Skip to main content
Deploy services in MeshAgent so they are available to the projects or rooms that need them. This page covers the two main CLI paths for deployment: In MeshAgent, you can deploy fixed or templated services project-wide or to specific rooms, either as MeshAgent-managed container services or as external services that MeshAgent routes to; for more detail, see Intro to Services.

Deploy a process-based agent with meshagent process

Use meshagent process when you are deploying a process-backed agent. On this page, the two commands that matter are meshagent process deploy and meshagent process spec.

Deploy directly with meshagent process deploy

bash
meshagent process deploy \
  --service-name my-chatbot \
  --agent-name my-chatbot \
  --channel chat \
  --web-search \
  --storage \
  --room myroom
meshagent process deploy is the fastest path when the CLI flags already describe the agent you want. MeshAgent generates the starting service manifest for you and deploys it immediately, so you do not need to write the manifest yourself first. Use this when:
  • the built-in CLI flags already describe the agent you want
  • you do not need to inspect the manifest first
  • you want the shortest path to a room or project service
With meshagent process deploy, pass --room myroom for a room service. Omit --room to deploy the service project-wide.

Generate a starting manifest with meshagent process spec

meshagent process spec generates the starting service manifest for a process-based service but stops before deployment.
bash
meshagent process spec \
  --service-name my-chatbot \
  --agent-name my-chatbot \
  --channel chat \
  --web-search \
  --storage > meshagent.yaml

# Deploy into one room
meshagent service create --file meshagent.yaml --room myroom

# Deploy across the whole project
meshagent service create --file meshagent.yaml --global
Use this when:
  • you want MeshAgent to generate the starting service manifest for you
  • you want to review or customize it before deployment
  • you need fields that are easier to manage in the file than in CLI flags

Deploy from a manifest with meshagent service

Use meshagent service when you want to review, customize, validate, deploy, update, or delete the service manifest yourself. The examples below show three common cases:
  • a Service with a container
  • a ServiceTemplate with a container
  • a Service with an external runtime

Example 1: Service with container

Use kind: Service when the configuration is fixed at deploy time. 
kind: Service
version: v1
metadata:
  name: my-chatbot
  description: "A chatbot with web search and storage"
  annotations:
    meshagent.service.id: "my-chatbot"
agents:
  - name: my-chatbot
    description: "A helpful chatbot"
    annotations:
      meshagent.agent.type: "ChatBot"
container:
  image: "meshagent/cli:default"
  command: >-
    meshagent process join
    --agent-name my-chatbot
    --channel chat
    --web-search
    --storage
    --rule "You are a helpful assistant. Use web search to find current information and save important findings to storage."
    --room-rules "agents/my-chatbot/rules.md"
  environment:
    - name: MESHAGENT_TOKEN
      token:
        identity: my-chatbot
  storage:
    room:
      - path: /data
        read_only: false
This example uses kind: Service with a container. MeshAgent runs the meshagent/cli:default image, and the container starts meshagent process join ... inside it. Validate and deploy it:
bash
meshagent service validate --file meshagent.yaml
meshagent service create --file meshagent.yaml --room myroom
Use --global instead of --room myroom to deploy the same manifest as a project service.

Example 2: ServiceTemplate with container

Use kind: ServiceTemplate when the manifest shape stays the same but some values should be supplied during deployment or install. 
kind: ServiceTemplate
version: v1
metadata:
  name: my-language-chatbot
  description: "A chatbot with web search and storage that responds in your chosen language"
  annotations:
    meshagent.service.id: "my-language-chatbot"
variables:
  - name: language
    description: "The language the chatbot should respond in (e.g. English, Spanish, French)"
agents:
  - name: my-language-chatbot
    description: "A helpful chatbot"
    annotations:
      meshagent.agent.type: "ChatBot"
container:
  image: "meshagent/cli:default"
  command: >-
    meshagent process join
    --agent-name my-language-chatbot
    --channel chat
    --web-search
    --storage
    --rule "You are a helpful assistant. Always respond in {{ language }}. Use web search to find current information and save important findings to storage."
    --room-rules "agents/my-language-chatbot/rules.md"
  environment:
    - name: MESHAGENT_TOKEN
      token:
        identity: my-language-chatbot
  storage:
    room:
      - path: /data
        read_only: false
This example adds a language variable and uses {{ language }} inside the container.command. Validate and deploy it:
bash
meshagent service validate-template --file meshagent.yaml

meshagent service create-template \
  --file meshagent.yaml \
  --value language=Spanish \
  --room myroom
Use --global instead of --room myroom to deploy the rendered service project-wide. If you want to inspect the rendered YAML first, use meshagent service render-template --file meshagent.yaml --value language=Spanish.

