Getting Started
Use this page to deploy your own Rafiki on Cloudflare and Modal.
What You Are Deploying
Rafiki runs as two connected pieces:
- a Cloudflare Worker plus Durable Objects for the public URL, auth, sessions, and streaming
- a Modal backend for agent execution, tools, and artifacts
Deploy Modal first, then Cloudflare, then run one smoke test through the Worker.
Before You Start
- Python 3.11+
uv- Node.js 20+
- a Modal account
- a Cloudflare account
uv run modal setupwrangler login
Step 1: Configure Shared Secrets
These are the main secrets you set during deployment:
INTERNAL_AUTH_SECRETSESSION_SIGNING_SECRETOPENAI_API_KEY
Where they belong:
INTERNAL_AUTH_SECRET: local.env, Modalinternal-auth-secret, and the Cloudflare Worker secretSESSION_SIGNING_SECRET: Cloudflare Worker secret and your token-minting environmentOPENAI_API_KEY: Modalopenai-secret
Shared-secret rule:
INTERNAL_AUTH_SECRETmust match in your local.env, Modalinternal-auth-secret, and the Cloudflare Worker secret.
Step 2: Deploy the Modal Backend
Use Deploy to Modal for the exact commands.
Minimum path:
cp .env.example .env
# edit .env and set INTERNAL_AUTH_SECRET=<shared-internal-secret>
uv sync --extra dev
source .venv/bin/activate
uv run modal setup
uv run modal deploy -m modal_backend.deploy
For local development, use uv run modal serve -m modal_backend.main instead.
Step 3: Deploy the Cloudflare Worker
Use Deploy to Cloudflare for the exact commands.
Minimum path:
cd edge-control-plane
npm install
wrangler login
wrangler secret put INTERNAL_AUTH_SECRET
wrangler secret put SESSION_SIGNING_SECRET
npm run deploy
Step 4: Verify With /health and One /query
Use Verify Deployment for the exact commands.
The shortest proof is:
GET /healthon your Worker URL- mint a session token with
edge-control-plane/scripts/generate-session-token.js - send one
POST /querythrough the Worker
After Your Stack Is Live
- API Usage Guide for supported routes and payloads
- Worker API Reference for low-level API details
- How Rafiki Fits Together for the system map