diff --git a/cli/create.go b/cli/create.go
index 3f52e59e8ad90..db8253ddb5d03 100644
--- a/cli/create.go
+++ b/cli/create.go
@@ -29,7 +29,12 @@ const PresetNone = "none"
 
 var ErrNoPresetFound = xerrors.New("no preset found")
 
-func (r *RootCmd) create() *serpent.Command {
+type createOptions struct {
+	beforeCreate func(ctx context.Context, client *codersdk.Client, template codersdk.Template, templateVersionID uuid.UUID) error
+	afterCreate  func(ctx context.Context, inv *serpent.Invocation, client *codersdk.Client, workspace codersdk.Workspace) error
+}
+
+func (r *RootCmd) create(opts createOptions) *serpent.Command {
 	var (
 		templateName    string
 		templateVersion string
@@ -305,6 +310,13 @@ func (r *RootCmd) create() *serpent.Command {
 				_, _ = fmt.Fprintf(inv.Stdout, "%s", cliui.Bold("No preset applied."))
 			}
 
+			if opts.beforeCreate != nil {
+				err = opts.beforeCreate(inv.Context(), client, template, templateVersionID)
+				if err != nil {
+					return xerrors.Errorf("before create: %w", err)
+				}
+			}
+
 			richParameters, err := prepWorkspaceBuild(inv, client, prepWorkspaceBuildArgs{
 				Action:            WorkspaceCreate,
 				TemplateVersionID: templateVersionID,
@@ -366,6 +378,14 @@ func (r *RootCmd) create() *serpent.Command {
 				cliui.Keyword(workspace.Name),
 				cliui.Timestamp(time.Now()),
 			)
+
+			if opts.afterCreate != nil {
+				err = opts.afterCreate(inv.Context(), inv, client, workspace)
+				if err != nil {
+					return err
+				}
+			}
+
 			return nil
 		},
 	}
diff --git a/cli/externalworkspaces.go b/cli/externalworkspaces.go
new file mode 100644
index 0000000000000..5ea1d2d8c9410
--- /dev/null
+++ b/cli/externalworkspaces.go
@@ -0,0 +1,271 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/pretty"
+	"github.com/coder/serpent"
+)
+
+type externalAgent struct {
+	WorkspaceName string `json:"-"`
+	AgentName     string `json:"-"`
+	AuthType      string `json:"auth_type"`
+	AuthToken     string `json:"auth_token"`
+	InitScript    string `json:"init_script"`
+}
+
+func (r *RootCmd) externalWorkspaces() *serpent.Command {
+	orgContext := NewOrganizationContext()
+
+	cmd := &serpent.Command{
+		Use:   "external-workspaces [subcommand]",
+		Short: "Create or manage external workspaces",
+		Handler: func(inv *serpent.Invocation) error {
+			return inv.Command.HelpHandler(inv)
+		},
+		Children: []*serpent.Command{
+			r.externalWorkspaceCreate(),
+			r.externalWorkspaceAgentInstructions(),
+			r.externalWorkspaceList(),
+		},
+	}
+
+	orgContext.AttachOptions(cmd)
+	return cmd
+}
+
+// externalWorkspaceCreate extends `coder create` to create an external workspace.
+func (r *RootCmd) externalWorkspaceCreate() *serpent.Command {
+	opts := createOptions{
+		beforeCreate: func(ctx context.Context, client *codersdk.Client, _ codersdk.Template, templateVersionID uuid.UUID) error {
+			resources, err := client.TemplateVersionResources(ctx, templateVersionID)
+			if err != nil {
+				return xerrors.Errorf("get template version resources: %w", err)
+			}
+			if len(resources) == 0 {
+				return xerrors.Errorf("no resources found for template version %q", templateVersionID)
+			}
+
+			var hasExternalAgent bool
+			for _, resource := range resources {
+				if resource.Type == "coder_external_agent" {
+					hasExternalAgent = true
+					break
+				}
+			}
+
+			if !hasExternalAgent {
+				return xerrors.Errorf("template version %q does not have an external agent. Only templates with external agents can be used for external workspace creation", templateVersionID)
+			}
+
+			return nil
+		},
+		afterCreate: func(ctx context.Context, inv *serpent.Invocation, client *codersdk.Client, workspace codersdk.Workspace) error {
+			workspace, err := client.WorkspaceByOwnerAndName(ctx, codersdk.Me, workspace.Name, codersdk.WorkspaceOptions{})
+			if err != nil {
+				return xerrors.Errorf("get workspace by name: %w", err)
+			}
+
+			externalAgents, err := fetchExternalAgents(inv, client, workspace, workspace.LatestBuild.Resources)
+			if err != nil {
+				return xerrors.Errorf("fetch external agents: %w", err)
+			}
+
+			formatted := formatExternalAgent(workspace.Name, externalAgents)
+			_, err = fmt.Fprintln(inv.Stdout, formatted)
+			return err
+		},
+	}
+
+	cmd := r.create(opts)
+	cmd.Use = "create [workspace]"
+	cmd.Short = "Create a new external workspace"
+	cmd.Middleware = serpent.Chain(
+		cmd.Middleware,
+		serpent.RequireNArgs(1),
+	)
+
+	for i := range cmd.Options {
+		if cmd.Options[i].Flag == "template" {
+			cmd.Options[i].Required = true
+		}
+	}
+
+	return cmd
+}
+
+// externalWorkspaceAgentInstructions prints the instructions for an external agent.
+func (r *RootCmd) externalWorkspaceAgentInstructions() *serpent.Command {
+	client := new(codersdk.Client)
+	formatter := cliui.NewOutputFormatter(
+		cliui.ChangeFormatterData(cliui.TextFormat(), func(data any) (any, error) {
+			agent, ok := data.(externalAgent)
+			if !ok {
+				return "", xerrors.Errorf("expected externalAgent, got %T", data)
+			}
+
+			return formatExternalAgent(agent.WorkspaceName, []externalAgent{agent}), nil
+		}),
+		cliui.JSONFormat(),
+	)
+
+	cmd := &serpent.Command{
+		Use:        "agent-instructions [user/]workspace[.agent]",
+		Short:      "Get the instructions for an external agent",
+		Middleware: serpent.Chain(r.InitClient(client), serpent.RequireNArgs(1)),
+		Handler: func(inv *serpent.Invocation) error {
+			workspace, workspaceAgent, _, err := getWorkspaceAndAgent(inv.Context(), inv, client, false, inv.Args[0])
+			if err != nil {
+				return xerrors.Errorf("find workspace and agent: %w", err)
+			}
+
+			credentials, err := client.WorkspaceExternalAgentCredentials(inv.Context(), workspace.ID, workspaceAgent.Name)
+			if err != nil {
+				return xerrors.Errorf("get external agent token for agent %q: %w", workspaceAgent.Name, err)
+			}
+
+			agentInfo := externalAgent{
+				WorkspaceName: workspace.Name,
+				AgentName:     workspaceAgent.Name,
+				AuthType:      "token",
+				AuthToken:     credentials.AgentToken,
+				InitScript:    credentials.Command,
+			}
+
+			out, err := formatter.Format(inv.Context(), agentInfo)
+			if err != nil {
+				return err
+			}
+
+			_, err = fmt.Fprintln(inv.Stdout, out)
+			return err
+		},
+	}
+
+	formatter.AttachOptions(&cmd.Options)
+	return cmd
+}
+
+func (r *RootCmd) externalWorkspaceList() *serpent.Command {
+	var (
+		filter    cliui.WorkspaceFilter
+		formatter = cliui.NewOutputFormatter(
+			cliui.TableFormat(
+				[]workspaceListRow{},
+				[]string{
+					"workspace",
+					"template",
+					"status",
+					"healthy",
+					"last built",
+					"current version",
+					"outdated",
+				},
+			),
+			cliui.JSONFormat(),
+		)
+	)
+	client := new(codersdk.Client)
+	cmd := &serpent.Command{
+		Annotations: workspaceCommand,
+		Use:         "list",
+		Short:       "List external workspaces",
+		Aliases:     []string{"ls"},
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(0),
+			r.InitClient(client),
+		),
+		Handler: func(inv *serpent.Invocation) error {
+			baseFilter := filter.Filter()
+
+			if baseFilter.FilterQuery == "" {
+				baseFilter.FilterQuery = "has-external-agent:true"
+			} else {
+				baseFilter.FilterQuery += " has-external-agent:true"
+			}
+
+			res, err := queryConvertWorkspaces(inv.Context(), client, baseFilter, workspaceListRowFromWorkspace)
+			if err != nil {
+				return err
+			}
+
+			if len(res) == 0 && formatter.FormatID() != cliui.JSONFormat().ID() {
+				pretty.Fprintf(inv.Stderr, cliui.DefaultStyles.Prompt, "No workspaces found! Create one:\n")
+				_, _ = fmt.Fprintln(inv.Stderr)
+				_, _ = fmt.Fprintln(inv.Stderr, "  "+pretty.Sprint(cliui.DefaultStyles.Code, "coder external-workspaces create <name>"))
+				_, _ = fmt.Fprintln(inv.Stderr)
+				return nil
+			}
+
+			out, err := formatter.Format(inv.Context(), res)
+			if err != nil {
+				return err
+			}
+
+			_, err = fmt.Fprintln(inv.Stdout, out)
+			return err
+		},
+	}
+	filter.AttachOptions(&cmd.Options)
+	formatter.AttachOptions(&cmd.Options)
+	return cmd
+}
+
+// fetchExternalAgents fetches the external agents for a workspace.
+func fetchExternalAgents(inv *serpent.Invocation, client *codersdk.Client, workspace codersdk.Workspace, resources []codersdk.WorkspaceResource) ([]externalAgent, error) {
+	if len(resources) == 0 {
+		return nil, xerrors.Errorf("no resources found for workspace")
+	}
+
+	var externalAgents []externalAgent
+
+	for _, resource := range resources {
+		if resource.Type != "coder_external_agent" || len(resource.Agents) == 0 {
+			continue
+		}
+
+		agent := resource.Agents[0]
+		credentials, err := client.WorkspaceExternalAgentCredentials(inv.Context(), workspace.ID, agent.Name)
+		if err != nil {
+			return nil, xerrors.Errorf("get external agent token for agent %q: %w", agent.Name, err)
+		}
+
+		externalAgents = append(externalAgents, externalAgent{
+			AgentName:  agent.Name,
+			AuthType:   "token",
+			AuthToken:  credentials.AgentToken,
+			InitScript: credentials.Command,
+		})
+	}
+
+	return externalAgents, nil
+}
+
+// formatExternalAgent formats the instructions for an external agent.
+func formatExternalAgent(workspaceName string, externalAgents []externalAgent) string {
+	var output strings.Builder
+	_, _ = output.WriteString(fmt.Sprintf("\nPlease run the following commands to attach external agent to the workspace %s:\n\n", cliui.Keyword(workspaceName)))
+
+	for i, agent := range externalAgents {
+		if len(externalAgents) > 1 {
+			_, _ = output.WriteString(fmt.Sprintf("For agent %s:\n", cliui.Keyword(agent.AgentName)))
+		}
+
+		_, _ = output.WriteString(fmt.Sprintf("%s\n", pretty.Sprint(cliui.DefaultStyles.Code, fmt.Sprintf("export CODER_AGENT_TOKEN=%s", agent.AuthToken))))
+		_, _ = output.WriteString(fmt.Sprintf("%s\n", pretty.Sprint(cliui.DefaultStyles.Code, fmt.Sprintf("curl -fsSL %s | sh", agent.InitScript))))
+
+		if i < len(externalAgents)-1 {
+			_, _ = output.WriteString("\n")
+		}
+	}
+
+	return output.String()
+}
diff --git a/cli/externalworkspaces_test.go b/cli/externalworkspaces_test.go
new file mode 100644
index 0000000000000..cf89ec4c2cb0c
--- /dev/null
+++ b/cli/externalworkspaces_test.go
@@ -0,0 +1,468 @@
+package cli_test
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/provisioner/echo"
+	"github.com/coder/coder/v2/provisionersdk/proto"
+	"github.com/coder/coder/v2/pty/ptytest"
+	"github.com/coder/coder/v2/testutil"
+)
+
+// completeWithExternalAgent creates a template version with an external agent resource
+func completeWithExternalAgent() *echo.Responses {
+	return &echo.Responses{
+		Parse: echo.ParseComplete,
+		ProvisionPlan: []*proto.Response{
+			{
+				Type: &proto.Response_Plan{
+					Plan: &proto.PlanComplete{
+						Resources: []*proto.Resource{
+							{
+								Type: "coder_external_agent",
+								Name: "main",
+								Agents: []*proto.Agent{
+									{
+										Name:            "external-agent",
+										OperatingSystem: "linux",
+										Architecture:    "amd64",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		ProvisionApply: []*proto.Response{
+			{
+				Type: &proto.Response_Apply{
+					Apply: &proto.ApplyComplete{
+						Resources: []*proto.Resource{
+							{
+								Type: "coder_external_agent",
+								Name: "main",
+								Agents: []*proto.Agent{
+									{
+										Name:            "external-agent",
+										OperatingSystem: "linux",
+										Architecture:    "amd64",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+// completeWithRegularAgent creates a template version with a regular agent (no external agent)
+func completeWithRegularAgent() *echo.Responses {
+	return &echo.Responses{
+		Parse: echo.ParseComplete,
+		ProvisionPlan: []*proto.Response{
+			{
+				Type: &proto.Response_Plan{
+					Plan: &proto.PlanComplete{
+						Resources: []*proto.Resource{
+							{
+								Type: "compute",
+								Name: "main",
+								Agents: []*proto.Agent{
+									{
+										Name:            "regular-agent",
+										OperatingSystem: "linux",
+										Architecture:    "amd64",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		ProvisionApply: []*proto.Response{
+			{
+				Type: &proto.Response_Apply{
+					Apply: &proto.ApplyComplete{
+						Resources: []*proto.Resource{
+							{
+								Type: "compute",
+								Name: "main",
+								Agents: []*proto.Agent{
+									{
+										Name:            "regular-agent",
+										OperatingSystem: "linux",
+										Architecture:    "amd64",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestExternalWorkspaces(t *testing.T) {
+	t.Parallel()
+
+	t.Run("Create", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithExternalAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		args := []string{
+			"external-workspaces",
+			"create",
+			"my-external-workspace",
+			"--template", template.Name,
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t).Attach(inv)
+		go func() {
+			defer close(doneChan)
+			err := inv.Run()
+			assert.NoError(t, err)
+		}()
+
+		// Expect the workspace creation confirmation
+		pty.ExpectMatch("coder_external_agent.main")
+		pty.ExpectMatch("external-agent (linux, amd64)")
+		pty.ExpectMatch("Confirm create")
+		pty.WriteLine("yes")
+
+		// Expect the external agent instructions
+		pty.ExpectMatch("Please run the following commands to attach external agent")
+		pty.ExpectMatch("export CODER_AGENT_TOKEN=")
+		pty.ExpectMatch("curl -fsSL")
+
+		<-doneChan
+
+		// Verify the workspace was created
+		ws, err := member.WorkspaceByOwnerAndName(context.Background(), codersdk.Me, "my-external-workspace", codersdk.WorkspaceOptions{})
+		require.NoError(t, err)
+		assert.Equal(t, template.Name, ws.TemplateName)
+	})
+
+	t.Run("CreateWithoutTemplate", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+
+		args := []string{
+			"external-workspaces",
+			"create",
+			"my-external-workspace",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+
+		err := inv.Run()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "Missing values for the required flags: template")
+	})
+
+	t.Run("CreateWithRegularTemplate", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithRegularAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		args := []string{
+			"external-workspaces",
+			"create",
+			"my-external-workspace",
+			"--template", template.Name,
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+
+		err := inv.Run()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "does not have an external agent")
+	})
+
+	t.Run("List", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithExternalAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		// Create an external workspace
+		ws := coderdtest.CreateWorkspace(t, member, template.ID)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+		args := []string{
+			"external-workspaces",
+			"list",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+		pty := ptytest.New(t).Attach(inv)
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+		done := make(chan any)
+		go func() {
+			errC := inv.WithContext(ctx).Run()
+			assert.NoError(t, errC)
+			close(done)
+		}()
+		pty.ExpectMatch(ws.Name)
+		pty.ExpectMatch(template.Name)
+		cancelFunc()
+		<-done
+	})
+
+	t.Run("ListJSON", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithExternalAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		// Create an external workspace
+		ws := coderdtest.CreateWorkspace(t, member, template.ID)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+		args := []string{
+			"external-workspaces",
+			"list",
+			"--output=json",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+
+		out := bytes.NewBuffer(nil)
+		inv.Stdout = out
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		var workspaces []codersdk.Workspace
+		require.NoError(t, json.Unmarshal(out.Bytes(), &workspaces))
+		require.Len(t, workspaces, 1)
+		assert.Equal(t, ws.Name, workspaces[0].Name)
+	})
+
+	t.Run("ListNoWorkspaces", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+
+		args := []string{
+			"external-workspaces",
+			"list",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+		pty := ptytest.New(t).Attach(inv)
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+		done := make(chan any)
+		go func() {
+			errC := inv.WithContext(ctx).Run()
+			assert.NoError(t, errC)
+			close(done)
+		}()
+		pty.ExpectMatch("No workspaces found!")
+		pty.ExpectMatch("coder external-workspaces create")
+		cancelFunc()
+		<-done
+	})
+
+	t.Run("AgentInstructions", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithExternalAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		// Create an external workspace
+		ws := coderdtest.CreateWorkspace(t, member, template.ID)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+		args := []string{
+			"external-workspaces",
+			"agent-instructions",
+			ws.Name,
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+		pty := ptytest.New(t).Attach(inv)
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+		done := make(chan any)
+		go func() {
+			errC := inv.WithContext(ctx).Run()
+			assert.NoError(t, errC)
+			close(done)
+		}()
+		pty.ExpectMatch("Please run the following commands to attach external agent to the workspace")
+		pty.ExpectMatch("export CODER_AGENT_TOKEN=")
+		pty.ExpectMatch("curl -fsSL")
+		cancelFunc()
+		<-done
+	})
+
+	t.Run("AgentInstructionsJSON", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithExternalAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		// Create an external workspace
+		ws := coderdtest.CreateWorkspace(t, member, template.ID)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+		args := []string{
+			"external-workspaces",
+			"agent-instructions",
+			ws.Name,
+			"--output=json",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+
+		out := bytes.NewBuffer(nil)
+		inv.Stdout = out
+		err := inv.WithContext(ctx).Run()
+		require.NoError(t, err)
+
+		var agentInfo map[string]interface{}
+		require.NoError(t, json.Unmarshal(out.Bytes(), &agentInfo))
+		assert.Equal(t, "token", agentInfo["auth_type"])
+		assert.NotEmpty(t, agentInfo["auth_token"])
+		assert.NotEmpty(t, agentInfo["init_script"])
+	})
+
+	t.Run("AgentInstructionsNonExistentWorkspace", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+
+		args := []string{
+			"external-workspaces",
+			"agent-instructions",
+			"non-existent-workspace",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+
+		err := inv.Run()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "Resource not found")
+	})
+
+	t.Run("AgentInstructionsNonExistentAgent", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithExternalAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		// Create an external workspace
+		ws := coderdtest.CreateWorkspace(t, member, template.ID)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, ws.LatestBuild.ID)
+
+		args := []string{
+			"external-workspaces",
+			"agent-instructions",
+			ws.Name + ".non-existent-agent",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+
+		err := inv.Run()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "agent not found by name")
+	})
+
+	t.Run("CreateWithTemplateVersion", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, completeWithExternalAgent())
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
+
+		args := []string{
+			"external-workspaces",
+			"create",
+			"my-external-workspace",
+			"--template", template.Name,
+			"--template-version", version.Name,
+			"-y",
+		}
+		inv, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, member, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t).Attach(inv)
+		go func() {
+			defer close(doneChan)
+			err := inv.Run()
+			assert.NoError(t, err)
+		}()
+
+		// Expect the workspace creation confirmation
+		pty.ExpectMatch("coder_external_agent.main")
+		pty.ExpectMatch("external-agent (linux, amd64)")
+
+		// Expect the external agent instructions
+		pty.ExpectMatch("Please run the following commands to attach external agent")
+		pty.ExpectMatch("export CODER_AGENT_TOKEN=")
+		pty.ExpectMatch("curl -fsSL")
+
+		<-doneChan
+
+		// Verify the workspace was created
+		ws, err := member.WorkspaceByOwnerAndName(context.Background(), codersdk.Me, "my-external-workspace", codersdk.WorkspaceOptions{})
+		require.NoError(t, err)
+		assert.Equal(t, template.Name, ws.TemplateName)
+	})
+}
diff --git a/cli/root.go b/cli/root.go
index 54215a67401dd..94f0287981e81 100644
--- a/cli/root.go
+++ b/cli/root.go
@@ -108,7 +108,7 @@ func (r *RootCmd) CoreSubcommands() []*serpent.Command {
 		// Workspace Commands
 		r.autoupdate(),
 		r.configSSH(),
-		r.create(),
+		r.create(createOptions{}),
 		r.deleteWorkspace(),
 		r.favorite(),
 		r.list(),
@@ -126,6 +126,7 @@ func (r *RootCmd) CoreSubcommands() []*serpent.Command {
 		r.unfavorite(),
 		r.update(),
 		r.whoami(),
+		r.externalWorkspaces(),
 
