Agents

Expose any private service to paying consumers — without opening firewall ports, without a public IP address, and without changing your existing setup.

The problem agents solve

Most API monetization requires your service to be publicly reachable. That means:

A static public IP address
Firewall rules allowing inbound traffic
A domain name and TLS certificate
Exposure of your server's location to the public internet

This rules out most private services: a Minecraft server on your home network, a private SAP instance, a local weather station, a corporate ERP, a game server behind CGNAT. These services work fine but cannot be sold because they are not reachable.

Agents solve this by reversing the connection. Instead of waiting for consumers to connect to your service, your service connects outbound to your Sertone control center. Your control center then relays consumer requests through that persistent connection — and your service never needs to be publicly visible.

How it works

Agent connects outbound
The agent process runs on the same machine as your private service. It connects out to your Sertone control center over a persistent WebSocket. No inbound ports required.

↓

Consumer calls your API
The consumer makes a normal HTTPS call to your control center. The control center receives the request and identifies it as destined for an agent-connected service.

↓

Request relayed through agent
The control center forwards the HTTP request through the agent's WebSocket connection. The agent receives it, calls your local service (on localhost), and sends the response back.

↓

Response delivered, payment settled
The response travels back through the relay. The consumer gets the result. USDC settlement runs automatically — just like any other Sertone API.

Real-world uses

Your private service	APIs you can sell
Minecraft server (home network)	Server status, player list, in-game commands, whitelist management
SAP / ERP system (corporate network)	Inventory queries, order lookup, employee directory
Home automation hub (local network)	Sensor readings, device control, energy usage
Private AI model (no GPU hosting fees)	Text generation, classification, embeddings
Database / data warehouse	Read-only query APIs, analytics endpoints, export feeds
Legacy system (SOAP, XML-RPC)	Modernize to REST while keeping the original service untouched

Setting Up an Agent

Requirements

Your Sertone control center already installed and running
Docker 20.10+ on the machine where your private service runs
Outbound HTTPS access from that machine (port 443)

Step 1: Generate a pairing token

In your control center's web console, open My Services and select Add Agent Connection. Give it a name (e.g. "Minecraft Server") and generate a pairing token. Copy the token — it is shown only once.

Step 2: Run the agent

On the machine where your private service runs, start the agent process using the pairing token from step 1 and the address of your control center:

docker run -d \
  --name sertone-agent \
  --network host \
  -e PAIRING_TOKEN=your_token_here \
  -e CONTROL_CENTER=https://your-control-center-address \
  sertonenet/gateway:latest --mode agent

The agent connects to your control center and appears as "Connected" within a few seconds.

Step 3: Register APIs pointing to your local service

Back in the control center, configure the endpoints you want to expose:

API path — the path consumers will call (e.g., /status)
Target URL — where the agent should forward requests on the local machine (e.g., http://localhost:8080/api/status)
Method — GET, POST, etc.
Price — per-call price in USDC

Your API is now registered in the global catalog. Consumers can discover and call it immediately.

Security

Your service stays private

The agent connects outbound only. Your private service's IP address and network location are never exposed. Consumers never connect directly to your machine — all traffic goes through your control center, which you own and control.

Authenticated relay

The WebSocket connection between the agent and your control center is authenticated with the pairing token and secured with TLS. A compromised token can be revoked instantly from the control center — the agent disconnects within seconds.

Request filtering

Requests are filtered by your control center before being forwarded. Only requests for registered APIs reach your private service. Invalid paths, unauthorized consumers, and malformed requests are rejected at the control center before they ever touch the agent.

Example: Minecraft Server APIs

Here is a complete walkthrough of turning a Minecraft Java Edition server into a set of monetized APIs.

Architecture

Consumer → Sertone network → Your control center → Agent → Minecraft server
                                                          ↑
                                        (localhost, same machine, no port open)

The three APIs

GET /mc/status — Server status

{
  "online": true,
  "version": "1.21.4",
  "players_online": 7,
  "players_max": 20,
  "motd": "Welcome to the server!",
  "latency_ms": 12
}

GET /mc/players — Current player list

{
  "online": ["Steve", "Alex", "Notch"],
  "count": 3,
  "max": 20
}

POST /mc/say — Broadcast a message in-game

// Request
{ "message": "Hello from the API!" }

// Response
{ "sent": true, "at": "2026-04-19T22:00:00Z" }

How the Minecraft plugin works

A lightweight Minecraft plugin (Bukkit/Spigot/Paper) exposes these three endpoints locally on http://localhost:8123. The agent forwards consumer requests to this local server. The Minecraft server process and the API server never see the public internet.

Consumers call the APIs at normal Sertone API prices (e.g., $0.001/call). The plugin author earns 95% of every call, settled automatically in USDC.

See the A2A Agent demo for a live interactive example of how agents discover and call each other through the network.

Frequently asked questions

Can an agent expose multiple services?

Yes. Each registered API can target a different local URL. One agent can proxy requests to a Minecraft server, a local Python API, and a home automation hub — all at the same time.

What happens if the agent disconnects?

The agent reconnects automatically with exponential backoff. While disconnected, calls to its APIs return a service unavailable response. The control center shows the agent status as "Disconnected" and sends an alert if configured.

Does this work with WebSocket or SSE services?

Yes. The agent relay supports streaming protocols. SSE streams and WebSocket connections are relayed transparently through the persistent connection.

Can I run multiple agent instances for redundancy?

Yes. Register two agents with the same APIs. The control center round-robins requests across available agents automatically. If one goes down, the other takes all traffic.

Is there a cost to run the agent?

The agent image is free. It uses minimal resources — roughly the same as a very light web server. On a typical VPS it uses under 50MB of RAM and less than 1% CPU when idle.

Next steps

Registering APIs → Quick Start → A2A Agent demo →