Endpoint Sessions
An endpoint session exposes an app running on a machine you control — your workstation, a server, a VM, or any host that can reach the platform — through ACTIVATE, without deploying it or opening any inbound ports. The pw CLI dials out and registers a reverse tunnel, so no inbound network access to that machine is required; nothing on it has to accept incoming connections.
A tunnel session exposes an app running on a remote compute resource, where an agent on the cluster initiates the tunnel. An endpoint session is independent of any cluster or agent — the pw CLI dials out on its own, so you can expose an app from any machine you run it on.
Expose a local app
Run pw endpoints http next to an app listening on a port (or a Unix socket):
# Expose a local app on port 3000
pw endpoints http 3000The CLI prints a public URL (for example https://my-app.<sessions-domain>/) and forwards traffic to your local app until you stop it with Ctrl+C. Use pw endpoints https instead when your local app speaks TLS.
A few common options:
--name <name>— give the session a stable name; re-running takes over the same endpoint.--subdomain <label>— choose the subdomain instead of getting a random one.--open— open the URL in your browser once the tunnel is up.--public— let anyone with the link reach the endpoint without logging in (requires your organization to allow public sessions).
See the pw endpoints CLI reference for the full list of commands and flags.
Expose a local AI model
Add --openai to an OpenAI-compatible server (vLLM, Ollama, llama.cpp) to register it as a model in Chat, with no manual provider setup. Add --auth-file if the server needs an API key.
# A /v1 server already listening on port 11434
pw endpoints http --openai --name my-llm 11434Or launch and expose it in one command with pw endpoints run ({port} is the assigned local port):
# llama.cpp takes --port directly
pw endpoints run --openai -- llama-server -hf ggml-org/gpt-oss-20b-GGUF --port {port}
# Ollama binds via OLLAMA_HOST and needs --rewrite-host (see Troubleshooting)
pw endpoints run --openai --rewrite-host -- sh -c 'OLLAMA_HOST=127.0.0.1:{port} ollama serve'Troubleshooting
A local app rejects the tunneled request
Requests reach your app with the public endpoint host (*.<sessions-domain>), not localhost, and an app that trusts only localhost rejects them.
A dev server blocks live reload (Next.js, Vite, and similar): it treats the tunneled Hot Module Reload socket as cross-origin and closes it, so the page loads but never updates. Allow the endpoint host in the dev server's config, then restart:
-
Next.js — add the host to
allowedDevOriginsinnext.config.js:module.exports = { allowedDevOrigins: ['my-app.<sessions-domain>'], } -
Vite — add the host to
server.allowedHostsinvite.config.js.
Production builds are unaffected.
A server returns 403 on every request: some servers reject a non-local Host to guard against DNS rebinding (Ollama, for example). Add --rewrite-host so the server sees localhost:
pw endpoints http --rewrite-host 11434If the server has its own allowed-hosts list, pass it the endpoint host with the {host} token instead: pw endpoints run -- my-server --allowed-host {host}.
These are settings on your local app, not limits of endpoint sessions. --rewrite-host changes only the Host your app sees, not the public URL.