 		// Hidden
 		r.connectCmd(),
diff --git a/cli/testdata/coder_--help.golden b/cli/testdata/coder_--help.golden
index 09dd4c3bce3a5..b92b090fd491d 100644
--- a/cli/testdata/coder_--help.golden
+++ b/cli/testdata/coder_--help.golden
@@ -14,54 +14,57 @@ USAGE:
        $ coder templates init
 
 SUBCOMMANDS:
-    autoupdate        Toggle auto-update policy for a workspace
-    completion        Install or update shell completion scripts for the
-                      detected or chosen shell.
-    config-ssh        Add an SSH Host entry for your workspaces "ssh
-                      workspace.coder"
-    create            Create a workspace
-    delete            Delete a workspace
-    dotfiles          Personalize your workspace by applying a canonical
-                      dotfiles repository
-    external-auth     Manage external authentication
-    favorite          Add a workspace to your favorites
-    list              List workspaces
-    login             Authenticate with Coder deployment
-    logout            Unauthenticate your local session
-    netcheck          Print network debug information for DERP and STUN
-    notifications     Manage Coder notifications
-    open              Open a workspace
-    organizations     Organization related commands
-    ping              Ping a workspace
-    port-forward      Forward ports from a workspace to the local machine. For
-                      reverse port forwarding, use "coder ssh -R".
-    provisioner       View and manage provisioner daemons and jobs
-    publickey         Output your Coder public key used for Git operations
-    rename            Rename a workspace
-    reset-password    Directly connect to the database to reset a user's
-                      password
-    restart           Restart a workspace
-    schedule          Schedule automated start and stop times for workspaces
-    server            Start a Coder server
-    show              Display details of a workspace's resources and agents
-    speedtest         Run upload and download tests from your machine to a
-                      workspace
-    ssh               Start a shell into a workspace or run a command
-    start             Start a workspace
-    stat              Show resource usage for the current workspace.
-    state             Manually manage Terraform state to fix broken workspaces
-    stop              Stop a workspace
-    support           Commands for troubleshooting issues with a Coder
-                      deployment.
-    templates         Manage templates
-    tokens            Manage personal access tokens
-    unfavorite        Remove a workspace from your favorites
-    update            Will update and start a given workspace if it is out of
-                      date. If the workspace is already running, it will be
-                      stopped first.
-    users             Manage users
-    version           Show coder version
-    whoami            Fetch authenticated user info for Coder deployment
+    autoupdate             Toggle auto-update policy for a workspace
+    completion             Install or update shell completion scripts for the
+                           detected or chosen shell.
+    config-ssh             Add an SSH Host entry for your workspaces "ssh
+                           workspace.coder"
+    create                 Create a workspace
+    delete                 Delete a workspace
+    dotfiles               Personalize your workspace by applying a canonical
+                           dotfiles repository
+    external-auth          Manage external authentication
+    external-workspaces    Create or manage external workspaces
+    favorite               Add a workspace to your favorites
+    list                   List workspaces
+    login                  Authenticate with Coder deployment
+    logout                 Unauthenticate your local session
+    netcheck               Print network debug information for DERP and STUN
+    notifications          Manage Coder notifications
+    open                   Open a workspace
+    organizations          Organization related commands
+    ping                   Ping a workspace
+    port-forward           Forward ports from a workspace to the local machine.
+                           For reverse port forwarding, use "coder ssh -R".
+    provisioner            View and manage provisioner daemons and jobs
+    publickey              Output your Coder public key used for Git operations
+    rename                 Rename a workspace
+    reset-password         Directly connect to the database to reset a user's
+                           password
+    restart                Restart a workspace
+    schedule               Schedule automated start and stop times for
+                           workspaces
+    server                 Start a Coder server
+    show                   Display details of a workspace's resources and agents
+    speedtest              Run upload and download tests from your machine to a
+                           workspace
+    ssh                    Start a shell into a workspace or run a command
+    start                  Start a workspace
+    stat                   Show resource usage for the current workspace.
+    state                  Manually manage Terraform state to fix broken
+                           workspaces
+    stop                   Stop a workspace
+    support                Commands for troubleshooting issues with a Coder
+                           deployment.
+    templates              Manage templates
+    tokens                 Manage personal access tokens
+    unfavorite             Remove a workspace from your favorites
+    update                 Will update and start a given workspace if it is out
+                           of date. If the workspace is already running, it will
+                           be stopped first.
+    users                  Manage users
+    version                Show coder version
+    whoami                 Fetch authenticated user info for Coder deployment
 
 GLOBAL OPTIONS: 
 Global options are applied to all commands. They can be set using environment
diff --git a/cli/testdata/coder_external-workspaces_--help.golden b/cli/testdata/coder_external-workspaces_--help.golden
new file mode 100644
index 0000000000000..d8b1ca8363f66
--- /dev/null
+++ b/cli/testdata/coder_external-workspaces_--help.golden
@@ -0,0 +1,18 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder external-workspaces [flags] [subcommand]
+
+  Create or manage external workspaces
+
+SUBCOMMANDS:
+    agent-instructions    Get the instructions for an external agent
+    create                Create a new external workspace
+    list                  List external workspaces
+
+OPTIONS:
+  -O, --org string, $CODER_ORGANIZATION
+          Select which organization (uuid or name) to use.
+
+———
+Run `coder --help` for a list of global options.
diff --git a/cli/testdata/coder_external-workspaces_agent-instructions_--help.golden b/cli/testdata/coder_external-workspaces_agent-instructions_--help.golden
new file mode 100644
index 0000000000000..150a21313ed8c
--- /dev/null
+++ b/cli/testdata/coder_external-workspaces_agent-instructions_--help.golden
@@ -0,0 +1,13 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder external-workspaces agent-instructions [flags] [user/]workspace[.agent]
+
+  Get the instructions for an external agent
+
+OPTIONS:
+  -o, --output text|json (default: text)
+          Output format.
+
+———
+Run `coder --help` for a list of global options.
diff --git a/cli/testdata/coder_external-workspaces_create_--help.golden b/cli/testdata/coder_external-workspaces_create_--help.golden
new file mode 100644
index 0000000000000..208d2cc2296d7
--- /dev/null
+++ b/cli/testdata/coder_external-workspaces_create_--help.golden
@@ -0,0 +1,56 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder external-workspaces create [flags] [workspace]
+
+  Create a new external workspace
+
+    - Create a workspace for another user (if you have permission):
+  
+       $ coder create <username>/<workspace_name>
+
+OPTIONS:
+  -O, --org string, $CODER_ORGANIZATION
+          Select which organization (uuid or name) to use.
+
+      --automatic-updates string, $CODER_WORKSPACE_AUTOMATIC_UPDATES (default: never)
+          Specify automatic updates setting for the workspace (accepts 'always'
+          or 'never').
+
+      --copy-parameters-from string, $CODER_WORKSPACE_COPY_PARAMETERS_FROM
+          Specify the source workspace name to copy parameters from.
+
+      --parameter string-array, $CODER_RICH_PARAMETER
+          Rich parameter value in the format "name=value".
+
+      --parameter-default string-array, $CODER_RICH_PARAMETER_DEFAULT
+          Rich parameter default values in the format "name=value".
+
+      --preset string, $CODER_PRESET_NAME
+          Specify the name of a template version preset. Use 'none' to
+          explicitly indicate that no preset should be used.
+
+      --rich-parameter-file string, $CODER_RICH_PARAMETER_FILE
+          Specify a file path with values for rich parameters defined in the
+          template. The file should be in YAML format, containing key-value
+          pairs for the parameters.
+
+      --start-at string, $CODER_WORKSPACE_START_AT
+          Specify the workspace autostart schedule. Check coder schedule start
+          --help for the syntax.
+
+      --stop-after duration, $CODER_WORKSPACE_STOP_AFTER
+          Specify a duration after which the workspace should shut down (e.g.
+          8h).
+
+  -t, --template string, $CODER_TEMPLATE_NAME
+          Specify a template name.
+
+      --template-version string, $CODER_TEMPLATE_VERSION
+          Specify a template version name.
+
+  -y, --yes bool
+          Bypass prompts.
+
+———
+Run `coder --help` for a list of global options.
diff --git a/cli/testdata/coder_external-workspaces_list_--help.golden b/cli/testdata/coder_external-workspaces_list_--help.golden
new file mode 100644
index 0000000000000..1210bea5aa186
--- /dev/null
+++ b/cli/testdata/coder_external-workspaces_list_--help.golden
@@ -0,0 +1,24 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder external-workspaces list [flags]
+
+  List external workspaces
+
+  Aliases: ls
+
+OPTIONS:
+  -a, --all bool
+          Specifies whether all workspaces will be listed or not.
+
+  -c, --column [favorite|workspace|organization id|organization name|template|status|healthy|last built|current version|outdated|starts at|starts next|stops after|stops next|daily cost] (default: workspace,template,status,healthy,last built,current version,outdated)
+          Columns to display in table output.
+
+  -o, --output table|json (default: table)
+          Output format.
+
+      --search string (default: owner:me)
+          Search for a workspace with a query.
+
+———
+Run `coder --help` for a list of global options.
diff --git a/cli/testdata/coder_list_--output_json.golden b/cli/testdata/coder_list_--output_json.golden
index ba560a39f59d7..82b73f7b24989 100644
--- a/cli/testdata/coder_list_--output_json.golden
+++ b/cli/testdata/coder_list_--output_json.golden
@@ -70,7 +70,8 @@
         "most_recently_seen": null
       },
       "template_version_preset_id": null,
-      "has_ai_task": false
+      "has_ai_task": false,
+      "has_external_agent": false
     },
     "latest_app_status": null,
     "outdated": false,
diff --git a/cli/testdata/coder_provisioner_list_--output_json.golden b/cli/testdata/coder_provisioner_list_--output_json.golden
index b92794ab07e18..ad26225c2ed10 100644
--- a/cli/testdata/coder_provisioner_list_--output_json.golden
+++ b/cli/testdata/coder_provisioner_list_--output_json.golden
@@ -7,7 +7,7 @@
     "last_seen_at": "====[timestamp]=====",
     "name": "test-daemon",
     "version": "v0.0.0-devel",
-    "api_version": "1.8",
+    "api_version": "1.9",
     "provisioners": [
       "echo"
     ],
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
index 0a8b2c07793c3..b11f357108c03 100644
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@@ -1280,6 +1280,39 @@ const docTemplate = `{
                 }
             }
         },
+        "/init-script/{os}/{arch}": {
+            "get": {
+                "produces": [
+                    "text/plain"
+                ],
+                "tags": [
+                    "InitScript"
+                ],
+                "summary": "Get agent init script",
+                "operationId": "get-agent-init-script",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Operating system",
+                        "name": "os",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Architecture",
+                        "name": "arch",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "Success"
+                    }
+                }
+            }
+        },
         "/insights/daus": {
             "get": {
                 "security": [
@@ -9835,7 +9868,7 @@ const docTemplate = `{
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Search query in the format ` + "`" + `key:value` + "`" + `. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task.",
+                        "description": "Search query in the format ` + "`" + `key:value` + "`" + `. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has-external-agent.",
                         "name": "q",
                         "in": "query"
                     },
@@ -10271,6 +10304,48 @@ const docTemplate = `{
                 }
             }
         },
+        "/workspaces/{workspace}/external-agent/{agent}/credentials": {
+            "get": {
+                "security": [
+                    {
+                        "CoderSessionToken": []
+                    }
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Agents"
+                ],
+                "summary": "Get workspace external agent credentials",
+                "operationId": "get-workspace-external-agent-credentials",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "format": "uuid",
+                        "description": "Workspace ID",
+                        "name": "workspace",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Agent name",
+                        "name": "agent",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/codersdk.ExternalAgentCredentials"
+                        }
+                    }
+                }
+            }
+        },
         "/workspaces/{workspace}/favorite": {
             "put": {
                 "security": [
@@ -12901,6 +12976,17 @@ const docTemplate = `{
                 "ExperimentWorkspaceSharing"
             ]
         },
+        "codersdk.ExternalAgentCredentials": {
+            "type": "object",
+            "properties": {
+                "agent_token": {
+                    "type": "string"
+                },
+                "command": {
+                    "type": "string"
+                }
+            }
+        },
         "codersdk.ExternalAuth": {
             "type": "object",
             "properties": {
@@ -18673,6 +18759,9 @@ const docTemplate = `{
                 "has_ai_task": {
                     "type": "boolean"
                 },
+                "has_external_agent": {
+                    "type": "boolean"
+                },
                 "id": {
                     "type": "string",
                     "format": "uuid"
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
index cd6537de0e210..461938a4510eb 100644
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@@ -1108,6 +1108,35 @@
 				}
 			}
 		},
+		"/init-script/{os}/{arch}": {
+			"get": {
+				"produces": ["text/plain"],
+				"tags": ["InitScript"],
+				"summary": "Get agent init script",
+				"operationId": "get-agent-init-script",
+				"parameters": [
+					{
+						"type": "string",
+						"description": "Operating system",
+						"name": "os",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Architecture",
+						"name": "arch",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "Success"
+					}
+				}
+			}
+		},
 		"/insights/daus": {
 			"get": {
 				"security": [
@@ -8693,7 +8722,7 @@
 				"parameters": [
 					{
 						"type": "string",
-						"description": "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task.",
+						"description": "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has-external-agent.",
 						"name": "q",
 						"in": "query"
 					},
@@ -9085,6 +9114,44 @@
 				}
 			}
 		},
+		"/workspaces/{workspace}/external-agent/{agent}/credentials": {
+			"get": {
+				"security": [
+					{
+						"CoderSessionToken": []
+					}
+				],
+				"produces": ["application/json"],
+				"tags": ["Agents"],
+				"summary": "Get workspace external agent credentials",
+				"operationId": "get-workspace-external-agent-credentials",
+				"parameters": [
+					{
+						"type": "string",
+						"format": "uuid",
+						"description": "Workspace ID",
+						"name": "workspace",
+						"in": "path",
+						"required": true
+					},
+					{
+						"type": "string",
+						"description": "Agent name",
+						"name": "agent",
+						"in": "path",
+						"required": true
+					}
+				],
+				"responses": {
+					"200": {
+						"description": "OK",
+						"schema": {
+							"$ref": "#/definitions/codersdk.ExternalAgentCredentials"
+						}
+					}
+				}
+			}
+		},
 		"/workspaces/{workspace}/favorite": {
 			"put": {
 				"security": [
@@ -11563,6 +11630,17 @@
 				"ExperimentWorkspaceSharing"
 			]
 		},
+		"codersdk.ExternalAgentCredentials": {
+			"type": "object",
+			"properties": {
+				"agent_token": {
+					"type": "string"
+				},
+				"command": {
+					"type": "string"
+				}
+			}
+		},
 		"codersdk.ExternalAuth": {
 			"type": "object",
 			"properties": {
@@ -17077,6 +17155,9 @@
 				"has_ai_task": {
 					"type": "boolean"
 				},
+				"has_external_agent": {
+					"type": "boolean"
+				},
 				"id": {
 					"type": "string",
 					"format": "uuid"
diff --git a/coderd/coderd.go b/coderd/coderd.go
index 78ae849fd1894..3cd76c8c79a17 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1421,6 +1421,9 @@ func New(options *Options) *API {
 					r.Post("/", api.postWorkspaceAgentPortShare)
 					r.Delete("/", api.deleteWorkspaceAgentPortShare)
 				})
+				r.Route("/external-agent", func(r chi.Router) {
+					r.Get("/{agent}/credentials", api.workspaceExternalAgentCredentials)
+				})
 				r.Get("/timings", api.workspaceTimings)
 				r.Route("/acl", func(r chi.Router) {
 					r.Use(
@@ -1557,6 +1560,9 @@ func New(options *Options) *API {
 			r.Use(apiKeyMiddleware)
 			r.Get("/", api.tailnetRPCConn)
 		})
+		r.Route("/init-script", func(r chi.Router) {
+			r.Get("/{os}/{arch}", api.initScript)
+		})
 	})
 
 	if options.SwaggerEndpoint {
diff --git a/coderd/coderdtest/swaggerparser.go b/coderd/coderdtest/swaggerparser.go
index 7cef0d8d9f9cb..b94473ee83bda 100644
--- a/coderd/coderdtest/swaggerparser.go
+++ b/coderd/coderdtest/swaggerparser.go
@@ -310,7 +310,8 @@ func assertSecurityDefined(t *testing.T, comment SwaggerComment) {
 		comment.router == "/" ||
 		comment.router == "/users/login" ||
 		comment.router == "/users/otp/request" ||
-		comment.router == "/users/otp/change-password" {
+		comment.router == "/users/otp/change-password" ||
+		comment.router == "/init-script/{os}/{arch}" {
 		return // endpoints do not require authorization
 	}
 	assert.Containsf(t, authorizedSecurityTags, comment.security, "@Security must be either of these options: %v", authorizedSecurityTags)
@@ -361,7 +362,8 @@ func assertProduce(t *testing.T, comment SwaggerComment) {
 			(comment.router == "/licenses/{id}" && comment.method == "delete") ||
 			(comment.router == "/debug/coordinator" && comment.method == "get") ||
 			(comment.router == "/debug/tailnet" && comment.method == "get") ||
-			(comment.router == "/workspaces/{workspace}/acl" && comment.method == "patch") {
+			(comment.router == "/workspaces/{workspace}/acl" && comment.method == "patch") ||
+			(comment.router == "/init-script/{os}/{arch}" && comment.method == "get") {
 			return // Exception: HTTP 200 is returned without response entity
 		}
 
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index d5cc334f5ff7f..4f68e510f19af 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -4691,9 +4691,9 @@ func (q *querier) UpdateTemplateScheduleByID(ctx context.Context, arg database.U
 	return update(q.log, q.auth, fetch, q.db.UpdateTemplateScheduleByID)(ctx, arg)
 }
 
-func (q *querier) UpdateTemplateVersionAITaskByJobID(ctx context.Context, arg database.UpdateTemplateVersionAITaskByJobIDParams) error {
-	// An actor is allowed to update the template version AI task flag if they are authorized to update the template.
-	tv, err := q.db.GetTemplateVersionByJobID(ctx, arg.JobID)
+func (q *querier) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) error {
+	// An actor is allowed to update the template version if they are authorized to update the template.
+	tv, err := q.db.GetTemplateVersionByID(ctx, arg.ID)
 	if err != nil {
 		return err
 	}
@@ -4710,12 +4710,12 @@ func (q *querier) UpdateTemplateVersionAITaskByJobID(ctx context.Context, arg da
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, obj); err != nil {
 		return err
 	}
-	return q.db.UpdateTemplateVersionAITaskByJobID(ctx, arg)
+	return q.db.UpdateTemplateVersionByID(ctx, arg)
 }
 
-func (q *querier) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) error {
-	// An actor is allowed to update the template version if they are authorized to update the template.
-	tv, err := q.db.GetTemplateVersionByID(ctx, arg.ID)
+func (q *querier) UpdateTemplateVersionDescriptionByJobID(ctx context.Context, arg database.UpdateTemplateVersionDescriptionByJobIDParams) error {
+	// An actor is allowed to update the template version description if they are authorized to update the template.
+	tv, err := q.db.GetTemplateVersionByJobID(ctx, arg.JobID)
 	if err != nil {
 		return err
 	}
@@ -4732,11 +4732,11 @@ func (q *querier) UpdateTemplateVersionByID(ctx context.Context, arg database.Up
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, obj); err != nil {
 		return err
 	}
-	return q.db.UpdateTemplateVersionByID(ctx, arg)
+	return q.db.UpdateTemplateVersionDescriptionByJobID(ctx, arg)
 }
 
-func (q *querier) UpdateTemplateVersionDescriptionByJobID(ctx context.Context, arg database.UpdateTemplateVersionDescriptionByJobIDParams) error {
-	// An actor is allowed to update the template version description if they are authorized to update the template.
+func (q *querier) UpdateTemplateVersionExternalAuthProvidersByJobID(ctx context.Context, arg database.UpdateTemplateVersionExternalAuthProvidersByJobIDParams) error {
+	// An actor is allowed to update the template version external auth providers if they are authorized to update the template.
 	tv, err := q.db.GetTemplateVersionByJobID(ctx, arg.JobID)
 	if err != nil {
 		return err
@@ -4754,11 +4754,11 @@ func (q *querier) UpdateTemplateVersionDescriptionByJobID(ctx context.Context, a
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, obj); err != nil {
 		return err
 	}
-	return q.db.UpdateTemplateVersionDescriptionByJobID(ctx, arg)
+	return q.db.UpdateTemplateVersionExternalAuthProvidersByJobID(ctx, arg)
 }
 
