Two systems that extend every Bloxx site — the PWA layer turns websites into installable apps, and the MCP server lets AI assistants read, write, and deploy content programmatically.
Deploy once and your customers get a home-screen icon, offline access, push notifications, and share-sheet integration. Generated at deploy time with no runtime dependencies.
Native Android install banner plus a custom iOS Safari tooltip with scroll + idle triggers. Smart cooldown prevents prompt fatigue — configurable from 1 to 90 days.
Network-first for HTML pages with stale-while-revalidate for static assets. Precaches up to 8 pages, Bootstrap CSS, fonts, and your logo — your site works without a connection.
VAPID-based Web Push with subscription management, endpoint validation for all major browsers, and rate-limited storage. Scaffolding ready — send endpoint coming soon.
Users can share content directly to your PWA from the OS share sheet. GET-based — no backend needed. Shared data arrives as query params and fires analytics beacons.
New deploys trigger service worker updates. Users see a non-intrusive toast with a refresh button. Auto-dismisses after 30 seconds. No action needed from the site owner.
10 lifecycle events tracked via beacons — from first eligibility check through install, dismiss, update, share, and push subscription. See exactly how your app funnel performs.
Five generators read your site settings and produce all PWA artifacts as strings — manifest JSON, service worker JS, client script, and CSS. No runtime dependencies, no build step.
All configurable from Settings → Mobile App. Numeric values are clamped server-side to prevent invalid inputs.
| Setting | Default | Range | Description |
|---|---|---|---|
| pwa.enabled | true | — | Master toggle for all PWA features |
| pwa.scrollThreshold | 300 | 50 – 1000 | Pixels scrolled before iOS tooltip shows |
| pwa.idleDelay | 15 | 5 – 60 | Seconds idle before iOS tooltip shows |
| pwa.dismissCooldown | 7 | 1 – 90 | Days before dismissed prompt returns |
| pwa.ctaTextOverride | (auto) | ≤ 40 chars | Custom CTA (overrides vertical default) |
| pwa.shareTarget | false | — | Enable OS share sheet integration |
| pwa.pushEnabled | false | — | Enable push notification subscription |
The core PWA works out of the box — just deploy. Push notifications require a few extra steps.
Installs, offline, and updates. Zero config.
The PWA manifest, service worker, and client script are generated automatically at deploy time. Nothing to configure.
Go to Settings → Mobile App. Adjust scroll threshold, idle delay, and dismiss cooldown to match your audience's behavior.
Override the auto-generated CTA text or leave it blank for vertical-based defaults like "Order from" or "Book with."
Requires VAPID keys and a D1 migration.
npx web-push generate-vapid-keys
cd editor echo "YOUR_PUBLIC_KEY" | wrangler pages secret put VAPID_PUBLIC_KEY echo "YOUR_PRIVATE_KEY" | wrangler pages secret put VAPID_PRIVATE_KEY
wrangler d1 execute bloxx-db \
--file=migrations/0073_push_subscriptions.sql \
--remote
Settings → Mobile App → Enable Push Notifications → ON, then redeploy.
An 18-tool Model Context Protocol server that gives Claude, Cursor, and other AI clients full read/write/publish access to your Bloxx site — gated by API keys with granular permissions.
Read pages, inspect DOM structure, update sections by CSS selector, batch-update SEO metadata — all through structured tool calls with dry-run previews and ETag protection.
Pull AI citation health, competitor snapshots, page audits, and prioritized suggestions. Your AI assistant can diagnose problems and fix them in the same session.
Deploy all drafts or selectively push specific pages to live — with deploy locks preventing concurrent deploys from different sessions.
List collections, query items with filters and pagination, upsert with schema validation. Full headless CMS access for AI-driven content workflows.
Enqueue AI blog posts asynchronously and track job status. Integrates with the Cloudflare Queue pipeline for reliable, rate-aware generation.
Three permission tiers (read / edit / publish), SHA-256 hashed keys, 60 req/min rate limiting, full audit logging, optional key expiry, and instant revocation.
Every tool enforces permission checks, rate limits, and audit logging. Tools that modify content use ETag-based optimistic concurrency.
| Tool | Permission | Description |
|---|---|---|
content_list_pages | List pages with titles, slugs, word counts. Keyword filter + pagination. | |
content_get_page_structure | Lightweight DOM outline (~2-5KB). Use before editing. | |
content_get_page | Full HTML + SEO metadata + ETag. | |
content_update_page | Update section by CSS selector. Dry-run → apply with ETag. | |
content_revert_page | Undo last MCP edit (1-hour buffer, 1 level deep). | |
content_update_seo | Batch SEO metadata — title, description, OG tags. Up to 20 pages. |
| Tool | Permission | Description |
|---|---|---|
intel_citation_health | AI citation rate, provider breakdown, trend data, gaps, benchmarks. | |
intel_competitor_snapshot | Competitor citation comparison. Supports limit 1-10. | |
intel_page_audit | SEO + accessibility audit. Score 0-100, letter grade, issues list. | |
intel_suggestions | Prioritized improvements with ready-to-execute tool calls. |
| Tool | Permission | Description |
|---|---|---|
publish_deploy | Deploy drafts to live. Optional page_slugs for selective deploy. Deploy locks prevent conflicts. |
| Tool | Module | Permission | Description |
|---|---|---|---|
blog_generate | Blog | Enqueue blog generation (async). Returns job ID. Boss plan required. | |
blog_get_status | Blog | Check blog generation job status. | |
collections_list | Collections | List all CMS collections with schemas + item counts. | |
collections_get_items | Collections | Get items. Filter by status, paginate. Returns ETag. | |
collections_upsert_item | Collections | Create/update with schema validation + ETag protection. | |
settings_update | Settings | Update name, branding, analytics, SEO settings. |
Works with Claude Code, Claude Desktop, Cursor, and Windsurf. Stateless HTTP — no WebSocket, no SSE.
Generate a key, then configure your AI client.
In the Bloxx editor: Settings → MCP API Keys → Create Key. Choose a label and permission level (read, read+edit, or read+edit+publish). Copy the key — it's shown only once.
Add the MCP server to your AI client's config. See the code examples for Claude Code, Claude Desktop, and Cursor.
Ask your AI: "List my pages." It should call content_list_pages and return your site data.
Copy-paste into your AI client's config file.
{
"mcpServers": {
"bloxx": {
"type": "streamable-http",
"url": "https://bloxx-mcp-server.bloxx-prod.workers.dev/mcp",
"headers": {
"Authorization": "Bearer blx_sk_YOUR_KEY"
}
}
}
}
Type: HTTP URL: https://bloxx-mcp-server.bloxx-prod.workers.dev/mcp Headers: Authorization: Bearer blx_sk_YOUR_KEY
curl https://bloxx-mcp-server.bloxx-prod.workers.dev/health
# → {"ok":true,"version":"1.0.0"}
Defense-in-depth from API key hashing to service worker CORS isolation.
SHA-256 hashed storage, blx_sk_ prefix format, optional expiry, instant soft-delete revocation from the dashboard.
MCP: 60 req/min per API key with D1 bucketing. Push subscriptions: 10 req/min per IP. Both cleaned up by cron.
Every MCP tool call logged — tool name, duration, result code, input summary. 90-day retention with daily cron cleanup.
MCP edits enforce Bootstrap-only HTML — no custom CSS, inline styles, script tags, or data: URIs allowed.
Service worker uses exact-origin allowlist — not prefix matching. Blocks cross-origin fetch hijacking.
CTA text escaped via JSON.stringify. Icon paths validated against traversal. Push endpoints checked against known browser origins.