# Endpoint Sessions

> Source: https://parallelworks.com/docs/run/sessions/endpoints

# Endpoint Sessions

An **endpoint session** exposes an app running on **a machine you control** — your workstation, a server, a VM, or any host that can reach the platform — through ACTIVATE, without deploying it or opening any inbound ports. The `pw` CLI dials out and registers a reverse tunnel, so **no inbound network access to that machine is required**; nothing on it has to accept incoming connections.

A [tunnel session](/docs/run/sessions/) exposes an app running on a remote compute resource, where an agent on the cluster initiates the tunnel. An endpoint session is independent of any cluster or agent — the `pw` CLI dials out on its own, so you can expose an app from any machine you run it on.

## Expose a local app

Run `pw endpoints http` next to an app listening on a port (or a Unix socket):

```bash
# Expose a local app on port 3000
pw endpoints http 3000
```

The CLI prints a public URL (for example `https://my-app.<sessions-domain>/`) and forwards traffic to your local app until you stop it with `Ctrl+C`. Use `pw endpoints https` instead when your local app speaks TLS.

A few common options:

- `--name <name>` — give the session a stable name; re-running takes over the same endpoint.
- `--subdomain <label>` — choose the subdomain instead of getting a random one.
- `--open` — open the URL in your browser once the tunnel is up.
- `--public` — let anyone with the link reach the endpoint without logging in (requires your organization to allow public sessions).

See the [`pw endpoints` CLI reference](/docs/cli/pw/endpoints) for the full list of commands and flags.

## Expose a local AI model

Add `--openai` to an [OpenAI-compatible server](/docs/ai/ai-providers/custom-openai-compatible/) (vLLM, Ollama, llama.cpp) to register it as a model in **Chat**, with no manual provider setup. Add `--auth-file` if the server needs an API key.

```bash
# A /v1 server already listening on port 11434
pw endpoints http --openai --name my-llm 11434
```

Or launch and expose it in one command with `pw endpoints run` (`{port}` is the assigned local port):

```bash
# llama.cpp takes --port directly
pw endpoints run --openai -- llama-server -hf ggml-org/gpt-oss-20b-GGUF --port {port}

# Ollama binds via OLLAMA_HOST and needs --rewrite-host (see Troubleshooting)
pw endpoints run --openai --rewrite-host -- sh -c 'OLLAMA_HOST=127.0.0.1:{port} ollama serve'
```

## Troubleshooting

### A local app rejects the tunneled request

Requests reach your app with the public endpoint host (`*.<sessions-domain>`), not `localhost`, and an app that trusts only `localhost` rejects them.

**A dev server blocks live reload** (Next.js, Vite, and similar): it treats the tunneled Hot Module Reload socket as **cross-origin** and closes it, so the page loads but never updates. Allow the endpoint host in the dev server's config, then restart:

- **Next.js** — add the host to [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) in `next.config.js`:

  ```js
  module.exports = {
    allowedDevOrigins: ['my-app.<sessions-domain>'],
  }
  ```

- **Vite** — add the host to `server.allowedHosts` in `vite.config.js`.

Production builds are unaffected.

**A server returns `403` on every request**: some servers reject a non-local `Host` to guard against [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding) (Ollama, for example). Add `--rewrite-host` so the server sees `localhost`:

```bash
pw endpoints http --rewrite-host 11434
```

If the server has its own allowed-hosts list, pass it the endpoint host with the `{host}` token instead: `pw endpoints run -- my-server --allowed-host {host}`.

:::note
These are settings on your local app, not limits of endpoint sessions. `--rewrite-host` changes only the `Host` your app sees, not the public URL.
:::