Example 3: Service with external

Use external when MeshAgent should route to a service you already host elsewhere instead of running a container for you. 
kind: Service
version: v1
metadata:
  name: mcp-deepwiki
  description: "Expose the DeepWiki MCP server"
ports:
  - num: 443
    type: http
    endpoints:
      - path: /mcp
        mcp:
          label: "mcp-deepwiki"
          description: "MCP DeepWiki tools"
          allowed_tools:
            - tool_names: ["search", "read_page"]
              read_only: true
external:
  url: "https://mcp.deepwiki.com"
This example is a fixed Service that routes to an MCP server hosted outside MeshAgent. MeshAgent does not run the MCP server. It uses the external.url and ports.endpoints config to register that server’s tools in the room. Validate and deploy it:
bash
meshagent service validate --file mcp-service.yaml
meshagent service create --file mcp-service.yaml --room myroom
If you need installer-provided values such as a URL, label, or OAuth settings, you can use external inside a ServiceTemplate too. For a longer walkthrough, see Connect to an External MCP Server.

Manage deployed services

Use meshagent service after deployment to inspect and manage what you deployed.
bash
# List project services
meshagent service list

# List room services
meshagent service list --room myroom

# View details for one service
meshagent service show SERVICE_ID

# Update a deployed Service
meshagent service update --file meshagent.yaml --room myroom --id SERVICE_ID

# Update a deployed ServiceTemplate
meshagent service update-template --file meshagent.yaml --value key=value --room myroom --id SERVICE_ID

# Delete a deployed service
meshagent service delete SERVICE_ID --room myroom
Omit --room myroom when you are updating, listing, or deleting a project service instead.

Service configuration field reference

Top-level fields

FieldRequiredDescription
versionYesSchema version. Always v1.
kindYesService or ServiceTemplate.
metadataYesService identity and display information.
agentsNoAgent identities exposed by this service.
filesNoFiles MeshAgent should seed into room storage if they do not already exist.
portsNoNetwork ports and HTTP endpoints MeshAgent can route to.
container*Container configuration. Mutually exclusive with external.
external*External service URL. Mutually exclusive with container.
variablesNoUser-provided inputs for templating. ServiceTemplate only.
* Either container or external is required, but not both.

metadata

Identifies the service and provides information displayed in the UI.
FieldTypeRequiredDescription
namestringYesUnique service name.
descriptionstringNoDescription shown in UI.
repostringNoSource code repository URL.
iconstringNoIcon or emoji for UI display.
annotationsobjectNoKey-value metadata. See Annotations.

agents

Declares the participant identities this service provides. MeshAgent uses this to route requests, apply policies, and display agents in the UI.
FieldTypeRequiredDescription
namestringYesUnique agent identity within the service.
descriptionstringNoDisplay text describing the agent.
annotationsobjectNoKey-value metadata. See Annotations.
channelsobjectNoChannel-specific routing config for mail, messaging, queues, and toolkits.
emailobjectNoMailbox settings for this agent identity.
heartbeatobjectNoRecurring queue turn for this agent.

agents.channels

Use channels when one deployed agent should participate in more than one entry point.
FieldTypeRequiredDescription
emaillistNoInbound email channels for the agent.
messaginglistNoMessaging channels and optional named prompts.
queuelistNoQueue channels the agent should consume.
toolkitlistNoToolkits the agent should register or expose.
Queue channel entries support:
FieldTypeRequiredDescription
queuestringYesQueue name the agent should consume.
threading_modestringNoThreading mode for queue-delivered work, such as default-new.
message_schemaobjectNoJSON schema describing expected queue payload shape.
Messaging channel entries support:
FieldTypeRequiredDescription
protocolstringNoMessaging protocol. Defaults to meshagent.agent-message.v1.
promptslistNoNamed prompts available on that messaging channel.

agents.email

Use email when the agent identity itself should have mailbox settings attached to it.
FieldTypeRequiredDescription
addressstringYesEmail address for the agent.
publicbooleanNoWhether anyone can send to it. Defaults to false.