-func (q *querier) UpdateTemplateVersionExternalAuthProvidersByJobID(ctx context.Context, arg database.UpdateTemplateVersionExternalAuthProvidersByJobIDParams) error {
-	// An actor is allowed to update the template version external auth providers if they are authorized to update the template.
+func (q *querier) UpdateTemplateVersionFlagsByJobID(ctx context.Context, arg database.UpdateTemplateVersionFlagsByJobIDParams) error {
+	// An actor is allowed to update the template version ai task and external agent flag if they are authorized to update the template.
 	tv, err := q.db.GetTemplateVersionByJobID(ctx, arg.JobID)
 	if err != nil {
 		return err
@@ -4776,7 +4776,7 @@ func (q *querier) UpdateTemplateVersionExternalAuthProvidersByJobID(ctx context.
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, obj); err != nil {
 		return err
 	}
-	return q.db.UpdateTemplateVersionExternalAuthProvidersByJobID(ctx, arg)
+	return q.db.UpdateTemplateVersionFlagsByJobID(ctx, arg)
 }
 
 func (q *querier) UpdateTemplateWorkspacesLastUsedAt(ctx context.Context, arg database.UpdateTemplateWorkspacesLastUsedAtParams) error {
@@ -5094,7 +5094,15 @@ func (q *querier) UpdateWorkspaceAutostart(ctx context.Context, arg database.Upd
 	return update(q.log, q.auth, fetch, q.db.UpdateWorkspaceAutostart)(ctx, arg)
 }
 
-func (q *querier) UpdateWorkspaceBuildAITaskByID(ctx context.Context, arg database.UpdateWorkspaceBuildAITaskByIDParams) error {
+// UpdateWorkspaceBuildCostByID is used by the provisioning system to update the cost of a workspace build.
+func (q *querier) UpdateWorkspaceBuildCostByID(ctx context.Context, arg database.UpdateWorkspaceBuildCostByIDParams) error {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
+		return err
+	}
+	return q.db.UpdateWorkspaceBuildCostByID(ctx, arg)
+}
+
+func (q *querier) UpdateWorkspaceBuildDeadlineByID(ctx context.Context, arg database.UpdateWorkspaceBuildDeadlineByIDParams) error {
 	build, err := q.db.GetWorkspaceBuildByID(ctx, arg.ID)
 	if err != nil {
 		return err
@@ -5109,18 +5117,10 @@ func (q *querier) UpdateWorkspaceBuildAITaskByID(ctx context.Context, arg databa
 	if err != nil {
 		return err
 	}
-	return q.db.UpdateWorkspaceBuildAITaskByID(ctx, arg)
-}
-
-// UpdateWorkspaceBuildCostByID is used by the provisioning system to update the cost of a workspace build.
-func (q *querier) UpdateWorkspaceBuildCostByID(ctx context.Context, arg database.UpdateWorkspaceBuildCostByIDParams) error {
-	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
-		return err
-	}
-	return q.db.UpdateWorkspaceBuildCostByID(ctx, arg)
+	return q.db.UpdateWorkspaceBuildDeadlineByID(ctx, arg)
 }
 
-func (q *querier) UpdateWorkspaceBuildDeadlineByID(ctx context.Context, arg database.UpdateWorkspaceBuildDeadlineByIDParams) error {
+func (q *querier) UpdateWorkspaceBuildFlagsByID(ctx context.Context, arg database.UpdateWorkspaceBuildFlagsByIDParams) error {
 	build, err := q.db.GetWorkspaceBuildByID(ctx, arg.ID)
 	if err != nil {
 		return err
@@ -5135,7 +5135,7 @@ func (q *querier) UpdateWorkspaceBuildDeadlineByID(ctx context.Context, arg data
 	if err != nil {
 		return err
 	}
-	return q.db.UpdateWorkspaceBuildDeadlineByID(ctx, arg)
+	return q.db.UpdateWorkspaceBuildFlagsByID(ctx, arg)
 }
 
 func (q *querier) UpdateWorkspaceBuildProvisionerStateByID(ctx context.Context, arg database.UpdateWorkspaceBuildProvisionerStateByIDParams) error {
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
index 82b7b47c892b2..1f51ec8c804e1 100644
--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -1521,7 +1521,7 @@ func (s *MethodTestSuite) TestTemplate() {
 			ID: t1.ID,
 		}).Asserts(t1, policy.ActionUpdate)
 	}))
-	s.Run("UpdateTemplateVersionAITaskByJobID", s.Subtest(func(db database.Store, check *expects) {
+	s.Run("UpdateTemplateVersionFlagsByJobID", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
 		o := dbgen.Organization(s.T(), db, database.Organization{})
 		u := dbgen.User(s.T(), db, database.User{})
@@ -1534,9 +1534,10 @@ func (s *MethodTestSuite) TestTemplate() {
 			JobID:          job.ID,
 			TemplateID:     uuid.NullUUID{UUID: t.ID, Valid: true},
 		})
-		check.Args(database.UpdateTemplateVersionAITaskByJobIDParams{
-			JobID:     job.ID,
-			HasAITask: sql.NullBool{Bool: true, Valid: true},
+		check.Args(database.UpdateTemplateVersionFlagsByJobIDParams{
+			JobID:            job.ID,
+			HasAITask:        sql.NullBool{Bool: true, Valid: true},
+			HasExternalAgent: sql.NullBool{Bool: true, Valid: true},
 		}).Asserts(t, policy.ActionUpdate)
 	}))
 	s.Run("UpdateTemplateWorkspacesLastUsedAt", s.Subtest(func(db database.Store, check *expects) {
@@ -3227,7 +3228,7 @@ func (s *MethodTestSuite) TestWorkspace() {
 			Deadline:  b.Deadline,
 		}).Asserts(w, policy.ActionUpdate)
 	}))
-	s.Run("UpdateWorkspaceBuildAITaskByID", s.Subtest(func(db database.Store, check *expects) {
+	s.Run("UpdateWorkspaceBuildFlagsByID", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
 		o := dbgen.Organization(s.T(), db, database.Organization{})
 		tpl := dbgen.Template(s.T(), db, database.Template{
@@ -3255,10 +3256,12 @@ func (s *MethodTestSuite) TestWorkspace() {
 		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: b.JobID})
 		agt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
 		app := dbgen.WorkspaceApp(s.T(), db, database.WorkspaceApp{AgentID: agt.ID})
-		check.Args(database.UpdateWorkspaceBuildAITaskByIDParams{
-			HasAITask:    sql.NullBool{Bool: true, Valid: true},
-			SidebarAppID: uuid.NullUUID{UUID: app.ID, Valid: true},
-			ID:           b.ID,
+		check.Args(database.UpdateWorkspaceBuildFlagsByIDParams{
+			ID:               b.ID,
+			HasAITask:        sql.NullBool{Bool: true, Valid: true},
+			HasExternalAgent: sql.NullBool{Bool: true, Valid: true},
+			SidebarAppID:     uuid.NullUUID{UUID: app.ID, Valid: true},
+			UpdatedAt:        b.UpdatedAt,
 		}).Asserts(w, policy.ActionUpdate)
 	}))
 	s.Run("SoftDeleteWorkspaceByID", s.Subtest(func(db database.Store, check *expects) {
diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
index 11e02d0f651e9..e776c3d9c388f 100644
--- a/coderd/database/dbgen/dbgen.go
+++ b/coderd/database/dbgen/dbgen.go
@@ -437,6 +437,7 @@ func WorkspaceBuild(t testing.TB, db database.Store, orig database.WorkspaceBuil
 	jobID := takeFirst(orig.JobID, uuid.New())
 	hasAITask := takeFirst(orig.HasAITask, sql.NullBool{})
 	sidebarAppID := takeFirst(orig.AITaskSidebarAppID, uuid.NullUUID{})
+	hasExternalAgent := takeFirst(orig.HasExternalAgent, sql.NullBool{})
 	var build database.WorkspaceBuild
 	err := db.InTx(func(db database.Store) error {
 		err := db.InsertWorkspaceBuild(genCtx, database.InsertWorkspaceBuildParams{
@@ -470,12 +471,13 @@ func WorkspaceBuild(t testing.TB, db database.Store, orig database.WorkspaceBuil
 			require.NoError(t, err)
 		}
 
-		if hasAITask.Valid {
-			require.NoError(t, db.UpdateWorkspaceBuildAITaskByID(genCtx, database.UpdateWorkspaceBuildAITaskByIDParams{
-				HasAITask:    hasAITask,
-				SidebarAppID: sidebarAppID,
-				UpdatedAt:    dbtime.Now(),
-				ID:           buildID,
+		if hasAITask.Valid || hasExternalAgent.Valid {
+			require.NoError(t, db.UpdateWorkspaceBuildFlagsByID(genCtx, database.UpdateWorkspaceBuildFlagsByIDParams{
+				ID:               buildID,
+				HasAITask:        hasAITask,
+				HasExternalAgent: hasExternalAgent,
+				SidebarAppID:     sidebarAppID,
+				UpdatedAt:        dbtime.Now(),
 			}))
 		}
 
@@ -1028,6 +1030,7 @@ func ExternalAuthLink(t testing.TB, db database.Store, orig database.ExternalAut
 func TemplateVersion(t testing.TB, db database.Store, orig database.TemplateVersion) database.TemplateVersion {
 	var version database.TemplateVersion
 	hasAITask := takeFirst(orig.HasAITask, sql.NullBool{})
+	hasExternalAgent := takeFirst(orig.HasExternalAgent, sql.NullBool{})
 	jobID := takeFirst(orig.JobID, uuid.New())
 	err := db.InTx(func(db database.Store) error {
 		versionID := takeFirst(orig.ID, uuid.New())
@@ -1048,11 +1051,12 @@ func TemplateVersion(t testing.TB, db database.Store, orig database.TemplateVers
 			return err
 		}
 
-		if hasAITask.Valid {
-			require.NoError(t, db.UpdateTemplateVersionAITaskByJobID(genCtx, database.UpdateTemplateVersionAITaskByJobIDParams{
-				JobID:     jobID,
-				HasAITask: hasAITask,
-				UpdatedAt: dbtime.Now(),
+		if hasAITask.Valid || hasExternalAgent.Valid {
+			require.NoError(t, db.UpdateTemplateVersionFlagsByJobID(genCtx, database.UpdateTemplateVersionFlagsByJobIDParams{
+				JobID:            jobID,
+				HasAITask:        hasAITask,
+				HasExternalAgent: hasExternalAgent,
+				UpdatedAt:        dbtime.Now(),
 			}))
 		}
 
diff --git a/coderd/database/dbmetrics/querymetrics.go b/coderd/database/dbmetrics/querymetrics.go
index e0606f9e40665..65ec7e864a9e2 100644
--- a/coderd/database/dbmetrics/querymetrics.go
+++ b/coderd/database/dbmetrics/querymetrics.go
@@ -2903,13 +2903,6 @@ func (m queryMetricsStore) UpdateTemplateScheduleByID(ctx context.Context, arg d
 	return err
 }
 
-func (m queryMetricsStore) UpdateTemplateVersionAITaskByJobID(ctx context.Context, arg database.UpdateTemplateVersionAITaskByJobIDParams) error {
-	start := time.Now()
-	r0 := m.s.UpdateTemplateVersionAITaskByJobID(ctx, arg)
-	m.queryLatencies.WithLabelValues("UpdateTemplateVersionAITaskByJobID").Observe(time.Since(start).Seconds())
-	return r0
-}
-
 func (m queryMetricsStore) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) error {
 	start := time.Now()
 	err := m.s.UpdateTemplateVersionByID(ctx, arg)
@@ -2931,6 +2924,13 @@ func (m queryMetricsStore) UpdateTemplateVersionExternalAuthProvidersByJobID(ctx
 	return err
 }
 
+func (m queryMetricsStore) UpdateTemplateVersionFlagsByJobID(ctx context.Context, arg database.UpdateTemplateVersionFlagsByJobIDParams) error {
+	start := time.Now()
+	r0 := m.s.UpdateTemplateVersionFlagsByJobID(ctx, arg)
+	m.queryLatencies.WithLabelValues("UpdateTemplateVersionFlagsByJobID").Observe(time.Since(start).Seconds())
+	return r0
+}
+
 func (m queryMetricsStore) UpdateTemplateWorkspacesLastUsedAt(ctx context.Context, arg database.UpdateTemplateWorkspacesLastUsedAtParams) error {
 	start := time.Now()
 	r0 := m.s.UpdateTemplateWorkspacesLastUsedAt(ctx, arg)
@@ -3127,13 +3127,6 @@ func (m queryMetricsStore) UpdateWorkspaceAutostart(ctx context.Context, arg dat
 	return err
 }
 
-func (m queryMetricsStore) UpdateWorkspaceBuildAITaskByID(ctx context.Context, arg database.UpdateWorkspaceBuildAITaskByIDParams) error {
-	start := time.Now()
-	r0 := m.s.UpdateWorkspaceBuildAITaskByID(ctx, arg)
-	m.queryLatencies.WithLabelValues("UpdateWorkspaceBuildAITaskByID").Observe(time.Since(start).Seconds())
-	return r0
-}
-
 func (m queryMetricsStore) UpdateWorkspaceBuildCostByID(ctx context.Context, arg database.UpdateWorkspaceBuildCostByIDParams) error {
 	start := time.Now()
 	err := m.s.UpdateWorkspaceBuildCostByID(ctx, arg)
@@ -3148,6 +3141,13 @@ func (m queryMetricsStore) UpdateWorkspaceBuildDeadlineByID(ctx context.Context,
 	return r0
 }
 
+func (m queryMetricsStore) UpdateWorkspaceBuildFlagsByID(ctx context.Context, arg database.UpdateWorkspaceBuildFlagsByIDParams) error {
+	start := time.Now()
+	r0 := m.s.UpdateWorkspaceBuildFlagsByID(ctx, arg)
+	m.queryLatencies.WithLabelValues("UpdateWorkspaceBuildFlagsByID").Observe(time.Since(start).Seconds())
+	return r0
+}
+
 func (m queryMetricsStore) UpdateWorkspaceBuildProvisionerStateByID(ctx context.Context, arg database.UpdateWorkspaceBuildProvisionerStateByIDParams) error {
 	start := time.Now()
 	r0 := m.s.UpdateWorkspaceBuildProvisionerStateByID(ctx, arg)
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
index 22807f0e3569d..64a2cf75fd5f2 100644
--- a/coderd/database/dbmock/dbmock.go
+++ b/coderd/database/dbmock/dbmock.go
@@ -6200,20 +6200,6 @@ func (mr *MockStoreMockRecorder) UpdateTemplateScheduleByID(ctx, arg any) *gomoc
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateTemplateScheduleByID", reflect.TypeOf((*MockStore)(nil).UpdateTemplateScheduleByID), ctx, arg)
 }
 
-// UpdateTemplateVersionAITaskByJobID mocks base method.
-func (m *MockStore) UpdateTemplateVersionAITaskByJobID(ctx context.Context, arg database.UpdateTemplateVersionAITaskByJobIDParams) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateTemplateVersionAITaskByJobID", ctx, arg)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateTemplateVersionAITaskByJobID indicates an expected call of UpdateTemplateVersionAITaskByJobID.
-func (mr *MockStoreMockRecorder) UpdateTemplateVersionAITaskByJobID(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateTemplateVersionAITaskByJobID", reflect.TypeOf((*MockStore)(nil).UpdateTemplateVersionAITaskByJobID), ctx, arg)
-}
-
 // UpdateTemplateVersionByID mocks base method.
 func (m *MockStore) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) error {
 	m.ctrl.T.Helper()
@@ -6256,6 +6242,20 @@ func (mr *MockStoreMockRecorder) UpdateTemplateVersionExternalAuthProvidersByJob
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateTemplateVersionExternalAuthProvidersByJobID", reflect.TypeOf((*MockStore)(nil).UpdateTemplateVersionExternalAuthProvidersByJobID), ctx, arg)
 }
 
+// UpdateTemplateVersionFlagsByJobID mocks base method.
+func (m *MockStore) UpdateTemplateVersionFlagsByJobID(ctx context.Context, arg database.UpdateTemplateVersionFlagsByJobIDParams) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateTemplateVersionFlagsByJobID", ctx, arg)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateTemplateVersionFlagsByJobID indicates an expected call of UpdateTemplateVersionFlagsByJobID.
+func (mr *MockStoreMockRecorder) UpdateTemplateVersionFlagsByJobID(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateTemplateVersionFlagsByJobID", reflect.TypeOf((*MockStore)(nil).UpdateTemplateVersionFlagsByJobID), ctx, arg)
+}
+
 // UpdateTemplateWorkspacesLastUsedAt mocks base method.
 func (m *MockStore) UpdateTemplateWorkspacesLastUsedAt(ctx context.Context, arg database.UpdateTemplateWorkspacesLastUsedAtParams) error {
 	m.ctrl.T.Helper()
@@ -6661,20 +6661,6 @@ func (mr *MockStoreMockRecorder) UpdateWorkspaceAutostart(ctx, arg any) *gomock.
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceAutostart", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceAutostart), ctx, arg)
 }
 
-// UpdateWorkspaceBuildAITaskByID mocks base method.
-func (m *MockStore) UpdateWorkspaceBuildAITaskByID(ctx context.Context, arg database.UpdateWorkspaceBuildAITaskByIDParams) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateWorkspaceBuildAITaskByID", ctx, arg)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// UpdateWorkspaceBuildAITaskByID indicates an expected call of UpdateWorkspaceBuildAITaskByID.
-func (mr *MockStoreMockRecorder) UpdateWorkspaceBuildAITaskByID(ctx, arg any) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceBuildAITaskByID", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceBuildAITaskByID), ctx, arg)
-}
-
 // UpdateWorkspaceBuildCostByID mocks base method.
 func (m *MockStore) UpdateWorkspaceBuildCostByID(ctx context.Context, arg database.UpdateWorkspaceBuildCostByIDParams) error {
 	m.ctrl.T.Helper()
@@ -6703,6 +6689,20 @@ func (mr *MockStoreMockRecorder) UpdateWorkspaceBuildDeadlineByID(ctx, arg any)
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceBuildDeadlineByID", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceBuildDeadlineByID), ctx, arg)
 }
 
+// UpdateWorkspaceBuildFlagsByID mocks base method.
+func (m *MockStore) UpdateWorkspaceBuildFlagsByID(ctx context.Context, arg database.UpdateWorkspaceBuildFlagsByIDParams) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UpdateWorkspaceBuildFlagsByID", ctx, arg)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UpdateWorkspaceBuildFlagsByID indicates an expected call of UpdateWorkspaceBuildFlagsByID.
+func (mr *MockStoreMockRecorder) UpdateWorkspaceBuildFlagsByID(ctx, arg any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateWorkspaceBuildFlagsByID", reflect.TypeOf((*MockStore)(nil).UpdateWorkspaceBuildFlagsByID), ctx, arg)
+}
+
 // UpdateWorkspaceBuildProvisionerStateByID mocks base method.
 func (m *MockStore) UpdateWorkspaceBuildProvisionerStateByID(ctx context.Context, arg database.UpdateWorkspaceBuildProvisionerStateByIDParams) error {
 	m.ctrl.T.Helper()
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
index 7bea770248310..76e6cb2a0f0ed 100644
--- a/coderd/database/dump.sql
+++ b/coderd/database/dump.sql
@@ -1688,7 +1688,8 @@ CREATE TABLE template_versions (
     message character varying(1048576) DEFAULT ''::character varying NOT NULL,
     archived boolean DEFAULT false NOT NULL,
     source_example_id text,
-    has_ai_task boolean
+    has_ai_task boolean,
+    has_external_agent boolean
 );
 
