Remote Server
Craft Agents can run as a remote server, letting you keep long-running sessions alive on a remote machine, access them from multiple clients (desktop app, browser, or CLI), and run compute-heavy tasks on a powerful server.Prerequisites
Choose the setup path that fits your deployment: If you’re running from source, install Bun with:Quick setup from source
Clone and run the install script:Docker container
If you just want a deployable server, use the public GitHub Container Registry package: Use thelatest container tag:
http://your-server:9100 immediately after the container starts. For any networked deployment, terminate TLS at a reverse proxy or mount certificates and set CRAFT_RPC_TLS_CERT / CRAFT_RPC_TLS_KEY.
If you prefer Docker Compose:
Docker troubleshooting
Sessions return empty responses (no errors) When running with--user and a custom HOME directory, the Claude Agent SDK needs $HOME/.claude/ to be writable. If the HOME directory is read-only (e.g., owned by root), the SDK silently returns empty responses with no error logged.
Fix: Mount a writable volume at the HOME path. For example, if running as a host user whose home is /Users/alice:
docker-home→/Users/alice— writable HOME for the SDK (~/.claude/).craft-agent→/Users/alice/.craft-agent— workspace data (overlays on top)
The default Docker image uses
HOME=/home/craftagents with a pre-created writable directory. This issue only occurs when overriding HOME to match a host user path.http://your-server:9100 returns a 404 or connection error:
CRAFT_WEBUI_DIRnot set — The Docker image sets this to/app/apps/webui/distby default. If yourdocker-compose.ymlor.envfile overrides environment variables, make sureCRAFT_WEBUI_DIRis included or not overridden to empty.- Volume shadows the app directory — Mounting a volume over
/appreplaces the built WebUI assets. Only mount volumes to/home/craftagents/.craft-agent(or your custom HOME path), not to/app. - Older image tag — Pre-0.8.0 images don’t include the WebUI. Use
latestor0.8.0+.
Manual setup from source
Web UI
The server can serve a browser-accessible web UI on the same port.- Docker image: already includes the Web UI
- Run from source: build and enable it with:
Accessing the Web UI
Openhttps://your-server:9100 (or http:// without TLS) in any browser. You’ll see a login page.
Authentication
Enter the server token as the password. The server issues a session cookie on successful login.- Login attempts are rate-limited to 5 per 60 seconds per IP
- The session persists until you log out or the cookie expires
What you can do
The web UI provides the same session interface as the desktop app — create sessions, send messages, manage workspaces. OAuth flows for Claude and Copilot work directly in the browser.Connecting Clients
Desktop App (Hybrid Mode)
Connect to a remote server while keeping local workspaces:- Click the workspace dropdown in the sidebar
- Select Add Workspace… → Connect to Remote Server
- Enter the server URL (e.g.,
wss://192.168.1.100:9100) and token - Click Test Connection to verify
- Select an existing workspace or create a new one on the server
Desktop App (Thin Client)
Launch the app as a pure thin client — all logic runs on the server:Web UI
Open the server URL in any browser and log in with the token. See Web UI above.CLI Client
Use the terminal client for scripting and automation:Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
CRAFT_SERVER_TOKEN | Yes | — | Bearer token for authentication |
CRAFT_SERVER_URL | No | — | Server URL for client connections |
CRAFT_RPC_HOST | No | 127.0.0.1 | Bind address (0.0.0.0 for remote) |
CRAFT_RPC_PORT | No | 9100 | Bind port |
CRAFT_RPC_TLS_CERT | Yes* | — | PEM certificate file (enables wss://) |
CRAFT_RPC_TLS_KEY | Yes* | — | PEM private key file |
CRAFT_RPC_TLS_CA | No | — | PEM CA chain file (optional) |
CRAFT_DEBUG | No | false | Enable debug logging |
localhost-only development.
Running at Startup
Linux (systemd)
Create the environment file at/path/to/craft-agents-oss/.env:
/etc/systemd/system/craft-agents.service:
macOS (launchd)
Create a plist at~/Library/LaunchAgents/com.craft.agents-server.plist:
Secure Access
Exposing the server directly to the internet is not recommended. Instead, use one of these approaches:Tailscale (recommended)
Tailscale creates a private mesh network between your devices. Install it on both the server and client machines — no port forwarding, no certificates, no firewall rules needed.Reverse proxy (nginx, Caddy)
Place the server behind a reverse proxy that handles TLS termination and access control. This is the standard approach for production deployments. Caddy (automatic HTTPS):CRAFT_RPC_HOST=127.0.0.1) and let the proxy handle external access.
Cloudflare Tunnel
Cloudflare Tunnel exposes your server over HTTPS without opening ports or managing certificates. Installcloudflared and run:
https://<random>.trycloudflare.com URL you can open in any browser. For a permanent custom domain:
Cloudflare Tunnel handles TLS termination automatically — no need to set
CRAFT_RPC_TLS_CERT / CRAFT_RPC_TLS_KEY. Keep CRAFT_RPC_HOST=127.0.0.1 so the server only listens locally.SSH tunnel
For quick, ad-hoc access without any setup:ws://localhost:9100 from the desktop app or browser. The tunnel encrypts all traffic over SSH.
Browser tool
The built-in browser bridges from the remote server to the connected desktop client — pages open on your local machine, using your cookies and signed-in sessions. The browser tool is available when at least one desktop client is connected; web UI and CLI clients cannot host browser windows. See Browser on remote workspaces for the security model and theallowRemoteEvaluate switch.