Skip to main content
Deploy services in MeshAgent so they are available to the projects or rooms that need them. This page covers the two main CLI paths for deployment: In MeshAgent, you can deploy fixed or templated services project-wide or to specific rooms, either as MeshAgent-managed container services or as external services that MeshAgent routes to; for more detail, see Intro to Services.

Deploy a process-based agent with meshagent process

Use meshagent process when you are deploying a process-backed agent. On this page, the two commands that matter are meshagent process deploy and meshagent process spec.

Deploy directly with meshagent process deploy

bash
meshagent process deploy \
  --service-name my-chatbot \
  --agent-name my-chatbot \
  --channel chat \
  --require-web-search \
  --require-storage \
  --room myroom
meshagent process deploy is the fastest path when the CLI flags already describe the agent you want. MeshAgent generates the starting service manifest for you and deploys it immediately, so you do not need to write the manifest yourself first. Use this when:
  • the built-in CLI flags already describe the agent you want
  • you do not need to inspect the manifest first
  • you want the shortest path to a room or project service
With meshagent process deploy, pass --room myroom for a room service. Omit --room to deploy the service project-wide.

Generate a starting manifest with meshagent process spec

meshagent process spec generates the starting service manifest for a process-based service but stops before deployment.
bash
meshagent process spec \
  --service-name my-chatbot \
  --agent-name my-chatbot \
  --channel chat \
  --require-web-search \
  --require-storage > meshagent.yaml

# Deploy into one room
meshagent service create --file meshagent.yaml --room myroom

# Deploy across the whole project
meshagent service create --file meshagent.yaml --global
Use this when:
  • you want MeshAgent to generate the starting service manifest for you
  • you want to review or customize it before deployment
  • you need fields that are easier to manage in the file than in CLI flags

Deploy from a manifest with meshagent service

Use meshagent service when you want to review, customize, validate, deploy, update, or delete the service manifest yourself. The examples below show three common cases:
  • a Service with a container
  • a ServiceTemplate with a container
  • a Service with an external runtime

Example 1: Service with container

Use kind: Service when the configuration is fixed at deploy time. 
kind: Service
version: v1
metadata:
  name: my-chatbot
  description: "A chatbot with web search and storage"
  annotations:
    meshagent.service.id: "my-chatbot"
agents:
  - name: my-chatbot
    description: "A helpful chatbot"
    annotations:
      meshagent.agent.type: "ChatBot"
container:
  image: "meshagent/cli:default"
  command: >-
    meshagent process join
    --agent-name my-chatbot
    --channel chat
    --require-web-search
    --require-storage
    --rule "You are a helpful assistant. Use web search to find current information and save important findings to storage."
    --room-rules "agents/my-chatbot/rules.txt"
  environment:
    - name: MESHAGENT_TOKEN
      token:
        identity: my-chatbot
  storage:
    room:
      - path: /data
        read_only: false
This example uses kind: Service with a container. MeshAgent runs the meshagent/cli:default image, and the container starts meshagent process join ... inside it. Validate and deploy it:
bash
meshagent service validate --file meshagent.yaml
meshagent service create --file meshagent.yaml --room myroom
Use --global instead of --room myroom to deploy the same manifest as a project service.

Example 2: ServiceTemplate with container

Use kind: ServiceTemplate when the manifest shape stays the same but some values should be supplied during deployment or install. 
kind: ServiceTemplate
version: v1
metadata:
  name: my-language-chatbot
  description: "A chatbot with web search and storage that responds in your chosen language"
  annotations:
    meshagent.service.id: "my-language-chatbot"
variables:
  - name: language
    description: "The language the chatbot should respond in (e.g. English, Spanish, French)"
agents:
  - name: my-language-chatbot
    description: "A helpful chatbot"
    annotations:
      meshagent.agent.type: "ChatBot"
container:
  image: "meshagent/cli:default"
  command: >-
    meshagent process join
    --agent-name my-language-chatbot
    --channel chat
    --require-web-search
    --require-storage
    --rule "You are a helpful assistant. Always respond in {{ language }}. Use web search to find current information and save important findings to storage."
    --room-rules "agents/my-language-chatbot/rules.txt"
  environment:
    - name: MESHAGENT_TOKEN
      token:
        identity: my-language-chatbot
  storage:
    room:
      - path: /data
        read_only: false
This example adds a language variable and uses {{ language }} inside the container.command. Validate and deploy it:
bash
meshagent service validate-template --file meshagent.yaml

meshagent service create-template \
  --file meshagent.yaml \
  --value language=Spanish \
  --room myroom
Use --global instead of --room myroom to deploy the rendered service project-wide. If you want to inspect the rendered YAML first, use meshagent service render-template --file meshagent.yaml --value language=Spanish.