 COMMENT ON COLUMN template_versions.external_auth_providers IS 'IDs of External auth providers for a specific template version';
@@ -1719,6 +1720,7 @@ CREATE VIEW template_version_with_user AS
     template_versions.archived,
     template_versions.source_example_id,
     template_versions.has_ai_task,
+    template_versions.has_external_agent,
     COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
     COALESCE(visible_users.username, ''::text) AS created_by_username,
     COALESCE(visible_users.name, ''::text) AS created_by_name
@@ -2236,6 +2238,7 @@ CREATE TABLE workspace_builds (
     template_version_preset_id uuid,
     has_ai_task boolean,
     ai_task_sidebar_app_id uuid,
+    has_external_agent boolean,
     CONSTRAINT workspace_builds_ai_task_sidebar_app_id_required CHECK (((((has_ai_task IS NULL) OR (has_ai_task = false)) AND (ai_task_sidebar_app_id IS NULL)) OR ((has_ai_task = true) AND (ai_task_sidebar_app_id IS NOT NULL)))),
     CONSTRAINT workspace_builds_deadline_below_max_deadline CHECK ((((deadline <> '0001-01-01 00:00:00+00'::timestamp with time zone) AND (deadline <= max_deadline)) OR (max_deadline = '0001-01-01 00:00:00+00'::timestamp with time zone)))
 );
@@ -2258,6 +2261,7 @@ CREATE VIEW workspace_build_with_user AS
     workspace_builds.template_version_preset_id,
     workspace_builds.has_ai_task,
     workspace_builds.ai_task_sidebar_app_id,
+    workspace_builds.has_external_agent,
     COALESCE(visible_users.avatar_url, ''::text) AS initiator_by_avatar_url,
     COALESCE(visible_users.username, ''::text) AS initiator_by_username,
     COALESCE(visible_users.name, ''::text) AS initiator_by_name
diff --git a/coderd/database/migrations/000358_external_agents.down.sql b/coderd/database/migrations/000358_external_agents.down.sql
new file mode 100644
index 0000000000000..a17d0cc7982a6
--- /dev/null
+++ b/coderd/database/migrations/000358_external_agents.down.sql
@@ -0,0 +1,77 @@
+DROP VIEW template_version_with_user;
+DROP VIEW workspace_build_with_user;
+
+ALTER TABLE template_versions DROP COLUMN has_external_agent;
+ALTER TABLE workspace_builds DROP COLUMN has_external_agent;
+
+-- Recreate `template_version_with_user` as defined in dump.sql
+CREATE VIEW template_version_with_user AS
+SELECT
+    template_versions.id,
+    template_versions.template_id,
+    template_versions.organization_id,
+    template_versions.created_at,
+    template_versions.updated_at,
+    template_versions.name,
+    template_versions.readme,
+    template_versions.job_id,
+    template_versions.created_by,
+    template_versions.external_auth_providers,
+    template_versions.message,
+    template_versions.archived,
+    template_versions.source_example_id,
+	template_versions.has_ai_task,
+    COALESCE(visible_users.avatar_url, '' :: text) AS created_by_avatar_url,
+    COALESCE(visible_users.username, '' :: text) AS created_by_username,
+    COALESCE(visible_users.name, '' :: text) AS created_by_name
+FROM
+    (
+        template_versions
+        LEFT JOIN visible_users ON (
+            (template_versions.created_by = visible_users.id)
+        )
+    );
+
+COMMENT ON VIEW template_version_with_user IS 'Joins in the username + avatar url of the created by user.';
+
+-- Recreate `workspace_build_with_user` as defined in dump.sql
+CREATE VIEW workspace_build_with_user AS
+SELECT
+    workspace_builds.id,
+    workspace_builds.created_at,
+    workspace_builds.updated_at,
+    workspace_builds.workspace_id,
+    workspace_builds.template_version_id,
+    workspace_builds.build_number,
+    workspace_builds.transition,
+    workspace_builds.initiator_id,
+    workspace_builds.provisioner_state,
+    workspace_builds.job_id,
+    workspace_builds.deadline,
+    workspace_builds.reason,
+    workspace_builds.daily_cost,
+    workspace_builds.max_deadline,
+    workspace_builds.template_version_preset_id,
+    workspace_builds.has_ai_task,
+    workspace_builds.ai_task_sidebar_app_id,
+    COALESCE(
+        visible_users.avatar_url,
+        '' :: text
+    ) AS initiator_by_avatar_url,
+    COALESCE(
+        visible_users.username,
+        '' :: text
+    ) AS initiator_by_username,
+    COALESCE(visible_users.name, '' :: text) AS initiator_by_name
+FROM
+    (
+        workspace_builds
+        LEFT JOIN visible_users ON (
+            (
+                workspace_builds.initiator_id = visible_users.id
+            )
+        )
+    );
+
+COMMENT ON VIEW workspace_build_with_user IS 'Joins in the username + avatar url of the initiated by user.';
+
diff --git a/coderd/database/migrations/000358_external_agents.up.sql b/coderd/database/migrations/000358_external_agents.up.sql
new file mode 100644
index 0000000000000..00b7d865dfd30
--- /dev/null
+++ b/coderd/database/migrations/000358_external_agents.up.sql
@@ -0,0 +1,89 @@
+-- Determines if a coder_external_agent resource is defined in a template version.
+ALTER TABLE
+    template_versions
+ADD
+    COLUMN has_external_agent BOOLEAN;
+
+DROP VIEW template_version_with_user;
+
+-- We're adding the external_agents column.
+CREATE VIEW template_version_with_user AS
+SELECT
+    template_versions.id,
+    template_versions.template_id,
+    template_versions.organization_id,
+    template_versions.created_at,
+    template_versions.updated_at,
+    template_versions.name,
+    template_versions.readme,
+    template_versions.job_id,
+    template_versions.created_by,
+    template_versions.external_auth_providers,
+    template_versions.message,
+    template_versions.archived,
+    template_versions.source_example_id,
+    template_versions.has_ai_task,
+    template_versions.has_external_agent,
+    COALESCE(visible_users.avatar_url, '' :: text) AS created_by_avatar_url,
+    COALESCE(visible_users.username, '' :: text) AS created_by_username,
+    COALESCE(visible_users.name, '' :: text) AS created_by_name
+FROM
+    (
+        template_versions
+        LEFT JOIN visible_users ON (
+            (template_versions.created_by = visible_users.id)
+        )
+    );
+
+COMMENT ON VIEW template_version_with_user IS 'Joins in the username + avatar url of the created by user.';
+
+-- Determines if a coder_external_agent resource was included in a
+-- workspace build.
+ALTER TABLE
+    workspace_builds
+ADD
+    COLUMN has_external_agent BOOLEAN;
+
+DROP VIEW workspace_build_with_user;
+
+-- We're adding the has_external_agent column.
+CREATE VIEW workspace_build_with_user AS
+SELECT
+    workspace_builds.id,
+    workspace_builds.created_at,
+    workspace_builds.updated_at,
+    workspace_builds.workspace_id,
+    workspace_builds.template_version_id,
+    workspace_builds.build_number,
+    workspace_builds.transition,
+    workspace_builds.initiator_id,
+    workspace_builds.provisioner_state,
+    workspace_builds.job_id,
+    workspace_builds.deadline,
+    workspace_builds.reason,
+    workspace_builds.daily_cost,
+    workspace_builds.max_deadline,
+    workspace_builds.template_version_preset_id,
+    workspace_builds.has_ai_task,
+    workspace_builds.ai_task_sidebar_app_id,
+    workspace_builds.has_external_agent,
+    COALESCE(
+        visible_users.avatar_url,
+        '' :: text
+    ) AS initiator_by_avatar_url,
+    COALESCE(
+        visible_users.username,
+        '' :: text
+    ) AS initiator_by_username,
+    COALESCE(visible_users.name, '' :: text) AS initiator_by_name
+FROM
+    (
+        workspace_builds
+        LEFT JOIN visible_users ON (
+            (
+                workspace_builds.initiator_id = visible_users.id
+            )
+        )
+    );
+
+COMMENT ON VIEW workspace_build_with_user IS 'Joins in the username + avatar url of the initiated by user.';
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
index dceddd2e8c3da..69bea8d81adab 100644
--- a/coderd/database/modelqueries.go
+++ b/coderd/database/modelqueries.go
@@ -84,6 +84,7 @@ func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplate
 		arg.HasAITask,
 		arg.AuthorID,
 		arg.AuthorUsername,
+		arg.HasExternalAgent,
 	)
 	if err != nil {
 		return nil, err
@@ -271,6 +272,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 		arg.LastUsedAfter,
 		arg.UsingActive,
 		arg.HasAITask,
+		arg.HasExternalAgent,
 		arg.RequesterID,
 		arg.Offset,
 		arg.Limit,
@@ -321,6 +323,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 			&i.LatestBuildTransition,
 			&i.LatestBuildStatus,
 			&i.LatestBuildHasAITask,
+			&i.LatestBuildHasExternalAgent,
 			&i.Count,
 		); err != nil {
 			return nil, err
diff --git a/coderd/database/models.go b/coderd/database/models.go
index 75d2b941dab3c..7173cfcf03cda 100644
--- a/coderd/database/models.go
+++ b/coderd/database/models.go
@@ -3632,6 +3632,7 @@ type TemplateVersion struct {
 	Archived              bool            `db:"archived" json:"archived"`
 	SourceExampleID       sql.NullString  `db:"source_example_id" json:"source_example_id"`
 	HasAITask             sql.NullBool    `db:"has_ai_task" json:"has_ai_task"`
+	HasExternalAgent      sql.NullBool    `db:"has_external_agent" json:"has_external_agent"`
 	CreatedByAvatarURL    string          `db:"created_by_avatar_url" json:"created_by_avatar_url"`
 	CreatedByUsername     string          `db:"created_by_username" json:"created_by_username"`
 	CreatedByName         string          `db:"created_by_name" json:"created_by_name"`
@@ -3718,10 +3719,11 @@ type TemplateVersionTable struct {
 	// IDs of External auth providers for a specific template version
 	ExternalAuthProviders json.RawMessage `db:"external_auth_providers" json:"external_auth_providers"`
 	// Message describing the changes in this version of the template, similar to a Git commit message. Like a commit message, this should be a short, high-level description of the changes in this version of the template. This message is immutable and should not be updated after the fact.
-	Message         string         `db:"message" json:"message"`
-	Archived        bool           `db:"archived" json:"archived"`
-	SourceExampleID sql.NullString `db:"source_example_id" json:"source_example_id"`
-	HasAITask       sql.NullBool   `db:"has_ai_task" json:"has_ai_task"`
+	Message          string         `db:"message" json:"message"`
+	Archived         bool           `db:"archived" json:"archived"`
+	SourceExampleID  sql.NullString `db:"source_example_id" json:"source_example_id"`
+	HasAITask        sql.NullBool   `db:"has_ai_task" json:"has_ai_task"`
+	HasExternalAgent sql.NullBool   `db:"has_external_agent" json:"has_external_agent"`
 }
 
 type TemplateVersionTerraformValue struct {
@@ -4154,6 +4156,7 @@ type WorkspaceBuild struct {
 	TemplateVersionPresetID uuid.NullUUID       `db:"template_version_preset_id" json:"template_version_preset_id"`
 	HasAITask               sql.NullBool        `db:"has_ai_task" json:"has_ai_task"`
 	AITaskSidebarAppID      uuid.NullUUID       `db:"ai_task_sidebar_app_id" json:"ai_task_sidebar_app_id"`
+	HasExternalAgent        sql.NullBool        `db:"has_external_agent" json:"has_external_agent"`
 	InitiatorByAvatarUrl    string              `db:"initiator_by_avatar_url" json:"initiator_by_avatar_url"`
 	InitiatorByUsername     string              `db:"initiator_by_username" json:"initiator_by_username"`
 	InitiatorByName         string              `db:"initiator_by_name" json:"initiator_by_name"`
@@ -4185,6 +4188,7 @@ type WorkspaceBuildTable struct {
 	TemplateVersionPresetID uuid.NullUUID       `db:"template_version_preset_id" json:"template_version_preset_id"`
 	HasAITask               sql.NullBool        `db:"has_ai_task" json:"has_ai_task"`
 	AITaskSidebarAppID      uuid.NullUUID       `db:"ai_task_sidebar_app_id" json:"ai_task_sidebar_app_id"`
+	HasExternalAgent        sql.NullBool        `db:"has_external_agent" json:"has_external_agent"`
 }
 
 type WorkspaceLatestBuild struct {
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
index a0f265e9658ce..536e70c130d94 100644
--- a/coderd/database/querier.go
+++ b/coderd/database/querier.go
@@ -609,10 +609,10 @@ type sqlcQuerier interface {
 	UpdateTemplateDeletedByID(ctx context.Context, arg UpdateTemplateDeletedByIDParams) error
 	UpdateTemplateMetaByID(ctx context.Context, arg UpdateTemplateMetaByIDParams) error
 	UpdateTemplateScheduleByID(ctx context.Context, arg UpdateTemplateScheduleByIDParams) error
-	UpdateTemplateVersionAITaskByJobID(ctx context.Context, arg UpdateTemplateVersionAITaskByJobIDParams) error
 	UpdateTemplateVersionByID(ctx context.Context, arg UpdateTemplateVersionByIDParams) error
 	UpdateTemplateVersionDescriptionByJobID(ctx context.Context, arg UpdateTemplateVersionDescriptionByJobIDParams) error
 	UpdateTemplateVersionExternalAuthProvidersByJobID(ctx context.Context, arg UpdateTemplateVersionExternalAuthProvidersByJobIDParams) error
+	UpdateTemplateVersionFlagsByJobID(ctx context.Context, arg UpdateTemplateVersionFlagsByJobIDParams) error
 	UpdateTemplateWorkspacesLastUsedAt(ctx context.Context, arg UpdateTemplateWorkspacesLastUsedAtParams) error
 	UpdateUserDeletedByID(ctx context.Context, id uuid.UUID) error
 	UpdateUserGithubComUserID(ctx context.Context, arg UpdateUserGithubComUserIDParams) error
@@ -641,9 +641,9 @@ type sqlcQuerier interface {
 	UpdateWorkspaceAppHealthByID(ctx context.Context, arg UpdateWorkspaceAppHealthByIDParams) error
 	UpdateWorkspaceAutomaticUpdates(ctx context.Context, arg UpdateWorkspaceAutomaticUpdatesParams) error
 	UpdateWorkspaceAutostart(ctx context.Context, arg UpdateWorkspaceAutostartParams) error
-	UpdateWorkspaceBuildAITaskByID(ctx context.Context, arg UpdateWorkspaceBuildAITaskByIDParams) error
 	UpdateWorkspaceBuildCostByID(ctx context.Context, arg UpdateWorkspaceBuildCostByIDParams) error
 	UpdateWorkspaceBuildDeadlineByID(ctx context.Context, arg UpdateWorkspaceBuildDeadlineByIDParams) error
+	UpdateWorkspaceBuildFlagsByID(ctx context.Context, arg UpdateWorkspaceBuildFlagsByIDParams) error
 	UpdateWorkspaceBuildProvisionerStateByID(ctx context.Context, arg UpdateWorkspaceBuildProvisionerStateByIDParams) error
 	UpdateWorkspaceDeletedByID(ctx context.Context, arg UpdateWorkspaceDeletedByIDParams) error
 	UpdateWorkspaceDormantDeletingAt(ctx context.Context, arg UpdateWorkspaceDormantDeletingAtParams) (WorkspaceTable, error)
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
index 74cefd09359b0..a3a23ccfbfe1b 100644
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@@ -12103,21 +12103,28 @@ WHERE
 		  ELSE true
 	END
 
+	-- Filter by has_external_agent in latest version
+	AND CASE
+		WHEN $10 :: boolean IS NOT NULL THEN
+			tv.has_external_agent = $10 :: boolean
+		ELSE true
+	END
   -- Authorize Filter clause will be injected below in GetAuthorizedTemplates
   -- @authorize_filter
 ORDER BY (t.name, t.id) ASC
 `
 
 type GetTemplatesWithFilterParams struct {
-	Deleted        bool         `db:"deleted" json:"deleted"`
-	OrganizationID uuid.UUID    `db:"organization_id" json:"organization_id"`
-	ExactName      string       `db:"exact_name" json:"exact_name"`
-	FuzzyName      string       `db:"fuzzy_name" json:"fuzzy_name"`
-	IDs            []uuid.UUID  `db:"ids" json:"ids"`
-	Deprecated     sql.NullBool `db:"deprecated" json:"deprecated"`
-	HasAITask      sql.NullBool `db:"has_ai_task" json:"has_ai_task"`
-	AuthorID       uuid.UUID    `db:"author_id" json:"author_id"`
-	AuthorUsername string       `db:"author_username" json:"author_username"`
+	Deleted          bool         `db:"deleted" json:"deleted"`
+	OrganizationID   uuid.UUID    `db:"organization_id" json:"organization_id"`
+	ExactName        string       `db:"exact_name" json:"exact_name"`
+	FuzzyName        string       `db:"fuzzy_name" json:"fuzzy_name"`
+	IDs              []uuid.UUID  `db:"ids" json:"ids"`
+	Deprecated       sql.NullBool `db:"deprecated" json:"deprecated"`
+	HasAITask        sql.NullBool `db:"has_ai_task" json:"has_ai_task"`
+	AuthorID         uuid.UUID    `db:"author_id" json:"author_id"`
+	AuthorUsername   string       `db:"author_username" json:"author_username"`
+	HasExternalAgent sql.NullBool `db:"has_external_agent" json:"has_external_agent"`
 }
 
 func (q *sqlQuerier) GetTemplatesWithFilter(ctx context.Context, arg GetTemplatesWithFilterParams) ([]Template, error) {
@@ -12131,6 +12138,7 @@ func (q *sqlQuerier) GetTemplatesWithFilter(ctx context.Context, arg GetTemplate
 		arg.HasAITask,
 		arg.AuthorID,
 		arg.AuthorUsername,
+		arg.HasExternalAgent,
 	)
 	if err != nil {
 		return nil, err
@@ -12615,7 +12623,7 @@ FROM
 			-- Scope an archive to a single template and ignore already archived template versions
 			(
 				SELECT
-					id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task
+					id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent
 				FROM
 					template_versions
 				WHERE
@@ -12716,7 +12724,7 @@ func (q *sqlQuerier) ArchiveUnusedTemplateVersions(ctx context.Context, arg Arch
 
 const getPreviousTemplateVersion = `-- name: GetPreviousTemplateVersion :one
 SELECT
-	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, created_by_avatar_url, created_by_username, created_by_name
+	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent, created_by_avatar_url, created_by_username, created_by_name
 FROM
 	template_version_with_user AS template_versions
 WHERE
@@ -12755,6 +12763,7 @@ func (q *sqlQuerier) GetPreviousTemplateVersion(ctx context.Context, arg GetPrev
 		&i.Archived,
 		&i.SourceExampleID,
 		&i.HasAITask,
+		&i.HasExternalAgent,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 		&i.CreatedByName,
@@ -12764,7 +12773,7 @@ func (q *sqlQuerier) GetPreviousTemplateVersion(ctx context.Context, arg GetPrev
 
 const getTemplateVersionByID = `-- name: GetTemplateVersionByID :one
 SELECT
-	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, created_by_avatar_url, created_by_username, created_by_name
+	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent, created_by_avatar_url, created_by_username, created_by_name
 FROM
 	template_version_with_user AS template_versions
 WHERE
@@ -12789,6 +12798,7 @@ func (q *sqlQuerier) GetTemplateVersionByID(ctx context.Context, id uuid.UUID) (
 		&i.Archived,
 		&i.SourceExampleID,
 		&i.HasAITask,
+		&i.HasExternalAgent,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 		&i.CreatedByName,
@@ -12798,7 +12808,7 @@ func (q *sqlQuerier) GetTemplateVersionByID(ctx context.Context, id uuid.UUID) (
 
 const getTemplateVersionByJobID = `-- name: GetTemplateVersionByJobID :one
 SELECT
-	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, created_by_avatar_url, created_by_username, created_by_name
+	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent, created_by_avatar_url, created_by_username, created_by_name
 FROM
 	template_version_with_user AS template_versions
 WHERE
@@ -12823,6 +12833,7 @@ func (q *sqlQuerier) GetTemplateVersionByJobID(ctx context.Context, jobID uuid.U
 		&i.Archived,
 		&i.SourceExampleID,
 		&i.HasAITask,
+		&i.HasExternalAgent,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 		&i.CreatedByName,
@@ -12832,7 +12843,7 @@ func (q *sqlQuerier) GetTemplateVersionByJobID(ctx context.Context, jobID uuid.U
 
 const getTemplateVersionByTemplateIDAndName = `-- name: GetTemplateVersionByTemplateIDAndName :one
 SELECT
-	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, created_by_avatar_url, created_by_username, created_by_name
+	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent, created_by_avatar_url, created_by_username, created_by_name
 FROM
 	template_version_with_user AS template_versions
 WHERE
@@ -12863,6 +12874,7 @@ func (q *sqlQuerier) GetTemplateVersionByTemplateIDAndName(ctx context.Context,
 		&i.Archived,
 		&i.SourceExampleID,
 		&i.HasAITask,
+		&i.HasExternalAgent,
 		&i.CreatedByAvatarURL,
 		&i.CreatedByUsername,
 		&i.CreatedByName,
@@ -12872,7 +12884,7 @@ func (q *sqlQuerier) GetTemplateVersionByTemplateIDAndName(ctx context.Context,
 
 const getTemplateVersionsByIDs = `-- name: GetTemplateVersionsByIDs :many
 SELECT
-	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, created_by_avatar_url, created_by_username, created_by_name
+	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent, created_by_avatar_url, created_by_username, created_by_name
 FROM
 	template_version_with_user AS template_versions
 WHERE
@@ -12903,6 +12915,7 @@ func (q *sqlQuerier) GetTemplateVersionsByIDs(ctx context.Context, ids []uuid.UU
 			&i.Archived,
 			&i.SourceExampleID,
 			&i.HasAITask,
+			&i.HasExternalAgent,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 			&i.CreatedByName,
@@ -12922,7 +12935,7 @@ func (q *sqlQuerier) GetTemplateVersionsByIDs(ctx context.Context, ids []uuid.UU
 
 const getTemplateVersionsByTemplateID = `-- name: GetTemplateVersionsByTemplateID :many
 SELECT
-	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, created_by_avatar_url, created_by_username, created_by_name
+	id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent, created_by_avatar_url, created_by_username, created_by_name
 FROM
 	template_version_with_user AS template_versions
 WHERE
@@ -13000,6 +13013,7 @@ func (q *sqlQuerier) GetTemplateVersionsByTemplateID(ctx context.Context, arg Ge
 			&i.Archived,
 			&i.SourceExampleID,
 			&i.HasAITask,
+			&i.HasExternalAgent,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 			&i.CreatedByName,
@@ -13018,7 +13032,7 @@ func (q *sqlQuerier) GetTemplateVersionsByTemplateID(ctx context.Context, arg Ge
 }
 
 const getTemplateVersionsCreatedAfter = `-- name: GetTemplateVersionsCreatedAfter :many
-SELECT id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, created_by_avatar_url, created_by_username, created_by_name FROM template_version_with_user AS template_versions WHERE created_at > $1
+SELECT id, template_id, organization_id, created_at, updated_at, name, readme, job_id, created_by, external_auth_providers, message, archived, source_example_id, has_ai_task, has_external_agent, created_by_avatar_url, created_by_username, created_by_name FROM template_version_with_user AS template_versions WHERE created_at > $1
 `
 
 func (q *sqlQuerier) GetTemplateVersionsCreatedAfter(ctx context.Context, createdAt time.Time) ([]TemplateVersion, error) {
@@ -13045,6 +13059,7 @@ func (q *sqlQuerier) GetTemplateVersionsCreatedAfter(ctx context.Context, create
 			&i.Archived,
 			&i.SourceExampleID,
 			&i.HasAITask,
+			&i.HasExternalAgent,
 			&i.CreatedByAvatarURL,
 			&i.CreatedByUsername,
 			&i.CreatedByName,
@@ -13133,27 +13148,6 @@ func (q *sqlQuerier) UnarchiveTemplateVersion(ctx context.Context, arg Unarchive
 	return err
 }
 
