How to deploy an AI agent: the path from laptop to production
Knowing how to deploy an AI agent is a different skill from building one. The agent that works on your laptop, reading your local .env and printing to your terminal, is maybe 40 percent of the job. The other 60 percent is making it run unattended: surviving crashes, holding secrets safely, keeping its memory, and telling you when something breaks. This guide walks the practical path, from packaging your code to picking one of four deploy targets, with real commands and honest cost numbers for 2026.
We will assume you already have a working agent: a script or service that loops, calls a model, maybe reads a queue or a chat, and takes actions. The question is how to get it running 24/7 somewhere that is not your MacBook with the lid closed.
The route has four stages: package it, pick a target, wire up secrets and restarts, then add observability. Skip any one and you get paged. Let's take them in order.
Step 1: package the agent with Docker
The first practical question in how to deploy an AI agent is packaging. Whatever you deploy to, a container is the unit that travels cleanly between your laptop and a server. It pins your runtime version, your system libraries, and your dependencies so "works on my machine" becomes "works everywhere." Even the simplest deploy targets accept a Docker image.
Here is a lean Dockerfile for a Node-based agent. The same shape works for Python; swap the base image and the install step.
# Dockerfile
FROM node:22-slim AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .
FROM node:22-slim
WORKDIR /app
# run as a non-root user
RUN useradd --system --create-home agent
COPY --from=build /app /app
USER agent
ENV NODE_ENV=production
CMD ["node", "index.js"]# Dockerfile
FROM node:22-slim AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
COPY . .
FROM node:22-slim
WORKDIR /app
# run as a non-root user
RUN useradd --system --create-home agent
COPY --from=build /app /app
USER agent
ENV NODE_ENV=production
CMD ["node", "index.js"]Build it and run it locally to confirm it behaves the same as node index.js did:
docker build -t agent:latest .
docker run --rm --env-file .env agent:latestdocker build -t agent:latest .
docker run --rm --env-file .env agent:latestTwo things worth doing now, before you deploy anything. Run as a non-root user, as the Dockerfile does above, so a compromised agent does not own the whole container. And keep the image small by using a slim base and copying only what you need; a 200 MB image pulls and restarts far faster than a 1.5 GB one.
Step 2: choose one of four deploy targets
This is the decision that matters most. There are four realistic places to run a containerized agent, and they trade simplicity against control and cost. For a deeper split on the first option specifically, see AI agent VPS hosting; for the general local-versus-cloud framing, run AI agent in the cloud covers it.
Target A: a raw VPS
Rent a Linux box from Hetzner (around $5/month for 4 GB RAM) or DigitalOcean ($6/month), install Docker, and run your image with a restart policy:
docker run -d \
--name agent \
--restart unless-stopped \
--env-file /opt/agent/.env \
-v /opt/agent/workspace:/workspace \
agent:latestdocker run -d \
--name agent \
--restart unless-stopped \
--env-file /opt/agent/.env \
-v /opt/agent/workspace:/workspace \
agent:latestCheapest option, full control, but you own every piece of reliability yourself: restarts, backups, secrets, updates. Great for one agent and one operator.
Target B: a PaaS (Fly.io, Railway, Render)
Platform-as-a-service hides the server. You push code or an image and the platform runs it. Fly.io deploys your container close to users and handles restarts and rolling deploys:
fly launch --no-deploy
fly secrets set OPENAI_API_KEY=sk-... TELEGRAM_TOKEN=...
fly deployfly launch --no-deploy
fly secrets set OPENAI_API_KEY=sk-... TELEGRAM_TOKEN=...
fly deployRailway is even simpler for a single service and starts around $5/month plus usage. The tradeoff: less control over the underlying host, and background-worker pricing can climb once your agent runs a full month non-stop, since these platforms are tuned for request-driven web apps, not always-on loops.
