> For the complete documentation index, see [llms.txt](/llms.txt).
> A full single-fetch corpus is available at [llms-full.txt](/llms-full.txt).
---
title: Serverless endpoints
description: Run AGNT5 components from Cloudflare Workers, Vercel or Next.js route handlers, Deno, Hono, and Node.js HTTP servers without running a persistent worker process.
last_verified: 2026-07-04
---

A **serverless endpoint** is an HTTPS deployment that serves an AGNT5 manifest and accepts signed invoke requests. AGNT5 can dispatch functions, workflows, tools, and agents to that endpoint instead of routing them to a persistent worker.

Serverless endpoints are in beta for Cloudflare Workers, Vercel or Next.js route handlers, Deno, Hono, and generic Node.js HTTP servers. AWS Lambda and Google Cloud Run are planned after beta.

## Choose a host

| Host | Use when | SDK entrypoint |
| --- | --- | --- |
| Cloudflare Workers | You want a fetch-native worker with fast global startup. | `@agnt5/sdk/serverless` |
| Vercel or Next.js | You want route handlers deployed with a Next.js or Vercel app. | `@agnt5/sdk/serverless` |
| Deno | You want a fetch-native Deno server or Deno Deploy endpoint. | `@agnt5/sdk/serverless` |
| Hono | You want one Hono app that can run on Node, Cloudflare Workers, Deno, Bun, or another Hono adapter. | `@agnt5/sdk/serverless` |
| Generic Node.js | You want to mount AGNT5 on `node:http`, Express, Fastify, Koa, or a similar Node host. | `@agnt5/sdk/serverless/node` |

Use the same component definitions across hosts. The host adapter only changes how HTTP requests reach the AGNT5 serverless protocol handler.

## Expose the protocol routes

Each endpoint must expose two routes:

- `GET /.well-known/agnt5`: returns the manifest AGNT5 registers.
- `POST /agnt5/invoke`: receives signed invoke requests from AGNT5.

For fetch-native hosts, export the handler from `@agnt5/sdk/serverless`:

```ts
const hello = workflow("hello", async (_ctx, input: { name?: string }) => ({
  message: `hello ${input.name ?? "world"}`,
}));

export default serve({
  serviceName: "my-serverless-agent",
  serviceVersion: process.env.VERCEL_GIT_COMMIT_SHA ?? "local",
  signingSecret: () => process.env.AGNT5_SERVERLESS_SIGNING_SECRET,
  workflows: [hello],
});
```

For generic Node.js hosts, adapt incoming Node request and response objects:

```ts
const hello = workflow("hello", async (_ctx, input: { name?: string }) => ({
  message: `hello ${input.name ?? "world"}`,
}));

const agnt5 = serveNode({
  serviceName: "my-node-agent",
  serviceVersion: process.env.GIT_SHA ?? "local",
  signingSecret: () => process.env.AGNT5_SERVERLESS_SIGNING_SECRET,
  workflows: [hello],
});

http.createServer((request, response) => {
  void agnt5(request, response);
}).listen(8787);
```

## Sync the deployment

After the provider deploys your endpoint, sync it with AGNT5. Sync creates or reuses an immutable AGNT5 deployment, imports the manifest, stores the signing secret reference, and can activate the component routes for an environment.

```bash
( umask 077 && openssl rand -base64 32 > .agnt5-serverless-secret )
# Store "$(cat .agnt5-serverless-secret)" in the provider's
# AGNT5_SERVERLESS_SIGNING_SECRET environment variable, then deploy.
export AGNT5_SERVERLESS_SIGNING_SECRET="$(cat .agnt5-serverless-secret)"

agnt5 serverless sync https://<endpoint-host> \
  --provider cloudflare \
  --env production \
  --immutable-ref <provider-version-or-git-sha> \
  --signing-secret-env AGNT5_SERVERLESS_SIGNING_SECRET \
  --request-timeout-ms 30000 \
  --yield-before-timeout-ms 1000
```

Use `--provider vercel` for Vercel and `--provider node` for a generic Node.js, Deno, or Hono Node endpoint. Use `--provider cloudflare` when Hono runs on Cloudflare Workers. Pass `--activate=false` when you want to import the endpoint without changing active route ownership, and pass `--replace-route-owners` only when you intend the endpoint to take over matching component routes in that environment.

## Validate the endpoint

Check that the manifest route is reachable before syncing:

```bash
curl https://<endpoint-host>/.well-known/agnt5
```

AGNT5 release branches also include provider smokes for the beta hosts:

```bash
export AGNT5_SERVERLESS_SIGNING_SECRET="$(cat .agnt5-serverless-secret)"
export VERCEL_AUTOMATION_BYPASS_SECRET=<vercel-bypass-secret-if-protected>

just test-e2e-workerless-cloudflare-smoke https://<cloudflare-worker-host>
just test-e2e-workerless-vercel-smoke https://<vercel-host>
just test-e2e-workerless-node-smoke https://<node-host>
```

Use the Node smoke for Hono on Node. Use the Cloudflare or Vercel smoke when Hono runs on those providers. Deno does not have a dedicated smoke yet; validate `/.well-known/agnt5`, then run the synced AGNT5 workflow after deploy.

The deployed smokes expect `https://` endpoint URLs; `http://` is accepted only for local loopback targets such as `127.0.0.1`. They fail before network calls unless `AGNT5_SERVERLESS_SIGNING_SECRET`, `AGNT5_WORKERLESS_SIGNING_SECRET`, or `WORKERLESS_SIGNING_SECRET` is set, and their output includes `signing=enabled` when direct invoke requests are signed. Vercel Deployment Protection can additionally use `VERCEL_AUTOMATION_BYPASS_SECRET` or `VERCEL_PROTECTION_BYPASS_SECRET`. The Node smoke can also start a local `node:http` server with the SDK adapter when no endpoint URL is passed.

## Beta limits

Serverless endpoints currently support signed dispatch, manifest sync, encrypted signing secret references, component route ownership, durable step checkpoints, timeout suspension, retries, concurrency, throttle, rate-limit, latest-run-wins debounce, static priority, queue-mode singleton keys, and idempotency metadata.

Batch declarations are rejected for workerless beta until aggregate batching enforcement exists. Keep batch policies on persistent workers for now.

Shared beta environments also require AGNT5 operator enablement. Operators enable the workerless dispatch gates and global workerless gate before a shared environment sends traffic to serverless endpoints.

## Next steps

- [Deploying](/docs/run/deploying.md): deploy and verify a managed worker.
- [Environments](/docs/run/environments.md): promote and roll back deployment pointers.
- [Workflows](/docs/build/workflows.md): define the components your endpoint serves.
- [Integrations](/docs/integrations/overview.md): configure provider and secret connections.