-const updateTemplateVersionAITaskByJobID = `-- name: UpdateTemplateVersionAITaskByJobID :exec
-UPDATE
-	template_versions
-SET
-	has_ai_task = $2,
-	updated_at = $3
-WHERE
-	job_id = $1
-`
-
-type UpdateTemplateVersionAITaskByJobIDParams struct {
-	JobID     uuid.UUID    `db:"job_id" json:"job_id"`
-	HasAITask sql.NullBool `db:"has_ai_task" json:"has_ai_task"`
-	UpdatedAt time.Time    `db:"updated_at" json:"updated_at"`
-}
-
-func (q *sqlQuerier) UpdateTemplateVersionAITaskByJobID(ctx context.Context, arg UpdateTemplateVersionAITaskByJobIDParams) error {
-	_, err := q.db.ExecContext(ctx, updateTemplateVersionAITaskByJobID, arg.JobID, arg.HasAITask, arg.UpdatedAt)
-	return err
-}
-
 const updateTemplateVersionByID = `-- name: UpdateTemplateVersionByID :exec
 UPDATE
 	template_versions
@@ -13227,6 +13221,34 @@ func (q *sqlQuerier) UpdateTemplateVersionExternalAuthProvidersByJobID(ctx conte
 	return err
 }
 
+const updateTemplateVersionFlagsByJobID = `-- name: UpdateTemplateVersionFlagsByJobID :exec
+UPDATE
+	template_versions
+SET
+	has_ai_task = $2,
+	has_external_agent = $3,
+	updated_at = $4
+WHERE
+	job_id = $1
+`
+
+type UpdateTemplateVersionFlagsByJobIDParams struct {
+	JobID            uuid.UUID    `db:"job_id" json:"job_id"`
+	HasAITask        sql.NullBool `db:"has_ai_task" json:"has_ai_task"`
+	HasExternalAgent sql.NullBool `db:"has_external_agent" json:"has_external_agent"`
+	UpdatedAt        time.Time    `db:"updated_at" json:"updated_at"`
+}
+
+func (q *sqlQuerier) UpdateTemplateVersionFlagsByJobID(ctx context.Context, arg UpdateTemplateVersionFlagsByJobIDParams) error {
+	_, err := q.db.ExecContext(ctx, updateTemplateVersionFlagsByJobID,
+		arg.JobID,
+		arg.HasAITask,
+		arg.HasExternalAgent,
+		arg.UpdatedAt,
+	)
+	return err
+}
+
 const getTemplateVersionTerraformValues = `-- name: GetTemplateVersionTerraformValues :one
 SELECT
 	template_version_terraform_values.template_version_id, template_version_terraform_values.updated_at, template_version_terraform_values.cached_plan, template_version_terraform_values.cached_module_files, template_version_terraform_values.provisionerd_version
@@ -15702,7 +15724,7 @@ const getWorkspaceAgentAndLatestBuildByAuthToken = `-- name: GetWorkspaceAgentAn
 SELECT
 	workspaces.id, workspaces.created_at, workspaces.updated_at, workspaces.owner_id, workspaces.organization_id, workspaces.template_id, workspaces.deleted, workspaces.name, workspaces.autostart_schedule, workspaces.ttl, workspaces.last_used_at, workspaces.dormant_at, workspaces.deleting_at, workspaces.automatic_updates, workspaces.favorite, workspaces.next_start_at, workspaces.group_acl, workspaces.user_acl,
 	workspace_agents.id, workspace_agents.created_at, workspace_agents.updated_at, workspace_agents.name, workspace_agents.first_connected_at, workspace_agents.last_connected_at, workspace_agents.disconnected_at, workspace_agents.resource_id, workspace_agents.auth_token, workspace_agents.auth_instance_id, workspace_agents.architecture, workspace_agents.environment_variables, workspace_agents.operating_system, workspace_agents.instance_metadata, workspace_agents.resource_metadata, workspace_agents.directory, workspace_agents.version, workspace_agents.last_connected_replica_id, workspace_agents.connection_timeout_seconds, workspace_agents.troubleshooting_url, workspace_agents.motd_file, workspace_agents.lifecycle_state, workspace_agents.expanded_directory, workspace_agents.logs_length, workspace_agents.logs_overflowed, workspace_agents.started_at, workspace_agents.ready_at, workspace_agents.subsystems, workspace_agents.display_apps, workspace_agents.api_version, workspace_agents.display_order, workspace_agents.parent_id, workspace_agents.api_key_scope, workspace_agents.deleted,
-	workspace_build_with_user.id, workspace_build_with_user.created_at, workspace_build_with_user.updated_at, workspace_build_with_user.workspace_id, workspace_build_with_user.template_version_id, workspace_build_with_user.build_number, workspace_build_with_user.transition, workspace_build_with_user.initiator_id, workspace_build_with_user.provisioner_state, workspace_build_with_user.job_id, workspace_build_with_user.deadline, workspace_build_with_user.reason, workspace_build_with_user.daily_cost, workspace_build_with_user.max_deadline, workspace_build_with_user.template_version_preset_id, workspace_build_with_user.has_ai_task, workspace_build_with_user.ai_task_sidebar_app_id, workspace_build_with_user.initiator_by_avatar_url, workspace_build_with_user.initiator_by_username, workspace_build_with_user.initiator_by_name
+	workspace_build_with_user.id, workspace_build_with_user.created_at, workspace_build_with_user.updated_at, workspace_build_with_user.workspace_id, workspace_build_with_user.template_version_id, workspace_build_with_user.build_number, workspace_build_with_user.transition, workspace_build_with_user.initiator_id, workspace_build_with_user.provisioner_state, workspace_build_with_user.job_id, workspace_build_with_user.deadline, workspace_build_with_user.reason, workspace_build_with_user.daily_cost, workspace_build_with_user.max_deadline, workspace_build_with_user.template_version_preset_id, workspace_build_with_user.has_ai_task, workspace_build_with_user.ai_task_sidebar_app_id, workspace_build_with_user.has_external_agent, workspace_build_with_user.initiator_by_avatar_url, workspace_build_with_user.initiator_by_username, workspace_build_with_user.initiator_by_name
 FROM
 	workspace_agents
 JOIN
@@ -15815,6 +15837,7 @@ func (q *sqlQuerier) GetWorkspaceAgentAndLatestBuildByAuthToken(ctx context.Cont
 		&i.WorkspaceBuild.TemplateVersionPresetID,
 		&i.WorkspaceBuild.HasAITask,
 		&i.WorkspaceBuild.AITaskSidebarAppID,
+		&i.WorkspaceBuild.HasExternalAgent,
 		&i.WorkspaceBuild.InitiatorByAvatarUrl,
 		&i.WorkspaceBuild.InitiatorByUsername,
 		&i.WorkspaceBuild.InitiatorByName,
@@ -18469,7 +18492,7 @@ func (q *sqlQuerier) InsertWorkspaceBuildParameters(ctx context.Context, arg Ins
 }
 
 const getActiveWorkspaceBuildsByTemplateID = `-- name: GetActiveWorkspaceBuildsByTemplateID :many
-SELECT wb.id, wb.created_at, wb.updated_at, wb.workspace_id, wb.template_version_id, wb.build_number, wb.transition, wb.initiator_id, wb.provisioner_state, wb.job_id, wb.deadline, wb.reason, wb.daily_cost, wb.max_deadline, wb.template_version_preset_id, wb.has_ai_task, wb.ai_task_sidebar_app_id, wb.initiator_by_avatar_url, wb.initiator_by_username, wb.initiator_by_name
+SELECT wb.id, wb.created_at, wb.updated_at, wb.workspace_id, wb.template_version_id, wb.build_number, wb.transition, wb.initiator_id, wb.provisioner_state, wb.job_id, wb.deadline, wb.reason, wb.daily_cost, wb.max_deadline, wb.template_version_preset_id, wb.has_ai_task, wb.ai_task_sidebar_app_id, wb.has_external_agent, wb.initiator_by_avatar_url, wb.initiator_by_username, wb.initiator_by_name
 FROM (
     SELECT
         workspace_id, MAX(build_number) as max_build_number
@@ -18526,6 +18549,7 @@ func (q *sqlQuerier) GetActiveWorkspaceBuildsByTemplateID(ctx context.Context, t
 			&i.TemplateVersionPresetID,
 			&i.HasAITask,
 			&i.AITaskSidebarAppID,
+			&i.HasExternalAgent,
 			&i.InitiatorByAvatarUrl,
 			&i.InitiatorByUsername,
 			&i.InitiatorByName,
@@ -18625,7 +18649,7 @@ func (q *sqlQuerier) GetFailedWorkspaceBuildsByTemplateID(ctx context.Context, a
 
 const getLatestWorkspaceBuildByWorkspaceID = `-- name: GetLatestWorkspaceBuildByWorkspaceID :one
 SELECT
-	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, initiator_by_avatar_url, initiator_by_username, initiator_by_name
+	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, has_external_agent, initiator_by_avatar_url, initiator_by_username, initiator_by_name
 FROM
 	workspace_build_with_user AS workspace_builds
 WHERE
@@ -18657,6 +18681,7 @@ func (q *sqlQuerier) GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context, w
 		&i.TemplateVersionPresetID,
 		&i.HasAITask,
 		&i.AITaskSidebarAppID,
+		&i.HasExternalAgent,
 		&i.InitiatorByAvatarUrl,
 		&i.InitiatorByUsername,
 		&i.InitiatorByName,
@@ -18665,7 +18690,7 @@ func (q *sqlQuerier) GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context, w
 }
 
 const getLatestWorkspaceBuilds = `-- name: GetLatestWorkspaceBuilds :many
-SELECT wb.id, wb.created_at, wb.updated_at, wb.workspace_id, wb.template_version_id, wb.build_number, wb.transition, wb.initiator_id, wb.provisioner_state, wb.job_id, wb.deadline, wb.reason, wb.daily_cost, wb.max_deadline, wb.template_version_preset_id, wb.has_ai_task, wb.ai_task_sidebar_app_id, wb.initiator_by_avatar_url, wb.initiator_by_username, wb.initiator_by_name
+SELECT wb.id, wb.created_at, wb.updated_at, wb.workspace_id, wb.template_version_id, wb.build_number, wb.transition, wb.initiator_id, wb.provisioner_state, wb.job_id, wb.deadline, wb.reason, wb.daily_cost, wb.max_deadline, wb.template_version_preset_id, wb.has_ai_task, wb.ai_task_sidebar_app_id, wb.has_external_agent, wb.initiator_by_avatar_url, wb.initiator_by_username, wb.initiator_by_name
 FROM (
     SELECT
         workspace_id, MAX(build_number) as max_build_number
@@ -18706,6 +18731,7 @@ func (q *sqlQuerier) GetLatestWorkspaceBuilds(ctx context.Context) ([]WorkspaceB
 			&i.TemplateVersionPresetID,
 			&i.HasAITask,
 			&i.AITaskSidebarAppID,
+			&i.HasExternalAgent,
 			&i.InitiatorByAvatarUrl,
 			&i.InitiatorByUsername,
 			&i.InitiatorByName,
@@ -18724,7 +18750,7 @@ func (q *sqlQuerier) GetLatestWorkspaceBuilds(ctx context.Context) ([]WorkspaceB
 }
 
 const getLatestWorkspaceBuildsByWorkspaceIDs = `-- name: GetLatestWorkspaceBuildsByWorkspaceIDs :many
-SELECT wb.id, wb.created_at, wb.updated_at, wb.workspace_id, wb.template_version_id, wb.build_number, wb.transition, wb.initiator_id, wb.provisioner_state, wb.job_id, wb.deadline, wb.reason, wb.daily_cost, wb.max_deadline, wb.template_version_preset_id, wb.has_ai_task, wb.ai_task_sidebar_app_id, wb.initiator_by_avatar_url, wb.initiator_by_username, wb.initiator_by_name
+SELECT wb.id, wb.created_at, wb.updated_at, wb.workspace_id, wb.template_version_id, wb.build_number, wb.transition, wb.initiator_id, wb.provisioner_state, wb.job_id, wb.deadline, wb.reason, wb.daily_cost, wb.max_deadline, wb.template_version_preset_id, wb.has_ai_task, wb.ai_task_sidebar_app_id, wb.has_external_agent, wb.initiator_by_avatar_url, wb.initiator_by_username, wb.initiator_by_name
 FROM (
     SELECT
         workspace_id, MAX(build_number) as max_build_number
@@ -18767,6 +18793,7 @@ func (q *sqlQuerier) GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context,
 			&i.TemplateVersionPresetID,
 			&i.HasAITask,
 			&i.AITaskSidebarAppID,
+			&i.HasExternalAgent,
 			&i.InitiatorByAvatarUrl,
 			&i.InitiatorByUsername,
 			&i.InitiatorByName,
@@ -18786,7 +18813,7 @@ func (q *sqlQuerier) GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context,
 
 const getWorkspaceBuildByID = `-- name: GetWorkspaceBuildByID :one
 SELECT
-	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, initiator_by_avatar_url, initiator_by_username, initiator_by_name
+	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, has_external_agent, initiator_by_avatar_url, initiator_by_username, initiator_by_name
 FROM
 	workspace_build_with_user AS workspace_builds
 WHERE
@@ -18816,6 +18843,7 @@ func (q *sqlQuerier) GetWorkspaceBuildByID(ctx context.Context, id uuid.UUID) (W
 		&i.TemplateVersionPresetID,
 		&i.HasAITask,
 		&i.AITaskSidebarAppID,
+		&i.HasExternalAgent,
 		&i.InitiatorByAvatarUrl,
 		&i.InitiatorByUsername,
 		&i.InitiatorByName,
@@ -18825,7 +18853,7 @@ func (q *sqlQuerier) GetWorkspaceBuildByID(ctx context.Context, id uuid.UUID) (W
 
 const getWorkspaceBuildByJobID = `-- name: GetWorkspaceBuildByJobID :one
 SELECT
-	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, initiator_by_avatar_url, initiator_by_username, initiator_by_name
+	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, has_external_agent, initiator_by_avatar_url, initiator_by_username, initiator_by_name
 FROM
 	workspace_build_with_user AS workspace_builds
 WHERE
@@ -18855,6 +18883,7 @@ func (q *sqlQuerier) GetWorkspaceBuildByJobID(ctx context.Context, jobID uuid.UU
 		&i.TemplateVersionPresetID,
 		&i.HasAITask,
 		&i.AITaskSidebarAppID,
+		&i.HasExternalAgent,
 		&i.InitiatorByAvatarUrl,
 		&i.InitiatorByUsername,
 		&i.InitiatorByName,
@@ -18864,7 +18893,7 @@ func (q *sqlQuerier) GetWorkspaceBuildByJobID(ctx context.Context, jobID uuid.UU
 
 const getWorkspaceBuildByWorkspaceIDAndBuildNumber = `-- name: GetWorkspaceBuildByWorkspaceIDAndBuildNumber :one
 SELECT
-	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, initiator_by_avatar_url, initiator_by_username, initiator_by_name
+	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, has_external_agent, initiator_by_avatar_url, initiator_by_username, initiator_by_name
 FROM
 	workspace_build_with_user AS workspace_builds
 WHERE
@@ -18898,6 +18927,7 @@ func (q *sqlQuerier) GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx context.Co
 		&i.TemplateVersionPresetID,
 		&i.HasAITask,
 		&i.AITaskSidebarAppID,
+		&i.HasExternalAgent,
 		&i.InitiatorByAvatarUrl,
 		&i.InitiatorByUsername,
 		&i.InitiatorByName,
@@ -18974,7 +19004,7 @@ func (q *sqlQuerier) GetWorkspaceBuildStatsByTemplates(ctx context.Context, sinc
 
 const getWorkspaceBuildsByWorkspaceID = `-- name: GetWorkspaceBuildsByWorkspaceID :many
 SELECT
-	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, initiator_by_avatar_url, initiator_by_username, initiator_by_name
+	id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, has_external_agent, initiator_by_avatar_url, initiator_by_username, initiator_by_name
 FROM
 	workspace_build_with_user AS workspace_builds
 WHERE
@@ -19047,6 +19077,7 @@ func (q *sqlQuerier) GetWorkspaceBuildsByWorkspaceID(ctx context.Context, arg Ge
 			&i.TemplateVersionPresetID,
 			&i.HasAITask,
 			&i.AITaskSidebarAppID,
+			&i.HasExternalAgent,
 			&i.InitiatorByAvatarUrl,
 			&i.InitiatorByUsername,
 			&i.InitiatorByName,
@@ -19065,7 +19096,7 @@ func (q *sqlQuerier) GetWorkspaceBuildsByWorkspaceID(ctx context.Context, arg Ge
 }
 
 const getWorkspaceBuildsCreatedAfter = `-- name: GetWorkspaceBuildsCreatedAfter :many
-SELECT id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, initiator_by_avatar_url, initiator_by_username, initiator_by_name FROM workspace_build_with_user WHERE created_at > $1
+SELECT id, created_at, updated_at, workspace_id, template_version_id, build_number, transition, initiator_id, provisioner_state, job_id, deadline, reason, daily_cost, max_deadline, template_version_preset_id, has_ai_task, ai_task_sidebar_app_id, has_external_agent, initiator_by_avatar_url, initiator_by_username, initiator_by_name FROM workspace_build_with_user WHERE created_at > $1
 `
 
 func (q *sqlQuerier) GetWorkspaceBuildsCreatedAfter(ctx context.Context, createdAt time.Time) ([]WorkspaceBuild, error) {
@@ -19095,6 +19126,7 @@ func (q *sqlQuerier) GetWorkspaceBuildsCreatedAfter(ctx context.Context, created
 			&i.TemplateVersionPresetID,
 			&i.HasAITask,
 			&i.AITaskSidebarAppID,
+			&i.HasExternalAgent,
 			&i.InitiatorByAvatarUrl,
 			&i.InitiatorByUsername,
 			&i.InitiatorByName,
@@ -19171,33 +19203,6 @@ func (q *sqlQuerier) InsertWorkspaceBuild(ctx context.Context, arg InsertWorkspa
 	return err
 }
 