Example 3: Service with external

Use external when MeshAgent should route to a service you already host elsewhere instead of running a container for you. 
kind: Service
version: v1
metadata:
  name: mcp-deepwiki
  description: "Expose the DeepWiki MCP server"
ports:
  - num: 443
    type: http
    endpoints:
      - path: /mcp
        mcp:
          label: "mcp-deepwiki"
          description: "MCP DeepWiki tools"
          allowed_tools:
            - tool_names: ["search", "read_page"]
              read_only: true
external:
  url: "https://mcp.deepwiki.com"
This example is a fixed Service that routes to an MCP server hosted outside MeshAgent. MeshAgent does not run the MCP server. It uses the external.url and ports.endpoints config to register that server’s tools in the room. Validate and deploy it:
bash
meshagent service validate --file mcp-service.yaml
meshagent service create --file mcp-service.yaml --room myroom
If you need installer-provided values such as a URL, label, or OAuth settings, you can use external inside a ServiceTemplate too. For a longer walkthrough, see Connect to an External MCP Server.

Manage deployed services

Use meshagent service after deployment to inspect and manage what you deployed.
bash
# List project services
meshagent service list

# List room services
meshagent service list --room myroom

# View details for one service
meshagent service show SERVICE_ID

# Update a deployed Service
meshagent service update --file meshagent.yaml --room myroom --id SERVICE_ID

# Update a deployed ServiceTemplate
meshagent service update-template --file meshagent.yaml --value key=value --room myroom --id SERVICE_ID

# Delete a deployed service
meshagent service delete SERVICE_ID --room myroom
Omit --room myroom when you are updating, listing, or deleting a project service instead.

Service configuration field reference

Top-level fields

FieldRequiredDescription
versionYesSchema version. Always v1.
kindYesService or ServiceTemplate.
metadataYesService identity and display information.
agentsNoAgent identities exposed by this service.
portsNoNetwork ports and HTTP endpoints MeshAgent can route to.
container*Container configuration. Mutually exclusive with external.
external*External service URL. Mutually exclusive with container.
variablesNoUser-provided inputs for templating. ServiceTemplate only.
* Either container or external is required, but not both.

metadata

Identifies the service and provides information displayed in the UI.
FieldTypeRequiredDescription
namestringYesUnique service name.
descriptionstringNoDescription shown in UI.
repostringNoSource code repository URL.
iconstringNoIcon or emoji for UI display.
annotationsobjectNoKey-value metadata. See Annotations.

agents

Declares the participant identities this service provides. MeshAgent uses this to route requests, apply policies, and display agents in the UI.
FieldTypeRequiredDescription
namestringYesUnique agent identity within the service.
descriptionstringNoDisplay text describing the agent.
annotationsobjectNoKey-value metadata. See Annotations.

container

Defines a container for MeshAgent to run. Fields marked are only available in Service, not ServiceTemplate.
FieldTypeRequiredDescription
imagestringYesContainer image (for example meshagent/cli:default).
commandstringNoCommand to execute when the container starts.
working_dirstringNoAbsolute working directory used when starting the container command.
environmentlistNoEnvironment variables to set in the container.
secretslistNoIDs of project keys secrets to inject as environment variables. Service only.
pull_secretstringNoProject secret ID for authenticating with a private container registry. Service only.
storageobjectNoStorage volumes to mount into the container.
api_keyobjectNoAuto-provision an admin API key and inject it into the container.
on_demandbooleanNoWhen true, the container runs only when explicitly invoked.
writable_root_fsbooleanNoAllow writes to the container’s root filesystem for the life of that container instance. Default: read-only.
privatebooleanNoAdvanced setting that keeps interactive container access private to the owning service. Default: true.

container.environment

Each entry sets an environment variable in the container. A variable can come from a literal value, a MeshAgent token, or a room secret.
FieldTypeRequiredDescription
namestringYesEnvironment variable name.
valuestringNoLiteral string value.
tokenobjectNoRequest a participant token to be generated and injected as the value.
secretobjectNoLoad a room secret for a specific identity and inject it as the value.
Use:
  • value for plain configuration
  • token for MeshAgent API access
  • secret for room-scoped credentials
token fields:
FieldTypeRequiredDescription
identitystringYesParticipant identity the token is issued for.
apiobjectNoAPI scope granted to the token. See API Scopes.
rolestringNoParticipant role (for example user, agent, or tool).
secret fields:
FieldTypeRequiredDescription
identitystringYesParticipant or service identity that owns the room secret.
idstringYesRoom secret ID to load.
This pattern is common for room services: token gives the service access to MeshAgent, while secret gives it an external credential.

container.storage

Mounts storage volumes into the container.
FieldTypeDescription
roomlistPer-room storage. Read/write by default.
projectlistProject-wide shared storage. Read-only by default.
imageslistContent from another container image. Read-only by default.
fileslistInline text content mounted as a file. Read-only by default.
empty_dirslistWritable temporary directories mounted into the container.
Room and project mount fields:
FieldTypeRequiredDescription
pathstringYesMount path inside the container.
subpathstringNoSubdirectory within the storage volume.
read_onlybooleanNoWhether the mount is read-only.
Image mount fields:
FieldTypeRequiredDescription
imagestringYesSource container image.
pathstringYesMount path inside the container.
subpathstringNoSubdirectory within the image.
read_onlybooleanNoWhether the mount is read-only.
File mount fields:
FieldTypeRequiredDescription
pathstringYesMount path inside the container.
textstringYesFile contents.
read_onlybooleanNoWhether the mount is read-only.
Empty directory mount fields:
FieldTypeRequiredDescription
pathstringYesMount path inside the container.
read_onlybooleanNoWhether the temporary directory is read-only.

