadi | 10 days ago
Ccecil | 10 days ago
Now they can make websites full of info to back up their misinformation.
Which will feed future generations of AI.
Finally we are back to "You can't believe everything you read online".
stormed | 10 days ago
baigy | 10 days ago
liorco555 | 10 days ago
frozenseven | 10 days ago
etothet | 10 days ago
Note: I am a CloudFlare customer, but on a very low plan and probably have no use for this.
nickdothutton | 10 days ago
[] Joke, there are no certifications.
zuzululu | 10 days ago
arian_ | 10 days ago
lugao | 9 days ago
Maybe they should fix the regular flow before automating it with agents?
cdrnsf | 9 days ago
deferredgrant | 9 days ago
cactacea | 9 days ago
What are the practical, legitimate use cases for buying domains at scale? I really can't think of a single one. I can however think of quite a few nefarious ones.
david_shi | 9 days ago
Cursor and Claude Code are also agents, and making it easier to run these operations from those interfaces assuming some margin of error is ok is a genuinely useful feature.
dakolli | 9 days ago