-const updateWorkspaceBuildAITaskByID = `-- name: UpdateWorkspaceBuildAITaskByID :exec
-UPDATE
-	workspace_builds
-SET
-	has_ai_task = $1,
-	ai_task_sidebar_app_id = $2,
-	updated_at = $3::timestamptz
-WHERE id = $4::uuid
-`
-
-type UpdateWorkspaceBuildAITaskByIDParams struct {
-	HasAITask    sql.NullBool  `db:"has_ai_task" json:"has_ai_task"`
-	SidebarAppID uuid.NullUUID `db:"sidebar_app_id" json:"sidebar_app_id"`
-	UpdatedAt    time.Time     `db:"updated_at" json:"updated_at"`
-	ID           uuid.UUID     `db:"id" json:"id"`
-}
-
-func (q *sqlQuerier) UpdateWorkspaceBuildAITaskByID(ctx context.Context, arg UpdateWorkspaceBuildAITaskByIDParams) error {
-	_, err := q.db.ExecContext(ctx, updateWorkspaceBuildAITaskByID,
-		arg.HasAITask,
-		arg.SidebarAppID,
-		arg.UpdatedAt,
-		arg.ID,
-	)
-	return err
-}
-
 const updateWorkspaceBuildCostByID = `-- name: UpdateWorkspaceBuildCostByID :exec
 UPDATE
 	workspace_builds
@@ -19244,6 +19249,36 @@ func (q *sqlQuerier) UpdateWorkspaceBuildDeadlineByID(ctx context.Context, arg U
 	return err
 }
 
+const updateWorkspaceBuildFlagsByID = `-- name: UpdateWorkspaceBuildFlagsByID :exec
+UPDATE
+	workspace_builds
+SET
+	has_ai_task = $1,
+	ai_task_sidebar_app_id = $2,
+	has_external_agent = $3,
+	updated_at = $4::timestamptz
+WHERE id = $5::uuid
+`
+
+type UpdateWorkspaceBuildFlagsByIDParams struct {
+	HasAITask        sql.NullBool  `db:"has_ai_task" json:"has_ai_task"`
+	SidebarAppID     uuid.NullUUID `db:"sidebar_app_id" json:"sidebar_app_id"`
+	HasExternalAgent sql.NullBool  `db:"has_external_agent" json:"has_external_agent"`
+	UpdatedAt        time.Time     `db:"updated_at" json:"updated_at"`
+	ID               uuid.UUID     `db:"id" json:"id"`
+}
+
+func (q *sqlQuerier) UpdateWorkspaceBuildFlagsByID(ctx context.Context, arg UpdateWorkspaceBuildFlagsByIDParams) error {
+	_, err := q.db.ExecContext(ctx, updateWorkspaceBuildFlagsByID,
+		arg.HasAITask,
+		arg.SidebarAppID,
+		arg.HasExternalAgent,
+		arg.UpdatedAt,
+		arg.ID,
+	)
+	return err
+}
+
 const updateWorkspaceBuildProvisionerStateByID = `-- name: UpdateWorkspaceBuildProvisionerStateByID :exec
 UPDATE
 	workspace_builds
@@ -20211,7 +20246,8 @@ SELECT
 	latest_build.error as latest_build_error,
 	latest_build.transition as latest_build_transition,
 	latest_build.job_status as latest_build_status,
-	latest_build.has_ai_task as latest_build_has_ai_task
+	latest_build.has_ai_task as latest_build_has_ai_task,
+	latest_build.has_external_agent as latest_build_has_external_agent
 FROM
 	workspaces_expanded as workspaces
 JOIN
@@ -20224,6 +20260,7 @@ LEFT JOIN LATERAL (
 		workspace_builds.transition,
 		workspace_builds.template_version_id,
 		workspace_builds.has_ai_task,
+		workspace_builds.has_external_agent,
 		template_versions.name AS template_version_name,
 		provisioner_jobs.id AS provisioner_job_id,
 		provisioner_jobs.started_at,
@@ -20464,16 +20501,22 @@ WHERE
 			)) = ($19 :: boolean)
 		ELSE true
 	END
+	-- Filter by has_external_agent in latest build
+	AND CASE
+		WHEN $20 :: boolean IS NOT NULL THEN
+			latest_build.has_external_agent = $20 :: boolean
+		ELSE true
+	END
 	-- Authorize Filter clause will be injected below in GetAuthorizedWorkspaces
 	-- @authorize_filter
 ), filtered_workspaces_order AS (
 	SELECT
-		fw.id, fw.created_at, fw.updated_at, fw.owner_id, fw.organization_id, fw.template_id, fw.deleted, fw.name, fw.autostart_schedule, fw.ttl, fw.last_used_at, fw.dormant_at, fw.deleting_at, fw.automatic_updates, fw.favorite, fw.next_start_at, fw.group_acl, fw.user_acl, fw.owner_avatar_url, fw.owner_username, fw.owner_name, fw.organization_name, fw.organization_display_name, fw.organization_icon, fw.organization_description, fw.template_name, fw.template_display_name, fw.template_icon, fw.template_description, fw.template_version_id, fw.template_version_name, fw.latest_build_completed_at, fw.latest_build_canceled_at, fw.latest_build_error, fw.latest_build_transition, fw.latest_build_status, fw.latest_build_has_ai_task
+		fw.id, fw.created_at, fw.updated_at, fw.owner_id, fw.organization_id, fw.template_id, fw.deleted, fw.name, fw.autostart_schedule, fw.ttl, fw.last_used_at, fw.dormant_at, fw.deleting_at, fw.automatic_updates, fw.favorite, fw.next_start_at, fw.group_acl, fw.user_acl, fw.owner_avatar_url, fw.owner_username, fw.owner_name, fw.organization_name, fw.organization_display_name, fw.organization_icon, fw.organization_description, fw.template_name, fw.template_display_name, fw.template_icon, fw.template_description, fw.template_version_id, fw.template_version_name, fw.latest_build_completed_at, fw.latest_build_canceled_at, fw.latest_build_error, fw.latest_build_transition, fw.latest_build_status, fw.latest_build_has_ai_task, fw.latest_build_has_external_agent
 	FROM
 		filtered_workspaces fw
 	ORDER BY
 		-- To ensure that 'favorite' workspaces show up first in the list only for their owner.
-		CASE WHEN owner_id = $20 AND favorite THEN 0 ELSE 1 END ASC,
+		CASE WHEN owner_id = $21 AND favorite THEN 0 ELSE 1 END ASC,
 		(latest_build_completed_at IS NOT NULL AND
 			latest_build_canceled_at IS NULL AND
 			latest_build_error IS NULL AND
@@ -20482,14 +20525,14 @@ WHERE
 		LOWER(name) ASC
 	LIMIT
 		CASE
-			WHEN $22 :: integer > 0 THEN
-				$22
+			WHEN $23 :: integer > 0 THEN
+				$23
 		END
 	OFFSET
-		$21
+		$22
 ), filtered_workspaces_order_with_summary AS (
 	SELECT
-		fwo.id, fwo.created_at, fwo.updated_at, fwo.owner_id, fwo.organization_id, fwo.template_id, fwo.deleted, fwo.name, fwo.autostart_schedule, fwo.ttl, fwo.last_used_at, fwo.dormant_at, fwo.deleting_at, fwo.automatic_updates, fwo.favorite, fwo.next_start_at, fwo.group_acl, fwo.user_acl, fwo.owner_avatar_url, fwo.owner_username, fwo.owner_name, fwo.organization_name, fwo.organization_display_name, fwo.organization_icon, fwo.organization_description, fwo.template_name, fwo.template_display_name, fwo.template_icon, fwo.template_description, fwo.template_version_id, fwo.template_version_name, fwo.latest_build_completed_at, fwo.latest_build_canceled_at, fwo.latest_build_error, fwo.latest_build_transition, fwo.latest_build_status, fwo.latest_build_has_ai_task
+		fwo.id, fwo.created_at, fwo.updated_at, fwo.owner_id, fwo.organization_id, fwo.template_id, fwo.deleted, fwo.name, fwo.autostart_schedule, fwo.ttl, fwo.last_used_at, fwo.dormant_at, fwo.deleting_at, fwo.automatic_updates, fwo.favorite, fwo.next_start_at, fwo.group_acl, fwo.user_acl, fwo.owner_avatar_url, fwo.owner_username, fwo.owner_name, fwo.organization_name, fwo.organization_display_name, fwo.organization_icon, fwo.organization_description, fwo.template_name, fwo.template_display_name, fwo.template_icon, fwo.template_description, fwo.template_version_id, fwo.template_version_name, fwo.latest_build_completed_at, fwo.latest_build_canceled_at, fwo.latest_build_error, fwo.latest_build_transition, fwo.latest_build_status, fwo.latest_build_has_ai_task, fwo.latest_build_has_external_agent
 	FROM
 		filtered_workspaces_order fwo
 	-- Return a technical summary row with total count of workspaces.
@@ -20533,9 +20576,10 @@ WHERE
 		'', -- latest_build_error
 		'start'::workspace_transition, -- latest_build_transition
 		'unknown'::provisioner_job_status, -- latest_build_status
-		false -- latest_build_has_ai_task
+		false, -- latest_build_has_ai_task
+		false -- latest_build_has_external_agent
 	WHERE
-		$23 :: boolean = true
+		$24 :: boolean = true
 ), total_count AS (
 	SELECT
 		count(*) AS count
@@ -20543,7 +20587,7 @@ WHERE
 		filtered_workspaces
 )
 SELECT
-	fwos.id, fwos.created_at, fwos.updated_at, fwos.owner_id, fwos.organization_id, fwos.template_id, fwos.deleted, fwos.name, fwos.autostart_schedule, fwos.ttl, fwos.last_used_at, fwos.dormant_at, fwos.deleting_at, fwos.automatic_updates, fwos.favorite, fwos.next_start_at, fwos.group_acl, fwos.user_acl, fwos.owner_avatar_url, fwos.owner_username, fwos.owner_name, fwos.organization_name, fwos.organization_display_name, fwos.organization_icon, fwos.organization_description, fwos.template_name, fwos.template_display_name, fwos.template_icon, fwos.template_description, fwos.template_version_id, fwos.template_version_name, fwos.latest_build_completed_at, fwos.latest_build_canceled_at, fwos.latest_build_error, fwos.latest_build_transition, fwos.latest_build_status, fwos.latest_build_has_ai_task,
+	fwos.id, fwos.created_at, fwos.updated_at, fwos.owner_id, fwos.organization_id, fwos.template_id, fwos.deleted, fwos.name, fwos.autostart_schedule, fwos.ttl, fwos.last_used_at, fwos.dormant_at, fwos.deleting_at, fwos.automatic_updates, fwos.favorite, fwos.next_start_at, fwos.group_acl, fwos.user_acl, fwos.owner_avatar_url, fwos.owner_username, fwos.owner_name, fwos.organization_name, fwos.organization_display_name, fwos.organization_icon, fwos.organization_description, fwos.template_name, fwos.template_display_name, fwos.template_icon, fwos.template_description, fwos.template_version_id, fwos.template_version_name, fwos.latest_build_completed_at, fwos.latest_build_canceled_at, fwos.latest_build_error, fwos.latest_build_transition, fwos.latest_build_status, fwos.latest_build_has_ai_task, fwos.latest_build_has_external_agent,
 	tc.count
 FROM
 	filtered_workspaces_order_with_summary fwos
@@ -20571,6 +20615,7 @@ type GetWorkspacesParams struct {
 	LastUsedAfter                         time.Time    `db:"last_used_after" json:"last_used_after"`
 	UsingActive                           sql.NullBool `db:"using_active" json:"using_active"`
 	HasAITask                             sql.NullBool `db:"has_ai_task" json:"has_ai_task"`
+	HasExternalAgent                      sql.NullBool `db:"has_external_agent" json:"has_external_agent"`
 	RequesterID                           uuid.UUID    `db:"requester_id" json:"requester_id"`
 	Offset                                int32        `db:"offset_" json:"offset_"`
 	Limit                                 int32        `db:"limit_" json:"limit_"`
@@ -20578,44 +20623,45 @@ type GetWorkspacesParams struct {
 }
 
 type GetWorkspacesRow struct {
-	ID                      uuid.UUID            `db:"id" json:"id"`
-	CreatedAt               time.Time            `db:"created_at" json:"created_at"`
-	UpdatedAt               time.Time            `db:"updated_at" json:"updated_at"`
-	OwnerID                 uuid.UUID            `db:"owner_id" json:"owner_id"`
-	OrganizationID          uuid.UUID            `db:"organization_id" json:"organization_id"`
-	TemplateID              uuid.UUID            `db:"template_id" json:"template_id"`
-	Deleted                 bool                 `db:"deleted" json:"deleted"`
-	Name                    string               `db:"name" json:"name"`
-	AutostartSchedule       sql.NullString       `db:"autostart_schedule" json:"autostart_schedule"`
-	Ttl                     sql.NullInt64        `db:"ttl" json:"ttl"`
-	LastUsedAt              time.Time            `db:"last_used_at" json:"last_used_at"`
-	DormantAt               sql.NullTime         `db:"dormant_at" json:"dormant_at"`
-	DeletingAt              sql.NullTime         `db:"deleting_at" json:"deleting_at"`
-	AutomaticUpdates        AutomaticUpdates     `db:"automatic_updates" json:"automatic_updates"`
-	Favorite                bool                 `db:"favorite" json:"favorite"`
-	NextStartAt             sql.NullTime         `db:"next_start_at" json:"next_start_at"`
-	GroupACL                json.RawMessage      `db:"group_acl" json:"group_acl"`
-	UserACL                 json.RawMessage      `db:"user_acl" json:"user_acl"`
-	OwnerAvatarUrl          string               `db:"owner_avatar_url" json:"owner_avatar_url"`
-	OwnerUsername           string               `db:"owner_username" json:"owner_username"`
-	OwnerName               string               `db:"owner_name" json:"owner_name"`
-	OrganizationName        string               `db:"organization_name" json:"organization_name"`
-	OrganizationDisplayName string               `db:"organization_display_name" json:"organization_display_name"`
-	OrganizationIcon        string               `db:"organization_icon" json:"organization_icon"`
-	OrganizationDescription string               `db:"organization_description" json:"organization_description"`
-	TemplateName            string               `db:"template_name" json:"template_name"`
-	TemplateDisplayName     string               `db:"template_display_name" json:"template_display_name"`
-	TemplateIcon            string               `db:"template_icon" json:"template_icon"`
-	TemplateDescription     string               `db:"template_description" json:"template_description"`
-	TemplateVersionID       uuid.UUID            `db:"template_version_id" json:"template_version_id"`
-	TemplateVersionName     sql.NullString       `db:"template_version_name" json:"template_version_name"`
-	LatestBuildCompletedAt  sql.NullTime         `db:"latest_build_completed_at" json:"latest_build_completed_at"`
-	LatestBuildCanceledAt   sql.NullTime         `db:"latest_build_canceled_at" json:"latest_build_canceled_at"`
-	LatestBuildError        sql.NullString       `db:"latest_build_error" json:"latest_build_error"`
-	LatestBuildTransition   WorkspaceTransition  `db:"latest_build_transition" json:"latest_build_transition"`
-	LatestBuildStatus       ProvisionerJobStatus `db:"latest_build_status" json:"latest_build_status"`
-	LatestBuildHasAITask    sql.NullBool         `db:"latest_build_has_ai_task" json:"latest_build_has_ai_task"`
-	Count                   int64                `db:"count" json:"count"`
+	ID                          uuid.UUID            `db:"id" json:"id"`
+	CreatedAt                   time.Time            `db:"created_at" json:"created_at"`
+	UpdatedAt                   time.Time            `db:"updated_at" json:"updated_at"`
+	OwnerID                     uuid.UUID            `db:"owner_id" json:"owner_id"`
+	OrganizationID              uuid.UUID            `db:"organization_id" json:"organization_id"`
+	TemplateID                  uuid.UUID            `db:"template_id" json:"template_id"`
+	Deleted                     bool                 `db:"deleted" json:"deleted"`
+	Name                        string               `db:"name" json:"name"`
+	AutostartSchedule           sql.NullString       `db:"autostart_schedule" json:"autostart_schedule"`
+	Ttl                         sql.NullInt64        `db:"ttl" json:"ttl"`
+	LastUsedAt                  time.Time            `db:"last_used_at" json:"last_used_at"`
+	DormantAt                   sql.NullTime         `db:"dormant_at" json:"dormant_at"`
+	DeletingAt                  sql.NullTime         `db:"deleting_at" json:"deleting_at"`
+	AutomaticUpdates            AutomaticUpdates     `db:"automatic_updates" json:"automatic_updates"`
+	Favorite                    bool                 `db:"favorite" json:"favorite"`
+	NextStartAt                 sql.NullTime         `db:"next_start_at" json:"next_start_at"`
+	GroupACL                    json.RawMessage      `db:"group_acl" json:"group_acl"`
+	UserACL                     json.RawMessage      `db:"user_acl" json:"user_acl"`
+	OwnerAvatarUrl              string               `db:"owner_avatar_url" json:"owner_avatar_url"`
+	OwnerUsername               string               `db:"owner_username" json:"owner_username"`
+	OwnerName                   string               `db:"owner_name" json:"owner_name"`
+	OrganizationName            string               `db:"organization_name" json:"organization_name"`
+	OrganizationDisplayName     string               `db:"organization_display_name" json:"organization_display_name"`
+	OrganizationIcon            string               `db:"organization_icon" json:"organization_icon"`
+	OrganizationDescription     string               `db:"organization_description" json:"organization_description"`
+	TemplateName                string               `db:"template_name" json:"template_name"`
+	TemplateDisplayName         string               `db:"template_display_name" json:"template_display_name"`
+	TemplateIcon                string               `db:"template_icon" json:"template_icon"`
+	TemplateDescription         string               `db:"template_description" json:"template_description"`
+	TemplateVersionID           uuid.UUID            `db:"template_version_id" json:"template_version_id"`
+	TemplateVersionName         sql.NullString       `db:"template_version_name" json:"template_version_name"`
+	LatestBuildCompletedAt      sql.NullTime         `db:"latest_build_completed_at" json:"latest_build_completed_at"`
+	LatestBuildCanceledAt       sql.NullTime         `db:"latest_build_canceled_at" json:"latest_build_canceled_at"`
+	LatestBuildError            sql.NullString       `db:"latest_build_error" json:"latest_build_error"`
+	LatestBuildTransition       WorkspaceTransition  `db:"latest_build_transition" json:"latest_build_transition"`
+	LatestBuildStatus           ProvisionerJobStatus `db:"latest_build_status" json:"latest_build_status"`
+	LatestBuildHasAITask        sql.NullBool         `db:"latest_build_has_ai_task" json:"latest_build_has_ai_task"`
+	LatestBuildHasExternalAgent sql.NullBool         `db:"latest_build_has_external_agent" json:"latest_build_has_external_agent"`
+	Count                       int64                `db:"count" json:"count"`
 }
 
 // build_params is used to filter by build parameters if present.
@@ -20642,6 +20688,7 @@ func (q *sqlQuerier) GetWorkspaces(ctx context.Context, arg GetWorkspacesParams)
 		arg.LastUsedAfter,
 		arg.UsingActive,
 		arg.HasAITask,
+		arg.HasExternalAgent,
 		arg.RequesterID,
 		arg.Offset,
 		arg.Limit,
@@ -20692,6 +20739,7 @@ func (q *sqlQuerier) GetWorkspaces(ctx context.Context, arg GetWorkspacesParams)
 			&i.LatestBuildTransition,
 			&i.LatestBuildStatus,
 			&i.LatestBuildHasAITask,
+			&i.LatestBuildHasExternalAgent,
 			&i.Count,
 		); err != nil {
 			return nil, err
diff --git a/coderd/database/queries/templates.sql b/coderd/database/queries/templates.sql
index a922a9bef1918..4bb70c6580503 100644
--- a/coderd/database/queries/templates.sql
+++ b/coderd/database/queries/templates.sql
@@ -72,6 +72,12 @@ WHERE
 		  ELSE true
 	END
 
+	-- Filter by has_external_agent in latest version
+	AND CASE
+		WHEN sqlc.narg('has_external_agent') :: boolean IS NOT NULL THEN
+			tv.has_external_agent = sqlc.narg('has_external_agent') :: boolean
+		ELSE true
+	END
   -- Authorize Filter clause will be injected below in GetAuthorizedTemplates
   -- @authorize_filter
 ORDER BY (t.name, t.id) ASC
diff --git a/coderd/database/queries/templateversions.sql b/coderd/database/queries/templateversions.sql
index 5cf59fab30272..e68383aa0632e 100644
--- a/coderd/database/queries/templateversions.sql
+++ b/coderd/database/queries/templateversions.sql
@@ -122,15 +122,6 @@ SET
 WHERE
 	job_id = $1;
 
--- name: UpdateTemplateVersionAITaskByJobID :exec
-UPDATE
-	template_versions
-SET
-	has_ai_task = $2,
-	updated_at = $3
-WHERE
-	job_id = $1;
-
 -- name: GetPreviousTemplateVersion :one
 SELECT
 	*
@@ -234,3 +225,13 @@ FROM
 WHERE
 	template_versions.id IN (archived_versions.id)
 RETURNING template_versions.id;
+
+-- name: UpdateTemplateVersionFlagsByJobID :exec
+UPDATE
+	template_versions
+SET
+	has_ai_task = $2,
+	has_external_agent = $3,
+	updated_at = $4
+WHERE
+	job_id = $1;
diff --git a/coderd/database/queries/workspacebuilds.sql b/coderd/database/queries/workspacebuilds.sql
index be76b6642df1f..0cd414936b9f7 100644
--- a/coderd/database/queries/workspacebuilds.sql
+++ b/coderd/database/queries/workspacebuilds.sql
@@ -151,15 +151,6 @@ SET
 	updated_at = @updated_at::timestamptz
 WHERE id = @id::uuid;
 
