Remote Setup

Connecting to a production or staging site via HTTPS. Covers API key setup, IP allowlisting, HTTPS enforcement, and hybrid configuration.

Deploy the API endpoint

Copy the API endpoint file from api/promptwire-api.php in the PromptWire module to your remote ProcessWire site root (the same directory as index.php). The filename is not a secret, and every request still needs the API key, but renaming the file to something non-obvious keeps the URL from being guessable from public documentation:

scp site/modules/PromptWire/api/promptwire-api.php user@server:/var/www/html/my-pw-bridge.php

The filename can be anything you choose. The MCP server uses the full PW_REMOTE_URL value as-is, so just make sure the URL you configure matches the filename you picked.

The endpoint bootstraps ProcessWire and runs the same command router as the local CLI. All tools work identically over HTTPS. The endpoint enforces HTTPS; requests over plain HTTP are rejected with a 403 before the API key is checked.

Set your API key

Copy the example config to your remote site's site/ directory:

cp api/config-promptwire.example.php /path/to/remote-site/site/config-promptwire.php

Edit site/config-promptwire.php and set a strong random key:

<?php
define('PROMPTWIRE_API_KEY', 'your-strong-random-key-here');

Generate one with openssl rand -hex 32. This key must match the PW_REMOTE_KEY value in your local .cursor/mcp.json.

Optional: restrict by IP

For an extra layer of protection, restrict API access to your machine's public IP:

<?php
define('PROMPTWIRE_API_KEY', 'your-strong-random-key-here');
define('PROMPTWIRE_ALLOWED_IPS', '1.2.3.4');

Find your IP with curl ifconfig.me. Multiple IPs can be comma-separated.

If your IP changes regularly (mobile tethering, VPN), you can leave the allowlist disabled. API key authentication is still required for every request.

Optional: allow HTTP for local dev

If your local development server doesn't have TLS configured and you're testing remote commands against it, you can bypass HTTPS enforcement:

define('PROMPTWIRE_ALLOW_HTTP', true);

Do not set this on a public-facing server. On production, HTTPS enforcement protects the API key from being transmitted in plain text.

Configure Cursor

Add a remote server entry to .cursor/mcp.json:

{
  "mcpServers": {
    "PromptWire: My Site (Production)": {
      "command": "node",
      "args": ["/path/to/site/modules/PromptWire/mcp-server/dist/index.js"],
      "env": {
        "PW_REMOTE_URL": "https://www.example.com/my-pw-bridge.php",
        "PW_REMOTE_KEY": "your-strong-random-key-here"
      }
    }
  }
}

Replace my-pw-bridge.php with whatever you named the file on your server.

Verify the connection

In Cursor chat, ask the agent to check the remote site's health. It should return the ProcessWire version, page count, and template count from the production server.

If the connection fails, the error message will tell you why:

  • 401: API key mismatch. Check that PW_REMOTE_KEY matches the PROMPTWIRE_API_KEY defined on the server.
  • 403: Either your IP is not in the allowlist (PROMPTWIRE_ALLOWED_IPS) or the request was made over plain HTTP. The endpoint enforces HTTPS; check that your URL starts with https://.
  • 404: The API file is missing or not at the expected URL. Confirm the file exists in the site root and that PW_REMOTE_URL matches the filename you chose.
  • 500: ProcessWire or the PromptWire module failed to load on the remote server. Check that the module is installed and the CommandRouter is accessible at site/modules/PromptWire/src/Cli/CommandRouter.php.

Hybrid setup

The most useful configuration is hybrid: set both PW_PATH (local) and PW_REMOTE_URL (remote) on a single MCP server entry. Reads use the fast local CLI. Writes can target local, remote, or both.

{
  "mcpServers": {
    "PromptWire: My Site": {
      "command": "node",
      "args": ["/path/to/site/modules/PromptWire/mcp-server/dist/index.js"],
      "env": {
        "PW_PATH": "/path/to/local/processwire",
        "PW_REMOTE_URL": "https://www.example.com/my-pw-bridge.php",
        "PW_REMOTE_KEY": "your-api-key-here"
      }
    }
  }
}

When you push content or publish pages, you can specify targets: "local", "remote", or "both". If not specified, push defaults to local when PW_PATH is present.

Security considerations

The API endpoint gives authenticated callers full read/write access to your ProcessWire site. Treat the API key like a database password.

  • HTTPS is enforced by the API endpoint. If you see a 403 with no further detail, check that your PW_REMOTE_URL starts with https://. For local development without TLS, define PROMPTWIRE_ALLOW_HTTP in config-promptwire.php.
  • Keep config-promptwire.php inside the site/ directory. ProcessWire's default .htaccess blocks direct access to files in site/.
  • Use a strong, unique key per site. Do not reuse keys across projects.
  • Consider IP allowlisting if your IP is stable.
  • Do not deploy .cursor/, .pw-sync/, or site/assets/pw-mcp/ to production — these are local development directories and may contain API keys. See Security for the full list of deployment exclusions.
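
The checklist above can be run as a pre-deploy audit. The script below is an added example, not part of PromptWire; the function name, the 32-character minimum and the line-based parsing of define() are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not PromptWire code): audit a site root before deploying.
# Prints one line per finding; the return status is the number of findings.

MIN_KEY_LEN=32   # assumption: treat anything shorter as weak

_fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

audit_promptwire() {
  local root="$1" cfg="$1/site/config-promptwire.php"
  local findings=0 active key d

  if [ ! -f "$cfg" ]; then
    _fail "site/config-promptwire.php not found"
  else
    # Drop commented-out lines so a disabled define() is not reported.
    active=$(grep -Ev '^[[:space:]]*(//|#)' "$cfg" || true)
    key=$(printf '%s\n' "$active" |
      sed -n "s/.*define( *['\"]PROMPTWIRE_API_KEY['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" |
      head -n 1)
    case "$key" in
      "") _fail "PROMPTWIRE_API_KEY is not defined" ;;
      your-strong-random-key-here|your-api-key-here)
        _fail "API key is still a documentation placeholder" ;;
      *) [ "${#key}" -ge "$MIN_KEY_LEN" ] ||
           _fail "API key is shorter than $MIN_KEY_LEN characters" ;;
    esac
    if printf '%s\n' "$active" |
       grep -Eiq "PROMPTWIRE_ALLOW_HTTP['\"] *, *true"; then
      _fail "PROMPTWIRE_ALLOW_HTTP is true (API key would travel in plain text)"
    fi
  fi

  # Local development directories that may contain API keys.
  for d in .cursor .pw-sync site/assets/pw-mcp; do
    [ ! -e "$root/$d" ] || _fail "$d is present in the deploy tree"
  done
  return "$findings"
}

# Usage: audit_promptwire /path/to/deploy/tree
```

A non-zero return status can be used to stop a deploy script before any files are copied to the server.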

Next steps

  • Security — essential reading before going live. Covers API key management, IP allowlisting, deployment exclusions, and what should and shouldn't be on a production server.
  • Content Sync — the pull/push workflow for syncing content between local and remote.
  • Schema Sync — comparing and pushing field and template changes across environments.