container.api_key

Provisions an admin API key and injects it into the container. Service only.
FieldTypeRequiredDescription
rolestringYesAlways admin.
namestringYesName for the API key.
auto_provisionbooleanNoAutomatically provision on deployment.

external

Routes traffic to a service running outside MeshAgent. Requires ports to define how MeshAgent reaches the service.
FieldTypeRequiredDescription
urlstringYesURL where the service is running.

ports

Defines network ports the service listens on and how MeshAgent routes HTTP traffic to them.
FieldTypeRequiredDescription
num"*" or intYesPort number, or "*" for auto-assignment.
typestringNoProtocol: http or tcp.
livenessstringNoHTTP path for health checks.
endpointslistNoEndpoints served on this port.
publishedbooleanNoExpose the port to the internet.
publicbooleanNoWhen false, requests must include a participant token.
annotationsobjectNoKey-value metadata.

ports.endpoints

Each endpoint maps a URL path to either a MeshAgent-native service or an MCP server.
FieldTypeRequiredDescription
pathstringYesURL path for this endpoint.
meshagentobjectNoMeshAgent-native endpoint. Mutually exclusive with mcp.
mcpobjectNoMCP server endpoint. Mutually exclusive with meshagent.
annotationsobjectNoKey-value metadata.
meshagent endpoint
Connects the endpoint to a MeshAgent participant identity.
FieldTypeRequiredDescription
identitystringYesParticipant identity for this endpoint.
apiobjectNoAPI scope overrides. See API Scopes.
mcp endpoint
Registers an MCP server as a toolkit in the room.
FieldTypeRequiredDescription
labelstringYesToolkit display name.
descriptionstringNoDescription of what the toolkit provides.
allowed_toolslistNoFilters which tools are exposed.
headersobjectNoCustom HTTP headers to include in requests.
require_approvalstringNoalways or never.
oauthobjectNoOAuth client configuration.
openai_connector_idstringNoOpenAI connector ID.
allowed_tools entries:
FieldTypeRequiredDescription
tool_nameslistYesTool names to allow.
read_onlybooleanNoTreat the tools as read-only.
oauth fields:
FieldTypeRequiredDescription
client_idstringYesOAuth client ID.
client_secretstringNoOAuth client secret.
authorization_endpointstringYesAuthorization endpoint URL.
token_endpointstringYesToken endpoint URL.
no_pkcebooleanNoDisable PKCE (Proof Key for Code Exchange).
scopeslistNoOAuth scopes to request.

variables (ServiceTemplate only)

Defines user-provided inputs for a ServiceTemplate. Values are substituted into the YAML using {{ variable_name }} syntax. Template values are rendered into the manifest before validation, so they can be used anywhere the resulting YAML remains valid.
FieldTypeRequiredDescription
namestringYesVariable identifier. Referenced as {{ name }} in templates.
titlestringNoHuman-readable label shown in install UI.
descriptionstringNoHelp text shown in UI and Powerboards.
enumlistNoRestricts input to specific values. Displayed as a dropdown.
optionalbooleanNoWhether the variable can be left blank.
obscurebooleanNoHides the value in UI. Use for sensitive data.
typestringNoType hint (for example email).
annotationsobjectNoKey-value metadata. See Annotations.

Annotations

Annotations are key-value strings attached to services, agents, or variables. MeshAgent and Powerboards use specific annotation keys to control behavior. You can also define custom annotations.

Service annotations

Set in metadata.annotations.
KeyDescription
meshagent.service.idUnique identifier for the service.
meshagent.service.readmeURL or inline content for the service documentation.

Agent annotations

Set in agents[].annotations.
KeyDescription
meshagent.agent.typeInternal agent type metadata used by service manifests and generated specs.
meshagent.agent.widgetUI widget to display for this agent.
meshagent.agent.scheduleJSON string defining a scheduled task and its payload.
meshagent.agent.shell.commandShell command for Shell-type agents.
meshagent.agent.database.schemaDatabase schema metadata for the agent.

Variable annotations

Set in variables[].annotations.
KeyDescription
meshagent.secret.idSecret ID to create or update when Powerboards stores the value as a room secret.
meshagent.secret.identityIdentity that should own the created room secret.
meshagent.secret.nameDisplay name to use for the created room secret.
meshagent.secret.typeSecret type metadata for the stored room secret.

Event annotations

Set in agents[].annotations. Subscribe an agent to room events. The value is the name of a queue that a queue-consuming agent can process.
KeyDescription
meshagent.events.service.createdFires when a service is created in the room.
meshagent.events.service.updatedFires when a service is updated.
meshagent.events.room.user.grant.createFires when a user is added to the room.
meshagent.events.room.user.grant.deleteFires when a user is removed from the room.
meshagent.events.room.user.grant.updateFires when a user’s room grant is updated.