--- name: UpdateWorkspaceBuildAITaskByID :exec
-UPDATE
-	workspace_builds
-SET
-	has_ai_task = @has_ai_task,
-	ai_task_sidebar_app_id = @sidebar_app_id,
-	updated_at = @updated_at::timestamptz
-WHERE id = @id::uuid;
-
 -- name: GetActiveWorkspaceBuildsByTemplateID :many
 SELECT wb.*
 FROM (
@@ -253,3 +244,13 @@ WHERE
 	AND pj.job_status = 'failed'
 ORDER BY
 	tv.name ASC, wb.build_number DESC;
+
+-- name: UpdateWorkspaceBuildFlagsByID :exec
+UPDATE
+	workspace_builds
+SET
+	has_ai_task = @has_ai_task,
+	ai_task_sidebar_app_id = @sidebar_app_id,
+	has_external_agent = @has_external_agent,
+	updated_at = @updated_at::timestamptz
+WHERE id = @id::uuid;
diff --git a/coderd/database/queries/workspaces.sql b/coderd/database/queries/workspaces.sql
index b6b4f2de0888f..936b9e57f2226 100644
--- a/coderd/database/queries/workspaces.sql
+++ b/coderd/database/queries/workspaces.sql
@@ -117,7 +117,8 @@ SELECT
 	latest_build.error as latest_build_error,
 	latest_build.transition as latest_build_transition,
 	latest_build.job_status as latest_build_status,
-	latest_build.has_ai_task as latest_build_has_ai_task
+	latest_build.has_ai_task as latest_build_has_ai_task,
+	latest_build.has_external_agent as latest_build_has_external_agent
 FROM
 	workspaces_expanded as workspaces
 JOIN
@@ -130,6 +131,7 @@ LEFT JOIN LATERAL (
 		workspace_builds.transition,
 		workspace_builds.template_version_id,
 		workspace_builds.has_ai_task,
+		workspace_builds.has_external_agent,
 		template_versions.name AS template_version_name,
 		provisioner_jobs.id AS provisioner_job_id,
 		provisioner_jobs.started_at,
@@ -370,6 +372,12 @@ WHERE
 			)) = (sqlc.narg('has_ai_task') :: boolean)
 		ELSE true
 	END
+	-- Filter by has_external_agent in latest build
+	AND CASE
+		WHEN sqlc.narg('has_external_agent') :: boolean IS NOT NULL THEN
+			latest_build.has_external_agent = sqlc.narg('has_external_agent') :: boolean
+		ELSE true
+	END
 	-- Authorize Filter clause will be injected below in GetAuthorizedWorkspaces
 	-- @authorize_filter
 ), filtered_workspaces_order AS (
@@ -439,7 +447,8 @@ WHERE
 		'', -- latest_build_error
 		'start'::workspace_transition, -- latest_build_transition
 		'unknown'::provisioner_job_status, -- latest_build_status
-		false -- latest_build_has_ai_task
+		false, -- latest_build_has_ai_task
+		false -- latest_build_has_external_agent
 	WHERE
 		@with_summary :: boolean = true
 ), total_count AS (
diff --git a/coderd/initscript.go b/coderd/initscript.go
new file mode 100644
index 0000000000000..14769ce74179e
--- /dev/null
+++ b/coderd/initscript.go
@@ -0,0 +1,40 @@
+package coderd
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/provisionersdk"
+)
+
+// @Summary Get agent init script
+// @ID get-agent-init-script
+// @Produce text/plain
+// @Tags InitScript
+// @Param os path string true "Operating system"
+// @Param arch path string true "Architecture"
+// @Success 200 "Success"
+// @Router /init-script/{os}/{arch} [get]
+func (api *API) initScript(rw http.ResponseWriter, r *http.Request) {
+	os := strings.ToLower(chi.URLParam(r, "os"))
+	arch := strings.ToLower(chi.URLParam(r, "arch"))
+
+	script, exists := provisionersdk.AgentScriptEnv()[fmt.Sprintf("CODER_AGENT_SCRIPT_%s_%s", os, arch)]
+	if !exists {
+		httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Unknown os/arch: %s/%s", os, arch),
+		})
+		return
+	}
+	script = strings.ReplaceAll(script, "${ACCESS_URL}", api.AccessURL.String()+"/")
+	script = strings.ReplaceAll(script, "${AUTH_TYPE}", "token")
+
+	rw.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	rw.WriteHeader(http.StatusOK)
+	_, _ = rw.Write([]byte(script))
+}
diff --git a/coderd/initscript_test.go b/coderd/initscript_test.go
new file mode 100644
index 0000000000000..c47162ff3b6e9
--- /dev/null
+++ b/coderd/initscript_test.go
@@ -0,0 +1,45 @@
+package coderd_test
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/codersdk"
+)
+
+func TestInitScript(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK Windows", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		script, err := client.InitScript(context.Background(), "windows", "amd64")
+		require.NoError(t, err)
+		require.NotEmpty(t, script)
+		require.Contains(t, script, "$env:CODER_AGENT_AUTH = \"token\"")
+	})
+
+	t.Run("OK Linux", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		script, err := client.InitScript(context.Background(), "linux", "amd64")
+		require.NoError(t, err)
+		require.NotEmpty(t, script)
+		require.Contains(t, script, "export CODER_AGENT_AUTH=\"token\"")
+	})
+
+	t.Run("BadRequest", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_, err := client.InitScript(context.Background(), "darwin", "armv7")
+		require.Error(t, err)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
+		require.Equal(t, "Unknown os/arch: darwin/armv7", apiErr.Message)
+	})
+}
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
index d1b03cbd68a27..c81c4de9866a0 100644
--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -1720,16 +1720,20 @@ func (s *server) completeTemplateImportJob(ctx context.Context, job database.Pro
 		if err != nil {
 			return xerrors.Errorf("update template version external auth providers: %w", err)
 		}
-		err = db.UpdateTemplateVersionAITaskByJobID(ctx, database.UpdateTemplateVersionAITaskByJobIDParams{
+		err = db.UpdateTemplateVersionFlagsByJobID(ctx, database.UpdateTemplateVersionFlagsByJobIDParams{
 			JobID: jobID,
 			HasAITask: sql.NullBool{
 				Bool:  jobType.TemplateImport.HasAiTasks,
 				Valid: true,
 			},
+			HasExternalAgent: sql.NullBool{
+				Bool:  jobType.TemplateImport.HasExternalAgents,
+				Valid: true,
+			},
 			UpdatedAt: now,
 		})
 		if err != nil {
-			return xerrors.Errorf("update template version external auth providers: %w", err)
+			return xerrors.Errorf("update template version ai task and external agent: %w", err)
 		}
 
 		// Process terraform values
@@ -1960,19 +1964,31 @@ func (s *server) completeWorkspaceBuildJob(ctx context.Context, job database.Pro
 			sidebarAppID = uuid.NullUUID{UUID: id, Valid: true}
 		}
 
+		hasExternalAgent := false
+		for _, resource := range jobType.WorkspaceBuild.Resources {
+			if resource.Type == "coder_external_agent" {
+				hasExternalAgent = true
+				break
+			}
+		}
+
 		// Regardless of whether there is an AI task or not, update the field to indicate one way or the other since it
 		// always defaults to nil. ONLY if has_ai_task=true MUST ai_task_sidebar_app_id be set.
-		err = db.UpdateWorkspaceBuildAITaskByID(ctx, database.UpdateWorkspaceBuildAITaskByIDParams{
+		err = db.UpdateWorkspaceBuildFlagsByID(ctx, database.UpdateWorkspaceBuildFlagsByIDParams{
 			ID: workspaceBuild.ID,
 			HasAITask: sql.NullBool{
 				Bool:  hasAITask,
 				Valid: true,
 			},
+			HasExternalAgent: sql.NullBool{
+				Bool:  hasExternalAgent,
+				Valid: true,
+			},
 			SidebarAppID: sidebarAppID,
 			UpdatedAt:    now,
 		})
 		if err != nil {
-			return xerrors.Errorf("update workspace build ai tasks flag: %w", err)
+			return xerrors.Errorf("update workspace build ai tasks and external agent flag: %w", err)
 		}
 
 		// Insert timings inside the transaction now
diff --git a/coderd/searchquery/search.go b/coderd/searchquery/search.go
index cbaaa74a848eb..e70d402d17c1e 100644
--- a/coderd/searchquery/search.go
+++ b/coderd/searchquery/search.go
@@ -223,6 +223,7 @@ func Workspaces(ctx context.Context, db database.Store, query string, page coder
 		Valid: values.Has("outdated"),
 	}
 	filter.HasAITask = parser.NullableBoolean(values, sql.NullBool{}, "has-ai-task")
+	filter.HasExternalAgent = parser.NullableBoolean(values, sql.NullBool{}, "has-external-agent")
 	filter.OrganizationID = parseOrganization(ctx, db, parser, values, "organization")
 
 	type paramMatch struct {
@@ -277,15 +278,16 @@ func Templates(ctx context.Context, db database.Store, actorID uuid.UUID, query
 
 	parser := httpapi.NewQueryParamParser()
 	filter := database.GetTemplatesWithFilterParams{
-		Deleted:        parser.Boolean(values, false, "deleted"),
-		OrganizationID: parseOrganization(ctx, db, parser, values, "organization"),
-		ExactName:      parser.String(values, "", "exact_name"),
-		FuzzyName:      parser.String(values, "", "name"),
-		IDs:            parser.UUIDs(values, []uuid.UUID{}, "ids"),
-		Deprecated:     parser.NullableBoolean(values, sql.NullBool{}, "deprecated"),
-		HasAITask:      parser.NullableBoolean(values, sql.NullBool{}, "has-ai-task"),
-		AuthorID:       parser.UUID(values, uuid.Nil, "author_id"),
-		AuthorUsername: parser.String(values, "", "author"),
+		Deleted:          parser.Boolean(values, false, "deleted"),
+		OrganizationID:   parseOrganization(ctx, db, parser, values, "organization"),
+		ExactName:        parser.String(values, "", "exact_name"),
+		FuzzyName:        parser.String(values, "", "name"),
+		IDs:              parser.UUIDs(values, []uuid.UUID{}, "ids"),
+		Deprecated:       parser.NullableBoolean(values, sql.NullBool{}, "deprecated"),
+		HasAITask:        parser.NullableBoolean(values, sql.NullBool{}, "has-ai-task"),
+		AuthorID:         parser.UUID(values, uuid.Nil, "author_id"),
+		AuthorUsername:   parser.String(values, "", "author"),
+		HasExternalAgent: parser.NullableBoolean(values, sql.NullBool{}, "has-external-agent"),
 	}
 
 	if filter.AuthorUsername == codersdk.Me {
diff --git a/coderd/searchquery/search_test.go b/coderd/searchquery/search_test.go
index 5c45274668b25..36fc06e2d1479 100644
--- a/coderd/searchquery/search_test.go
+++ b/coderd/searchquery/search_test.go
@@ -252,6 +252,36 @@ func TestSearchWorkspace(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:  "HasExternalAgentTrue",
+			Query: "has-external-agent:true",
+			Expected: database.GetWorkspacesParams{
+				HasExternalAgent: sql.NullBool{
+					Bool:  true,
+					Valid: true,
+				},
+			},
+		},
+		{
+			Name:  "HasExternalAgentFalse",
+			Query: "has-external-agent:false",
+			Expected: database.GetWorkspacesParams{
+				HasExternalAgent: sql.NullBool{
+					Bool:  false,
+					Valid: true,
+				},
+			},
+		},
+		{
+			Name:  "HasExternalAgentMissing",
+			Query: "",
+			Expected: database.GetWorkspacesParams{
+				HasExternalAgent: sql.NullBool{
+					Bool:  false,
+					Valid: false,
+				},
+			},
+		},
 
 		// Failures
 		{
@@ -689,6 +719,36 @@ func TestSearchTemplates(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:  "HasExternalAgent",
+			Query: "has-external-agent:true",
+			Expected: database.GetTemplatesWithFilterParams{
+				HasExternalAgent: sql.NullBool{
+					Bool:  true,
+					Valid: true,
+				},
+			},
+		},
+		{
+			Name:  "HasExternalAgentFalse",
+			Query: "has-external-agent:false",
+			Expected: database.GetTemplatesWithFilterParams{
+				HasExternalAgent: sql.NullBool{
+					Bool:  false,
+					Valid: true,
+				},
+			},
+		},
+		{
+			Name:  "HasExternalAgentMissing",
+			Query: "",
+			Expected: database.GetTemplatesWithFilterParams{
+				HasExternalAgent: sql.NullBool{
+					Bool:  false,
+					Valid: false,
+				},
+			},
+		},
 		{
 			Name:  "MyTemplates",
 			Query: "author:me",
diff --git a/coderd/templates_test.go b/coderd/templates_test.go
index 050ae77f8ca49..3e1e4b1dd3223 100644
--- a/coderd/templates_test.go
+++ b/coderd/templates_test.go
@@ -1915,3 +1915,59 @@ func TestTemplateFilterHasAITask(t *testing.T) {
 	require.Contains(t, templates, templateWithAITask)
 	require.Contains(t, templates, templateWithoutAITask)
 }
+
+func TestTemplateFilterHasExternalAgent(t *testing.T) {
+	t.Parallel()
+
+	db, pubsub := dbtestutil.NewDB(t)
+	client := coderdtest.New(t, &coderdtest.Options{
+		Database:                 db,
+		Pubsub:                   pubsub,
+		IncludeProvisionerDaemon: true,
+	})
+	user := coderdtest.CreateFirstUser(t, client)
+
+	jobWithExternalAgent := dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
+		OrganizationID: user.OrganizationID,
+		InitiatorID:    user.UserID,
+		Tags:           database.StringMap{},
+		Type:           database.ProvisionerJobTypeTemplateVersionImport,
+	})
+	jobWithoutExternalAgent := dbgen.ProvisionerJob(t, db, pubsub, database.ProvisionerJob{
+		OrganizationID: user.OrganizationID,
+		InitiatorID:    user.UserID,
+		Tags:           database.StringMap{},
+		Type:           database.ProvisionerJobTypeTemplateVersionImport,
+	})
+	versionWithExternalAgent := dbgen.TemplateVersion(t, db, database.TemplateVersion{
+		OrganizationID:   user.OrganizationID,
+		CreatedBy:        user.UserID,
+		HasExternalAgent: sql.NullBool{Bool: true, Valid: true},
+		JobID:            jobWithExternalAgent.ID,
+	})
+	versionWithoutExternalAgent := dbgen.TemplateVersion(t, db, database.TemplateVersion{
+		OrganizationID:   user.OrganizationID,
+		CreatedBy:        user.UserID,
+		HasExternalAgent: sql.NullBool{Bool: false, Valid: true},
+		JobID:            jobWithoutExternalAgent.ID,
+	})
+	templateWithExternalAgent := coderdtest.CreateTemplate(t, client, user.OrganizationID, versionWithExternalAgent.ID)
+	templateWithoutExternalAgent := coderdtest.CreateTemplate(t, client, user.OrganizationID, versionWithoutExternalAgent.ID)
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+
+	templates, err := client.Templates(ctx, codersdk.TemplateFilter{
+		SearchQuery: "has-external-agent:true",
+	})
+	require.NoError(t, err)
+	require.Len(t, templates, 1)
+	require.Equal(t, templateWithExternalAgent.ID, templates[0].ID)
+
+	templates, err = client.Templates(ctx, codersdk.TemplateFilter{
+		SearchQuery: "has-external-agent:false",
+	})
+	require.NoError(t, err)
+	require.Len(t, templates, 1)
+	require.Equal(t, templateWithoutExternalAgent.ID, templates[0].ID)
+}
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
index d600eff6ecfec..09c4f95520093 100644
--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -2185,3 +2185,71 @@ func convertWorkspaceAgentLog(logEntry database.WorkspaceAgentLog) codersdk.Work
 		SourceID:  logEntry.LogSourceID,
 	}
 }
+
+// @Summary Get workspace external agent credentials
+// @ID get-workspace-external-agent-credentials
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Agents
+// @Param workspace path string true "Workspace ID" format(uuid)
+// @Param agent path string true "Agent name"
+// @Success 200 {object} codersdk.ExternalAgentCredentials
+// @Router /workspaces/{workspace}/external-agent/{agent}/credentials [get]
+func (api *API) workspaceExternalAgentCredentials(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	workspace := httpmw.WorkspaceParam(r)
+	agentName := chi.URLParam(r, "agent")
+
+	build, err := api.Database.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspace.ID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to get latest workspace build.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	agents, err := api.Database.GetWorkspaceAgentsByWorkspaceAndBuildNumber(ctx, database.GetWorkspaceAgentsByWorkspaceAndBuildNumberParams{
+		WorkspaceID: workspace.ID,
+		BuildNumber: build.BuildNumber,
+	})
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to get workspace agents.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	var agent *database.WorkspaceAgent
+	for i := range agents {
+		if agents[i].Name == agentName {
+			agent = &agents[i]
+			break
+		}
+	}
+	if agent == nil {
+		httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
+			Message: fmt.Sprintf("External agent '%s' not found in workspace.", agentName),
+		})
+		return
+	}
+
+	if agent.AuthInstanceID.Valid {
+		httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
+			Message: "External agent is authenticated with an instance ID.",
+		})
+		return
+	}
+
+	initScriptURL := fmt.Sprintf("%s/api/v2/init-script/%s/%s", api.AccessURL.String(), agent.OperatingSystem, agent.Architecture)
+	command := fmt.Sprintf("CODER_AGENT_TOKEN=%q curl -fsSL %q | sh", agent.AuthToken.String(), initScriptURL)
+	if agent.OperatingSystem == "windows" {
+		command = fmt.Sprintf("$env:CODER_AGENT_TOKEN=%q; iwr -useb %q | iex", agent.AuthToken.String(), initScriptURL)
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.ExternalAgentCredentials{
+		AgentToken: agent.AuthToken.String(),
+		Command:    command,
+	})
+}
diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go
index 30859cb6391e6..2e7c83bfd541e 100644
--- a/coderd/workspaceagents_test.go
+++ b/coderd/workspaceagents_test.go
@@ -3056,3 +3056,77 @@ func (p *pubsubReinitSpy) Subscribe(event string, listener pubsub.Listener) (can
 	p.Unlock()
 	return cancel, err
 }
+
+func TestWorkspaceExternalAgentCredentials(t *testing.T) {
+	t.Parallel()
+	client, db := coderdtest.NewWithDatabase(t, nil)
+	user := coderdtest.CreateFirstUser(t, client)
+
+	t.Run("Success - linux", func(t *testing.T) {
+		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).WithAgent(func(a []*proto.Agent) []*proto.Agent {
+			a[0].Name = "test-agent"
+			a[0].OperatingSystem = "linux"
+			a[0].Architecture = "amd64"
+			return a
+		}).Do()
+
+		credentials, err := client.WorkspaceExternalAgentCredentials(
+			ctx, r.Workspace.ID, "test-agent")
+		require.NoError(t, err)
+
+		require.Equal(t, r.AgentToken, credentials.AgentToken)
+		expectedCommand := fmt.Sprintf("CODER_AGENT_TOKEN=%q curl -fsSL \"%s/api/v2/init-script/linux/amd64\" | sh", r.AgentToken, client.URL)
+		require.Equal(t, expectedCommand, credentials.Command)
+	})
+
+	t.Run("Success - windows", func(t *testing.T) {
+		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).WithAgent(func(a []*proto.Agent) []*proto.Agent {
+			a[0].Name = "test-agent"
+			a[0].OperatingSystem = "windows"
+			a[0].Architecture = "amd64"
+			return a
+		}).Do()
+
+		credentials, err := client.WorkspaceExternalAgentCredentials(
+			ctx, r.Workspace.ID, "test-agent")
+		require.NoError(t, err)
+
+		require.Equal(t, r.AgentToken, credentials.AgentToken)
+		expectedCommand := fmt.Sprintf("$env:CODER_AGENT_TOKEN=%q; iwr -useb \"%s/api/v2/init-script/windows/amd64\" | iex", r.AgentToken, client.URL)
+		require.Equal(t, expectedCommand, credentials.Command)
+	})
+
+	t.Run("WithInstanceID - should return 404", func(t *testing.T) {
+		t.Parallel()
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OrganizationID: user.OrganizationID,
+			OwnerID:        user.UserID,
+		}).WithAgent(func(a []*proto.Agent) []*proto.Agent {
+			a[0].Name = "test-agent"
+			a[0].Auth = &proto.Agent_InstanceId{
+				InstanceId: uuid.New().String(),
+			}
+			return a
+		}).Do()
+
+		_, err := client.WorkspaceExternalAgentCredentials(ctx, r.Workspace.ID, "test-agent")
+		require.Error(t, err)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, "External agent is authenticated with an instance ID.", apiErr.Message)
+	})
+}
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
index 583b9c4edaf21..e54f75ef5cba6 100644
--- a/coderd/workspacebuilds.go
+++ b/coderd/workspacebuilds.go
@@ -1157,6 +1157,11 @@ func (api *API) convertWorkspaceBuild(
 		aiTasksSidebarAppID = &build.AITaskSidebarAppID.UUID
 	}
 
