Skip to content
▚ Run it yourself

Your infra. Your data. Your rules.

ByteDesk Agent Browser is open-source and self-hostable — a single Go binary plus Chrome. Run it on a laptop for dev or split the planes for scale. Nothing phones home.

Why self-host

Own the browser your agents drive.

Data stays in your infra

Sessions, page content, screenshots, and provider credentials never leave the box you run it on. No third party sits between your agents and the pages they browse.

No lock-in

100% Anchor wire-compatible and open-source. Migration is a base-URL change today; leaving is deleting a binary. Nothing proprietary holds your workloads.

Auditable OSS

One Go codebase you can read end to end — the CDP gateway, the perform-web-task loop, the MCP server, the auth path. Fork it, patch it, ship it.

What it takes to run

Two dependencies: Go and Chrome.

Build the server from ./cmd/server and run it. It manages Chrome itself and listens on PORT. For development that single process is the whole system — sessions, CDP gateway, perform-web-task loop, and MCP server all live in it.

For scale, the same binary splits into a control plane (API, auth, scheduling) and a data plane (the warm browser pool), so you can autoscale the pool independently. The architecture doc walks the plane split and the warm-pool model.

Build & run
git clone https://github.com/ByteDeskAI/bytedesk-agent-browser
cd bytedesk-agent-browser

go build ./cmd/server && ./server
# PORT=8080 ./server   # override the listen port
# ./demo/run_demo.sh   # end-to-end smoke test

Auth defaults to the dev key bdab-dev-key — set your own before exposing the port.

Security posture

What's enforced today — and what isn't yet.

API-key auth

Every request carries an anchor-api-key header; unauthenticated calls are rejected before they reach a session. Rotate keys by config — the dev default is bdab-dev-key, replace it in production.

Execute-code isolation

Agent-driven actions run against a real Chrome the server owns, not your host shell. Code execution is moving toward per-session sandboxing — keep the server on a network you trust in the meantime.

Provider secret handling

Model credentials are read from env or the provider registry and used server-side only — they are never returned in responses or streamed over /ws. ACP lets you skip raw keys entirely and drive an already-logged-in CLI.

Be honest about the gaps: production-grade hardening is on the roadmap, not shipped. Until it lands, run the server on a trusted network and terminate TLS at your own edge.

Zero-data-retention controls Per-session sandboxing (gVisor) Patched-Chromium stealth build
Deploy targets

Runs wherever you run things.

Bare VM

Copy the binary and a Chrome, set PORT, run it. The whole thing is one process — the simplest deploy is scp plus a shell.

Docker

Package the server and Chrome in one image. Mount your provider keys as env; expose the HTTP + CDP port.

systemd / Nomad

Run it as a supervised long-lived service. Restart-on-failure, journald logs, and env-file secrets — no orchestration required.

Kubernetes

For scale, split the control plane from the browser data plane and run the pool as its own deployment. See the architecture doc for the plane split.

Self-host in minutes

Clone, build, run. It's a single Go binary plus Chrome.