How routes work
- A service in the room listens on an HTTP port.
- That port is marked as
publishedin the service config. - The route maps a domain and one or more paths to that room and published port.
- When a request arrives, MeshAgent matches the route path, resolves the room and port, applies the port’s security rules, and then proxies the request to the service.
Create a route
Use a MeshAgent-managed domain such as*.meshagent.app:
- Deploy a service that exposes an HTTP endpoint and marks its port as published.
- Create a route:
- The route is ready as soon as it is created.
Mark the port as published
In your service config, the HTTP port must be marked as published:Public and private published ports
published: true makes a port routable from a route.
public controls whether that routed URL is open to the internet or protected by MeshAgent:
public: true: MeshAgent forwards requests without requiring room authentication.public: false: MeshAgent requires the caller to authenticate before the request can reach the app.- If you omit
public, the port is treated as private.
Integrated security for browser apps
For browser-based apps, use cookie validation so MeshAgent behaves like an identity-aware proxy in front of your route. This is the easiest way to publish a private app without making the app itself handle MeshAgent tokens directly.meshagent.request.validation.method: cookie on the port or on a specific endpoint. Endpoint annotations override port annotations.
With that configuration, the request flow looks like this:
- A user visits the routed URL.
- If they do not already have a valid MeshAgent IAP session for that route, MeshAgent redirects the browser to sign in.
- After sign-in, MeshAgent stores a secure, HTTP-only session cookie and retries the request through the route.
- On each request, MeshAgent validates that the session still maps to a participant token for the target room.
- If the user is not allowed in the room, the request is rejected before it reaches your app.
GET requests are redirected into the login flow automatically. Non-GET requests without a valid session are rejected until the browser has signed in.
Headers your app receives
When a request passes through cookie-based IAP, MeshAgent removes the internal__meshagent_iap cookie before forwarding the request to your app and adds trusted identity headers:
| Header | Meaning |
|---|---|
X-MESHAGENT-USER | The participant token name, typically the signed-in user’s email or display identity. |
X-MESHAGENT-API-SCOPE | The participant token API permissions, serialized as JSON. If the token has no API grant, this is {}. |
X-MESHAGENT-USER or X-MESHAGENT-API-SCOPE headers before forwarding the request, so callers cannot spoof them without actually going through MeshAgent IAP.
Queue-backed routes
Routes are not limited to proxying traffic into an HTTP app. They can also turn incoming HTTP requests into queue messages for agents or workers inside the room. This is useful when you want:- a stable public URL
- no always-on HTTP app inside the room
- an internal queue that workers can process asynchronously
meshagent.request.queue is configured on the matched port or endpoint, MeshAgent enqueues the request body instead of proxying the request to a destination app.
- A request arrives at the route.
- MeshAgent validates the caller using the configured route auth method.
- If validation succeeds, MeshAgent publishes the request body to the queue.
- MeshAgent returns
202 Accepted.
Required annotations
| Annotation | Purpose |
|---|---|
meshagent.request.queue | Queue name to publish into. |
meshagent.request.validation.method | Optional request validation method. Supported values are bearer, jwt, and cookie. |
Liveness and startup behavior
liveness is the HTTP path MeshAgent uses to decide when a published port is actually ready to serve traffic.
liveness URL and waits for it to return 2xx. Once the service is live, MeshAgent retries the original request.
This matters during startup, cold starts, and restarts:
- With a liveness URL, MeshAgent can wait for the app to finish booting instead of immediately failing the first request.
- Without a liveness URL, an early request is more likely to fail with a bad gateway while the process is still starting.
- Cheap to evaluate.
- Available without external user auth.
- Wired to real readiness, not just process start.
/healthz or /ready returning 200 only after the app is ready to serve the same traffic the route will send.