agents.heartbeat

Use heartbeat when the agent should enqueue a recurring turn for itself without creating a separate scheduled-task resource by hand.
FieldTypeRequiredDescription
queuestringYesQueue that receives the recurring work item.
thread_idstringNoOptional thread path or template. Time tokens such as {YYYY}, {MM}, {DD}, {HH}, and {mm} are expanded at runtime.
promptlistYesPrompt content for each heartbeat turn. Uses typed content items such as text and file.
minutesintegerYesInterval, in minutes, between heartbeats.
Heartbeat prompt items use the same typed content model as agent turns:
FieldTypeRequiredDescription
typestringYestext or file.
textstringNoText content when type: text.
urlstringNoFile URL when type: file, including room:///... references.
Example: 
agents:
  - name: assistant
    email:
      address: assistant@example.com
      public: true
    heartbeat:
      queue: heartbeats
      thread_id: /agents/assistant/threads/heartbeats/{YYYY}/{MM}/{DD}/{HH}/{mm}/heartbeat.thread
      prompt:
        - type: file
          url: room:///agents/assistant/heartbeat.md
        - type: text
          text: Review unresolved room work and summarize what changed.
      minutes: 60

files

Top-level files seed room storage before the service starts. MeshAgent creates each file only if it does not already exist, which makes this useful for editable starter content such as prompts, rules, or templates.
FieldTypeRequiredDescription
pathstringYesRoom-storage path to create.
textstringYesInitial file contents.
Use top-level files when the content should live in room storage and remain editable after deploy. Use container.storage.files when the file should be mounted inside the running container itself.

container

Defines a container for MeshAgent to run. Fields marked are only available in Service, not ServiceTemplate.
FieldTypeRequiredDescription
imagestringYesContainer image (for example meshagent/cli:default).
commandstringNoCommand to execute when the container starts.
working_dirstringNoAbsolute working directory used when starting the container command.
environmentlistNoEnvironment variables to set in the container.
secretslistNoIDs of project keys secrets to inject as environment variables. Service only.
pull_secretstringNoProject secret ID for authenticating with a private container registry. Service only.
storageobjectNoStorage volumes to mount into the container.
on_demandbooleanNoWhen true, the container runs only when explicitly invoked.
writable_root_fsbooleanNoAllow writes to the container’s root filesystem for the life of that container instance. Default: read-only.
privatebooleanNoAdvanced setting that keeps interactive container access private to the owning service. Default: true.

container.environment

Each entry sets an environment variable in the container. A variable can come from a literal value, a MeshAgent token, or a room secret.
FieldTypeRequiredDescription
namestringYesEnvironment variable name.
valuestringNoLiteral string value.
tokenobjectNoRequest a participant token to be generated and injected as the value.
secretobjectNoLoad a room secret for a specific identity and inject it as the value.
Use:
  • value for plain configuration
  • token for MeshAgent API access
  • secret for room-scoped credentials
token fields:
FieldTypeRequiredDescription
identitystringYesParticipant identity the token is issued for.
apiobjectNoAPI scope granted to the token. See API Scopes.
rolestringNoParticipant role (for example user, agent, or tool).
secret fields:
FieldTypeRequiredDescription
identitystringYesParticipant or service identity that owns the room secret.
idstringYesRoom secret ID to load.
This pattern is common for room services: token gives the service access to MeshAgent, while secret gives it an external credential.

container.storage

Mounts storage volumes into the container.
FieldTypeDescription
roomlistPer-room storage. Read/write by default.
projectlistProject-wide shared storage. Read-only by default.
imageslistContent from another container image. Read-only by default.
fileslistInline text content mounted as a file. Read-only by default.
empty_dirslistWritable temporary directories mounted into the container.
configslistMeshAgent runtime config mounts such as spec.json and members.json.
Room and project mount fields:
FieldTypeRequiredDescription
pathstringYesMount path inside the container.
subpathstringNoSubdirectory within the storage volume.
read_onlybooleanNoWhether the mount is read-only.
Image mount fields:
FieldTypeRequiredDescription
imagestringYesSource container image.
pathstringYesMount path inside the container.
subpathstringNoSubdirectory within the image.
read_onlybooleanNoWhether the mount is read-only.
File mount fields:
FieldTypeRequiredDescription
pathstringYesMount path inside the container.
textstringYesFile contents.
read_onlybooleanNoWhether the mount is read-only.
Empty directory mount fields:
FieldTypeRequiredDescription
pathstringYesMount path inside the container.
read_onlybooleanNoWhether the temporary directory is read-only.
Config mount fields:
FieldTypeRequiredDescription
pathstringYesDirectory inside the container where MeshAgent runtime config files should be mounted. Defaults to /var/run/meshagent.
Config mounts are useful when a shell tool or helper process inside the container needs access to runtime files such as spec.json and members.json.