Target C: Kubernetes (self-managed)
Run your own cluster (managed control plane on a cloud, or bare k3s on VPSes) and deploy the agent as a Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: agent
spec:
replicas: 1
selector:
matchLabels: { app: agent }
template:
metadata:
labels: { app: agent }
spec:
containers:
- name: agent
image: ghcr.io/your-org/agent:latest
envFrom:
- secretRef:
name: agent-secrets
resources:
limits:
memory: "1Gi"
cpu: "500m"apiVersion: apps/v1
kind: Deployment
metadata:
name: agent
spec:
replicas: 1
selector:
matchLabels: { app: agent }
template:
metadata:
labels: { app: agent }
spec:
containers:
- name: agent
image: ghcr.io/your-org/agent:latest
envFrom:
- secretRef:
name: agent-secrets
resources:
limits:
memory: "1Gi"
cpu: "500m"Kubernetes gives you real restarts, resource limits, secrets, and horizontal scaling for many agents. The cost is expertise: you now operate a cluster, patch nodes, and debug networking. Overkill for one agent, powerful for a fleet.
Target D: a managed agent runtime
A managed runtime runs the agent for you on infrastructure you never touch, with agent-specific features built in: persistent workspace, scoped secrets, RBAC, egress rules, and observability. You get the Kubernetes benefits from Target C without operating Kubernetes. More on this at the end.
Which deploy target should I use?
Here is the comparison side by side. Read the last two rows first; they usually decide it.
| Factor | Raw VPS | PaaS (Fly/Railway) | Kubernetes (DIY) | Managed runtime |
|---|---|---|---|---|
| Starting cost | ~$5/mo | ~$5-20/mo | ~$30/mo + your time | Per-agent plan |
| Setup effort | Low | Lowest | High | Low |
| Restarts | You configure | Built in | Built in | Built in |
| Persistent state | Manual snapshots | Volumes, add-on cost | PVCs, you manage | Built in per agent |
| Secrets | .env files | Platform secrets | K8s secrets | Scoped store, rotation |
| RBAC | Root SSH only | Basic team roles | You configure | Per user and agent |
| Scales to many agents | Poorly | Moderately | Yes | Yes |
| Ops burden on you | High | Low | Highest | Lowest |
| Best for | 1 agent, 1 person | 1-3 agents, fast | Large teams with ops | Fleets without ops staff |
The honest read: a raw VPS or a PaaS is right for your first one to three agents. Kubernetes is right when you have a platform team who wants to own the cluster. A managed runtime is right when you need the Kubernetes feature set but do not want to hire for it.
Step 3: secrets and restarts, the two things people skip
Two mistakes cause most agent outages. Fix both before you call it deployed.
Secrets. Never bake API keys into the image or commit them. Every target above has a real place for secrets: fly secrets set, Kubernetes Secret objects, or a managed store. Rotate them on a schedule and keep them out of your git history. If a key ever lands in a commit, treat it as leaked and rotate immediately.
Restarts. Your agent will crash. Plan for it. On a VPS, --restart unless-stopped (Docker) or Restart=always (systemd). On a PaaS or Kubernetes, restart is default behavior. Add a crash-loop backoff so a broken agent does not hammer your model API and run up a bill: Kubernetes does this automatically, and systemd does it with StartLimitBurst.
A short checklist before you flip the switch:
Secrets injected at runtime, never in the image.
Restart policy in place and tested by killing the process.
A persistent volume mounted for any state the agent must keep.
Resource limits set so one agent cannot eat the whole host.
Log output going somewhere you can read remotely.
Step 4: observability, so you find out before your users do
A deployed agent you cannot see into is a liability. At minimum you need structured logs shipped off the box. Better, you also want metrics: how many actions per hour, token spend, error rate, and restart count.
On a VPS or Kubernetes you typically wire up a stack yourself. A common 2026 choice is Grafana with Loki for logs and Prometheus for metrics. The official docs at https://grafana.com/docs/ walk through it, but budget a day or two to get it clean, plus ongoing upkeep.
