Documentation

Production Deployment

Deploy a generated Hono API server with explicit networking, security, and streaming configuration.

A generated Hono export is runnable, but production readiness depends on your hosting, security, and operational requirements. Treat its README security declarations as a checklist, not as an assurance that controls are already present.

Build the deployment artifact

Use Node.js >=24 and the package manager version declared in package.json. Before deployment, run:

pnpm install
pnpm typecheck
pnpm start

The generated project runs TypeScript with tsx; it does not emit a separate dist directory by default.

Configure host and port

The server defaults to:

HOST=127.0.0.1
PORT=3001

Use HOST=0.0.0.0 in a container or any environment where the process must accept traffic from outside its own network namespace. Most managed platforms inject PORT; preserve that value instead of hard-coding a different port.

Use GET /healthz for a basic process health check:

curl https://api.example.com/healthz

Configure environment variables

The generated .env.example lists the pattern's required variables alongside HOST, PORT, and CORS settings. Configure real values through your deployment platform's secret store.

At minimum, verify:

  • every variable marked required in the README is present
  • provider credentials belong to the server, never the browser
  • production and preview environments use separate credentials where possible
  • logs and error reports do not print secrets or complete sensitive prompts

Add authentication and authorization

The Next.js preview's entitlement and authentication middleware is not part of the Hono export. Read the generated README:

  • included means the exported server closure contains that control
  • consumer-required means you must add it
  • none means the pattern does not provide it

Authenticate requests before expensive model or tool execution. Then authorize the caller for the requested resource; authentication alone does not establish that a user may access every tool or dataset.

Add rate limits and request controls

Preview rate limits often live outside the exported route closure. If the README does not say rate limiting is included, add a durable limiter backed by storage that works across every server instance.

Also define limits appropriate for the pattern:

  • maximum request size
  • request and model timeouts
  • concurrent streams per user or tenant
  • tool execution budgets
  • upstream provider retry policy

The generated Hono entry point passes the Web Request to the pattern handler; request parsing and validation still belong to the handler or middleware you add.

Preserve streaming

AI responses may stream for longer than ordinary JSON requests. Configure every layer between the browser and Hono accordingly:

  • disable response buffering for streaming routes
  • allow the required idle and total request duration
  • do not transform streaming response bodies
  • forward disconnects so work can stop when the client leaves
  • test from the deployed frontend, not only with a local direct request

Next.js maxDuration exports that remain in copied route modules do not configure Hono or your deployment platform. Set timeouts in the host, proxy, and server controls that actually handle the request.

Production checklist

  • Node.js >=24 is selected.
  • HOST and PORT match the hosting environment.
  • CORS_ORIGINS lists only trusted frontend origins.
  • Required secrets are configured outside source control.
  • Authentication and authorization match the README declaration.
  • Distributed rate limiting protects model and tool calls.
  • Request size, timeout, and concurrency limits are explicit.
  • Proxy buffering is disabled for streaming routes.
  • /healthz, logs, metrics, and alerts are connected.
  • Shutdown and deployment draining behavior is tested on the chosen host.

If a deployed request behaves differently from local development, use the Hono troubleshooting guide.