external

Routes traffic to a service running outside MeshAgent. Requires ports to define how MeshAgent reaches the service.
FieldTypeRequiredDescription
urlstringYesURL where the service is running.

ports

Defines network ports the service listens on and how MeshAgent routes HTTP traffic to them.
FieldTypeRequiredDescription
num"*" or intYesPort number, or "*" for auto-assignment.
typestringNoProtocol: http or tcp.
livenessstringNoHTTP path for health checks.
endpointslistNoEndpoints served on this port.
publishedbooleanNoExpose the port to the internet.
publicbooleanNoWhen false, requests must include a participant token.
annotationsobjectNoKey-value metadata.

ports.endpoints

Each endpoint maps a URL path to either a MeshAgent-native service or an MCP server.
FieldTypeRequiredDescription
pathstringYesURL path for this endpoint.
meshagentobjectNoMeshAgent-native endpoint. Mutually exclusive with mcp.
mcpobjectNoMCP server endpoint. Mutually exclusive with meshagent.
annotationsobjectNoKey-value metadata.
meshagent endpoint
Connects the endpoint to a MeshAgent participant identity.
FieldTypeRequiredDescription
identitystringYesParticipant identity for this endpoint.
apiobjectNoAPI scope overrides. See API Scopes.
mcp endpoint
Registers an MCP server as a toolkit in the room.
FieldTypeRequiredDescription
labelstringYesToolkit display name.
descriptionstringNoDescription of what the toolkit provides.
allowed_toolslistNoFilters which tools are exposed.
headersobjectNoCustom HTTP headers to include in requests.
require_approvalstringNoalways or never.
oauthobjectNoOAuth client configuration.
openai_connector_idstringNoOpenAI connector ID.
allowed_tools entries:
FieldTypeRequiredDescription
tool_nameslistYesTool names to allow.
read_onlybooleanNoTreat the tools as read-only.
oauth fields:
FieldTypeRequiredDescription
client_idstringYesOAuth client ID.
client_secretstringNoOAuth client secret.
authorization_endpointstringYesAuthorization endpoint URL.
token_endpointstringYesToken endpoint URL.
no_pkcebooleanNoDisable PKCE (Proof Key for Code Exchange).
scopeslistNoOAuth scopes to request.

variables (ServiceTemplate only)

Defines user-provided inputs for a ServiceTemplate. Values are substituted into the YAML using {{ variable_name }} syntax. Template values are rendered into the manifest before validation, so they can be used anywhere the resulting YAML remains valid.
FieldTypeRequiredDescription
namestringYesVariable identifier. Referenced as {{ name }} in templates.
titlestringNoHuman-readable label shown in install UI.
descriptionstringNoHelp text shown in UI and Powerboards.
enumlistNoRestricts input to specific values. Displayed as a dropdown.
optionalbooleanNoWhether the variable can be left blank.
obscurebooleanNoHides the value in UI. Use for sensitive data.
typestringNoType hint (for example email).
annotationsobjectNoKey-value metadata. See Annotations.

Annotations

Annotations are key-value strings attached to services, agents, or variables. MeshAgent and Powerboards use specific annotation keys to control behavior. You can also define custom annotations.

Service annotations

Set in metadata.annotations.
KeyDescription
meshagent.service.idUnique identifier for the service.
meshagent.service.readmeURL or inline content for the service documentation.

Agent annotations

Set in agents[].annotations.
KeyDescription
meshagent.agent.typeInternal agent type metadata used by service manifests and generated specs.
meshagent.agent.widgetUI widget to display for this agent.
meshagent.agent.scheduleJSON string defining a scheduled task and its payload.
meshagent.agent.shell.commandShell command for Shell-type agents.
meshagent.agent.database.schemaDatabase schema metadata for the agent.

Variable annotations

Set in variables[].annotations.
KeyDescription
meshagent.secret.idSecret ID to create or update when Powerboards stores the value as a room secret.
meshagent.secret.identityIdentity that should own the created room secret.
meshagent.secret.nameDisplay name to use for the created room secret.
meshagent.secret.typeSecret type metadata for the stored room secret.

Event annotations

Set in agents[].annotations. Subscribe an agent to room events. The value is the name of a queue that a queue-consuming agent can process.
KeyDescription
meshagent.events.service.createdFires when a service is created in the room.
meshagent.events.service.updatedFires when a service is updated.
meshagent.events.room.user.grant.createFires when a user is added to the room.
meshagent.events.room.user.grant.deleteFires when a user is removed from the room.
meshagent.events.room.user.grant.updateFires when a user’s room grant is updated.