The signals that actually matter for an agent:
Restart count. A rising count means a crash loop you have not noticed.
Token spend per hour. Catches a runaway loop before the invoice does.
Action success rate. Tells you the agent is doing work, not just staying alive.
Egress destinations. What the agent is talking to; unexpected hosts are a red flag.
What does it cost to run an agent 24/7?
Ballpark monthly numbers for a single always-on agent, compute only, before model API spend:
| Target | Rough monthly cost | Notes |
|---|---|---|
| Raw VPS (Hetzner) | $5-6 | Add your time for ops |
| PaaS (Railway/Fly) | $5-25 | Climbs for full-month workers |
| Kubernetes (DIY) | $30+ | Plus significant ops time |
| Managed runtime | Per-agent plan | Ops time near zero |
Model API spend usually dwarfs compute. A chatty agent on a mid-tier model can burn far more in tokens than in server rent, so optimize prompts before you optimize the box. For a full breakdown of the ongoing numbers, see cost to run an AI agent 24/7.
How do I update an agent without downtime?
Deploying once is easy. Deploying the tenth version, while the agent is mid-task, is where things get sharp. A stateless request-handler can be replaced with a rolling deploy: bring up the new version, shift traffic, retire the old one. An always-on agent that holds in-flight work needs more care, because killing it mid-action can leave a half-finished task or a dangling API call.
Two practical patterns handle this:
Drain then swap. Signal the agent to stop accepting new work, let it finish the current task, then replace it. On Kubernetes this is a
preStophook plus a sensibleterminationGracePeriodSeconds. On a VPS it is aSIGTERMyour code catches to finish cleanly before exit.Idempotent tasks. Design each unit of work so that running it twice is safe. Then an interrupted task can simply be retried by the new version without double-charging a user or sending a duplicate message.
On a raw VPS you script this yourself. On a PaaS you get rolling deploys but limited control over graceful drain. On Kubernetes and managed runtimes, graceful termination is a first-class setting. Whichever target you pick, decide your update story before you need it, not during an incident.
Common questions about deploying an AI agent
Do I need Kubernetes to deploy an AI agent? No. For one or two agents a VPS or a PaaS is simpler and cheaper. Kubernetes earns its complexity once you run many agents or a team needs shared, controlled infrastructure.
Can I just leave it on my laptop? For building, yes. For production, no; a laptop sleeps, reboots, and drops off WiFi. Anything users depend on belongs on a server or a managed runtime.
How do I stop a runaway loop from burning my API budget? Cap it in code with a per-hour token or request ceiling, and alert on spend. A crash-loop backoff on the deploy side stops a restart storm from compounding the bill.
When to reach for a managed runtime
If you are deploying your third agent and reconfiguring secrets, restarts, volumes, and dashboards by hand each time, that repetition is the signal to go managed. Sokko is a managed platform built specifically for running AI agents like OpenClaw, Hermes, Paperclip, and OpenSRE around the clock. It is secure, always-on infrastructure we run, so you never touch a server. It gives you the persistent workspace, scoped secret store, RBAC, egress allow-rules, and observability from the steps above as defaults, without asking you to run the infrastructure yourself. For a single hobby agent, a $5 VPS is still the right call. For a growing fleet where the ops work is starting to outweigh the agent work, a managed runtime is the cheaper option once you count your own hours. If you want to see the deploy flow end to end, deploying your first agent walks through it. For the dashboard path, the quickstart gets you to a live agent in about a minute.
Wrapping up
Learning how to deploy an AI agent comes down to four steps: package it in a container, pick a target that matches your stage, wire up secrets and restarts properly, and add enough observability to sleep at night. Start on a raw VPS or a PaaS while you have one or two agents. Move to Kubernetes or a managed runtime when you have a fleet, a team, or state you cannot lose. The right answer changes as you grow, so match the tool to where you are today rather than where you hope to be in a year.