+	var hasExternalAgent *bool
+	if build.HasExternalAgent.Valid {
+		hasExternalAgent = &build.HasExternalAgent.Bool
+	}
+
 	apiJob := convertProvisionerJob(job)
 	transition := codersdk.WorkspaceTransition(build.Transition)
 	return codersdk.WorkspaceBuild{
@@ -1185,6 +1190,7 @@ func (api *API) convertWorkspaceBuild(
 		TemplateVersionPresetID: presetID,
 		HasAITask:               hasAITask,
 		AITaskSidebarAppID:      aiTasksSidebarAppID,
+		HasExternalAgent:        hasExternalAgent,
 	}, nil
 }
 
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
index 6da85c7608ca4..268d787fbb2b2 100644
--- a/coderd/workspaces.go
+++ b/coderd/workspaces.go
@@ -138,7 +138,7 @@ func (api *API) workspace(rw http.ResponseWriter, r *http.Request) {
 // @Security CoderSessionToken
 // @Produce json
 // @Tags Workspaces
-// @Param q query string false "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task."
+// @Param q query string false "Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has-external-agent."
 // @Param limit query int false "Page limit"
 // @Param offset query int false "Page offset"
 // @Success 200 {object} codersdk.WorkspacesResponse
diff --git a/codersdk/initscript.go b/codersdk/initscript.go
new file mode 100644
index 0000000000000..d1adbf79460f0
--- /dev/null
+++ b/codersdk/initscript.go
@@ -0,0 +1,28 @@
+package codersdk
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+func (c *Client) InitScript(ctx context.Context, os, arch string) (string, error) {
+	url := fmt.Sprintf("/api/v2/init-script/%s/%s", os, arch)
+	res, err := c.Request(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return "", err
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		return "", ReadBodyAsError(res)
+	}
+
+	script, err := io.ReadAll(res.Body)
+	if err != nil {
+		return "", err
+	}
+
+	return string(script), nil
+}
diff --git a/codersdk/workspacebuilds.go b/codersdk/workspacebuilds.go
index 53d2a89290bca..bb9511178c7f4 100644
--- a/codersdk/workspacebuilds.go
+++ b/codersdk/workspacebuilds.go
@@ -90,6 +90,7 @@ type WorkspaceBuild struct {
 	TemplateVersionPresetID *uuid.UUID           `json:"template_version_preset_id" format:"uuid"`
 	HasAITask               *bool                `json:"has_ai_task,omitempty"`
 	AITaskSidebarAppID      *uuid.UUID           `json:"ai_task_sidebar_app_id,omitempty" format:"uuid"`
+	HasExternalAgent        *bool                `json:"has_external_agent,omitempty"`
 }
 
 // WorkspaceResource describes resources used to create a workspace, for instance:
diff --git a/codersdk/workspaces.go b/codersdk/workspaces.go
index 13cb778ab0ae0..39d52325df448 100644
--- a/codersdk/workspaces.go
+++ b/codersdk/workspaces.go
@@ -689,3 +689,23 @@ func (c *Client) UpdateWorkspaceACL(ctx context.Context, workspaceID uuid.UUID,
 	}
 	return nil
 }
+
+// ExternalAgentCredentials contains the credentials needed for an external agent to connect to Coder.
+type ExternalAgentCredentials struct {
+	Command    string `json:"command"`
+	AgentToken string `json:"agent_token"`
+}
+
+func (c *Client) WorkspaceExternalAgentCredentials(ctx context.Context, workspaceID uuid.UUID, agentName string) (ExternalAgentCredentials, error) {
+	path := fmt.Sprintf("/api/v2/workspaces/%s/external-agent/%s/credentials", workspaceID.String(), agentName)
+	res, err := c.Request(ctx, http.MethodGet, path, nil)
+	if err != nil {
+		return ExternalAgentCredentials{}, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return ExternalAgentCredentials{}, ReadBodyAsError(res)
+	}
+	var credentials ExternalAgentCredentials
+	return credentials, json.NewDecoder(res.Body).Decode(&credentials)
+}
diff --git a/docs/admin/security/audit-logs.md b/docs/admin/security/audit-logs.md
index 0232c3d45a0c2..69d85b0d67f72 100644
--- a/docs/admin/security/audit-logs.md
+++ b/docs/admin/security/audit-logs.md
@@ -33,9 +33,9 @@ We track the following resources:
 | PrebuildsSettings<br><i></i>                             | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>id</td><td>false</td></tr><tr><td>reconciliation_paused</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
 | RoleSyncSettings<br><i></i>                              | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>field</td><td>true</td></tr><tr><td>mapping</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
 | Template<br><i>write, delete</i>                         | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>active_version_id</td><td>true</td></tr><tr><td>activity_bump</td><td>true</td></tr><tr><td>allow_user_autostart</td><td>true</td></tr><tr><td>allow_user_autostop</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>autostart_block_days_of_week</td><td>true</td></tr><tr><td>autostop_requirement_days_of_week</td><td>true</td></tr><tr><td>autostop_requirement_weeks</td><td>true</td></tr><tr><td>cors_behavior</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>created_by_avatar_url</td><td>false</td></tr><tr><td>created_by_name</td><td>false</td></tr><tr><td>created_by_username</td><td>false</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>deprecated</td><td>true</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>failure_ttl</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>max_port_sharing_level</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_display_name</td><td>false</td></tr><tr><td>organization_icon</td><td>false</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>organization_name</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>require_active_version</td><td>true</td></tr><tr><td>time_til_dormant</td><td>true</td></tr><tr><td>time_til_dormant_autodelete</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>use_classic_parameter_flow</td><td>true</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
-| TemplateVersion<br><i>create, write</i>                  | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>archived</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>created_by_avatar_url</td><td>false</td></tr><tr><td>created_by_name</td><td>false</td></tr><tr><td>created_by_username</td><td>false</td></tr><tr><td>external_auth_providers</td><td>false</td></tr><tr><td>has_ai_task</td><td>false</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>message</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>source_example_id</td><td>false</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| TemplateVersion<br><i>create, write</i>                  | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>archived</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>created_by_avatar_url</td><td>false</td></tr><tr><td>created_by_name</td><td>false</td></tr><tr><td>created_by_username</td><td>false</td></tr><tr><td>external_auth_providers</td><td>false</td></tr><tr><td>has_ai_task</td><td>false</td></tr><tr><td>has_external_agent</td><td>false</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>message</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>source_example_id</td><td>false</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | User<br><i>create, write, delete</i>                     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>github_com_user_id</td><td>false</td></tr><tr><td>hashed_one_time_passcode</td><td>false</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>is_system</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>one_time_passcode_expires_at</td><td>true</td></tr><tr><td>quiet_hours_schedule</td><td>true</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
-| WorkspaceBuild<br><i>start, stop</i>                     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>ai_task_sidebar_app_id</td><td>false</td></tr><tr><td>build_number</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>daily_cost</td><td>false</td></tr><tr><td>deadline</td><td>false</td></tr><tr><td>has_ai_task</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>initiator_by_avatar_url</td><td>false</td></tr><tr><td>initiator_by_name</td><td>false</td></tr><tr><td>initiator_by_username</td><td>false</td></tr><tr><td>initiator_id</td><td>false</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>max_deadline</td><td>false</td></tr><tr><td>provisioner_state</td><td>false</td></tr><tr><td>reason</td><td>false</td></tr><tr><td>template_version_id</td><td>true</td></tr><tr><td>template_version_preset_id</td><td>false</td></tr><tr><td>transition</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>workspace_id</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
+| WorkspaceBuild<br><i>start, stop</i>                     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>ai_task_sidebar_app_id</td><td>false</td></tr><tr><td>build_number</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>daily_cost</td><td>false</td></tr><tr><td>deadline</td><td>false</td></tr><tr><td>has_ai_task</td><td>false</td></tr><tr><td>has_external_agent</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>initiator_by_avatar_url</td><td>false</td></tr><tr><td>initiator_by_name</td><td>false</td></tr><tr><td>initiator_by_username</td><td>false</td></tr><tr><td>initiator_id</td><td>false</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>max_deadline</td><td>false</td></tr><tr><td>provisioner_state</td><td>false</td></tr><tr><td>reason</td><td>false</td></tr><tr><td>template_version_id</td><td>true</td></tr><tr><td>template_version_preset_id</td><td>false</td></tr><tr><td>transition</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>workspace_id</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 | WorkspaceProxy<br><i></i>                                | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>created_at</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>derp_enabled</td><td>true</td></tr><tr><td>derp_only</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>region_id</td><td>true</td></tr><tr><td>token_hashed_secret</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>url</td><td>true</td></tr><tr><td>version</td><td>true</td></tr><tr><td>wildcard_hostname</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
 | WorkspaceTable<br><i></i>                                | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody> | <tr><td>automatic_updates</td><td>true</td></tr><tr><td>autostart_schedule</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>deleting_at</td><td>true</td></tr><tr><td>dormant_at</td><td>true</td></tr><tr><td>favorite</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_used_at</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>next_start_at</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>owner_id</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>ttl</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 
diff --git a/docs/manifest.json b/docs/manifest.json
index ce03ef0ff2de1..b51eca70cd103 100644
--- a/docs/manifest.json
+++ b/docs/manifest.json
@@ -47,18 +47,6 @@
 							"path": "./about/contributing/documentation.md",
 							"icon_path": "./images/icons/document.svg"
 						},
-						{
-							"title": "Modules",
-							"description": "Learn how to contribute modules to Coder",
-							"path": "./about/contributing/modules.md",
-							"icon_path": "./images/icons/gear.svg"
-						},
-						{
-							"title": "Templates",
-							"description": "Learn how to contribute templates to Coder",
-							"path": "./about/contributing/templates.md",
-							"icon_path": "./images/icons/picture.svg"
-						},
 						{
 							"title": "Backend",
 							"description": "Our guide for backend development",
@@ -709,8 +697,8 @@
 							"path": "./admin/integrations/platformx.md"
 						},
 						{
-							"title": "DX",
-							"description": "Tag Coder Users with DX",
+							"title": "DX Data Cloud",
+							"description": "Tag Coder Users with DX Data Cloud",
 							"path": "./admin/integrations/dx-data-cloud.md"
 						},
 						{
@@ -1166,6 +1154,26 @@
 							"description": "Print auth for an external provider",
 							"path": "reference/cli/external-auth_access-token.md"
 						},
+						{
+							"title": "external-workspaces",
+							"description": "Create or manage external workspaces",
+							"path": "reference/cli/external-workspaces.md"
+						},
+						{
+							"title": "external-workspaces agent-instructions",
+							"description": "Get the instructions for an external agent",
+							"path": "reference/cli/external-workspaces_agent-instructions.md"
+						},
+						{
+							"title": "external-workspaces create",
+							"description": "Create a new external workspace",
+							"path": "reference/cli/external-workspaces_create.md"
+						},
+						{
+							"title": "external-workspaces list",
+							"description": "List external workspaces",
+							"path": "reference/cli/external-workspaces_list.md"
+						},
 						{
 							"title": "favorite",
 							"description": "Add a workspace to your favorites",
diff --git a/docs/reference/api/agents.md b/docs/reference/api/agents.md
index 54e9b0e6ad628..e72117e96e350 100644
--- a/docs/reference/api/agents.md
+++ b/docs/reference/api/agents.md
@@ -1238,3 +1238,42 @@ Status Code **200**
 | `level`  | `error` |
 
 To perform this operation, you must be authenticated. [Learn more](authentication.md).
+
+## Get workspace external agent credentials
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X GET http://coder-server:8080/api/v2/workspaces/{workspace}/external-agent/{agent}/credentials \
+  -H 'Accept: application/json' \
+  -H 'Coder-Session-Token: API_KEY'
+```
+
+`GET /workspaces/{workspace}/external-agent/{agent}/credentials`
+
+### Parameters
+
+| Name        | In   | Type         | Required | Description  |
+|-------------|------|--------------|----------|--------------|
+| `workspace` | path | string(uuid) | true     | Workspace ID |
+| `agent`     | path | string       | true     | Agent name   |
+
+### Example responses
+
+> 200 Response
+
+```json
+{
+  "agent_token": "string",
+  "command": "string"
+}
+```
+
+### Responses
+
+| Status | Meaning                                                 | Description | Schema                                                                           |
+|--------|---------------------------------------------------------|-------------|----------------------------------------------------------------------------------|
+| 200    | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK          | [codersdk.ExternalAgentCredentials](schemas.md#codersdkexternalagentcredentials) |
+
+To perform this operation, you must be authenticated. [Learn more](authentication.md).
diff --git a/docs/reference/api/builds.md b/docs/reference/api/builds.md
index a465575baeaa3..526f5bfd25ff1 100644
--- a/docs/reference/api/builds.md
+++ b/docs/reference/api/builds.md
@@ -33,6 +33,7 @@ curl -X GET http://coder-server:8080/api/v2/users/{user}/workspace/{workspacenam
   "daily_cost": 0,
   "deadline": "2019-08-24T14:15:22Z",
   "has_ai_task": true,
+  "has_external_agent": true,
   "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
   "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
   "initiator_name": "string",
@@ -271,6 +272,7 @@ curl -X GET http://coder-server:8080/api/v2/workspacebuilds/{workspacebuild} \
   "daily_cost": 0,
   "deadline": "2019-08-24T14:15:22Z",
   "has_ai_task": true,
+  "has_external_agent": true,
   "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
   "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
   "initiator_name": "string",
@@ -998,6 +1000,7 @@ curl -X GET http://coder-server:8080/api/v2/workspacebuilds/{workspacebuild}/sta
   "daily_cost": 0,
   "deadline": "2019-08-24T14:15:22Z",
   "has_ai_task": true,
+  "has_external_agent": true,
   "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
   "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
   "initiator_name": "string",
@@ -1309,6 +1312,7 @@ curl -X GET http://coder-server:8080/api/v2/workspaces/{workspace}/builds \
     "daily_cost": 0,
     "deadline": "2019-08-24T14:15:22Z",
     "has_ai_task": true,
+    "has_external_agent": true,
     "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
     "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
     "initiator_name": "string",
@@ -1528,6 +1532,7 @@ Status Code **200**
 | `» daily_cost`                   | integer                                                                                                | false    |              |                                                                                                                                                                                                                                                |
 | `» deadline`                     | string(date-time)                                                                                      | false    |              |                                                                                                                                                                                                                                                |
 | `» has_ai_task`                  | boolean                                                                                                | false    |              |                                                                                                                                                                                                                                                |
+| `» has_external_agent`           | boolean                                                                                                | false    |              |                                                                                                                                                                                                                                                |
 | `» id`                           | string(uuid)                                                                                           | false    |              |                                                                                                                                                                                                                                                |
 | `» initiator_id`                 | string(uuid)                                                                                           | false    |              |                                                                                                                                                                                                                                                |
 | `» initiator_name`               | string                                                                                                 | false    |              |                                                                                                                                                                                                                                                |
@@ -1802,6 +1807,7 @@ curl -X POST http://coder-server:8080/api/v2/workspaces/{workspace}/builds \
   "daily_cost": 0,
   "deadline": "2019-08-24T14:15:22Z",
   "has_ai_task": true,
+  "has_external_agent": true,
   "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
   "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
   "initiator_name": "string",
diff --git a/docs/reference/api/initscript.md b/docs/reference/api/initscript.md
new file mode 100644
index 0000000000000..ecd8c8008a6a4
--- /dev/null
+++ b/docs/reference/api/initscript.md
@@ -0,0 +1,26 @@
+# InitScript
+
+## Get agent init script
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X GET http://coder-server:8080/api/v2/init-script/{os}/{arch}
+
+```
+
+`GET /init-script/{os}/{arch}`
+
+### Parameters
+
+| Name   | In   | Type   | Required | Description      |
+|--------|------|--------|----------|------------------|
+| `os`   | path | string | true     | Operating system |
+| `arch` | path | string | true     | Architecture     |
+
+### Responses
+
+| Status | Meaning                                                 | Description | Schema |
+|--------|---------------------------------------------------------|-------------|--------|
+| 200    | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | Success     |        |
diff --git a/docs/reference/api/schemas.md b/docs/reference/api/schemas.md
index b3824d0c9b9b8..f3dc56e0eb4e8 100644
--- a/docs/reference/api/schemas.md
+++ b/docs/reference/api/schemas.md
@@ -3322,6 +3322,22 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
 | `mcp-server-http`      |
 | `workspace-sharing`    |
 
+## codersdk.ExternalAgentCredentials
+
+```json
+{
+  "agent_token": "string",
+  "command": "string"
+}
+```
+
+### Properties
+
+| Name          | Type   | Required | Restrictions | Description |
+|---------------|--------|----------|--------------|-------------|
+| `agent_token` | string | false    |              |             |
+| `command`     | string | false    |              |             |
+
 ## codersdk.ExternalAuth
 
 ```json
@@ -8812,6 +8828,7 @@ If the schedule is empty, the user will be updated to use the default schedule.|
     "daily_cost": 0,
     "deadline": "2019-08-24T14:15:22Z",
     "has_ai_task": true,
+    "has_external_agent": true,
     "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
     "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
     "initiator_name": "string",
@@ -9922,6 +9939,7 @@ If the schedule is empty, the user will be updated to use the default schedule.|
   "daily_cost": 0,
   "deadline": "2019-08-24T14:15:22Z",
   "has_ai_task": true,
+  "has_external_agent": true,
   "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
   "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
   "initiator_name": "string",
@@ -10131,6 +10149,7 @@ If the schedule is empty, the user will be updated to use the default schedule.|
 | `daily_cost`                 | integer                                                           | false    |              |                                                                     |
 | `deadline`                   | string                                                            | false    |              |                                                                     |
 | `has_ai_task`                | boolean                                                           | false    |              |                                                                     |
+| `has_external_agent`         | boolean                                                           | false    |              |                                                                     |
 | `id`                         | string                                                            | false    |              |                                                                     |
 | `initiator_id`               | string                                                            | false    |              |                                                                     |
 | `initiator_name`             | string                                                            | false    |              |                                                                     |
@@ -10670,6 +10689,7 @@ If the schedule is empty, the user will be updated to use the default schedule.|
         "daily_cost": 0,
         "deadline": "2019-08-24T14:15:22Z",
         "has_ai_task": true,
+        "has_external_agent": true,
         "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
         "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
         "initiator_name": "string",
diff --git a/docs/reference/api/workspaces.md b/docs/reference/api/workspaces.md
index 70338fdeb1814..4f201bd139d21 100644
--- a/docs/reference/api/workspaces.md
+++ b/docs/reference/api/workspaces.md
@@ -88,6 +88,7 @@ of the template will be used.
     "daily_cost": 0,
     "deadline": "2019-08-24T14:15:22Z",
     "has_ai_task": true,
+    "has_external_agent": true,
     "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
     "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
     "initiator_name": "string",
@@ -376,6 +377,7 @@ curl -X GET http://coder-server:8080/api/v2/users/{user}/workspace/{workspacenam
     "daily_cost": 0,
     "deadline": "2019-08-24T14:15:22Z",
     "has_ai_task": true,
+    "has_external_agent": true,
     "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
     "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
     "initiator_name": "string",
@@ -689,6 +691,7 @@ of the template will be used.
     "daily_cost": 0,
     "deadline": "2019-08-24T14:15:22Z",
     "has_ai_task": true,
+    "has_external_agent": true,
     "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
     "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
     "initiator_name": "string",
@@ -930,11 +933,11 @@ curl -X GET http://coder-server:8080/api/v2/workspaces \
 
 ### Parameters
 
-| Name     | In    | Type    | Required | Description                                                                                                                                                    |
-|----------|-------|---------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `q`      | query | string  | false    | Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task. |
-| `limit`  | query | integer | false    | Page limit                                                                                                                                                     |
-| `offset` | query | integer | false    | Page offset                                                                                                                                                    |
+| Name     | In    | Type    | Required | Description                                                                                                                                                                        |
+|----------|-------|---------|----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `q`      | query | string  | false    | Search query in the format `key:value`. Available keys are: owner, template, name, status, has-agent, dormant, last_used_after, last_used_before, has-ai-task, has-external-agent. |
+| `limit`  | query | integer | false    | Page limit                                                                                                                                                                         |
+| `offset` | query | integer | false    | Page offset                                                                                                                                                                        |
 
 ### Example responses
 
@@ -980,6 +983,7 @@ curl -X GET http://coder-server:8080/api/v2/workspaces \
         "daily_cost": 0,
         "deadline": "2019-08-24T14:15:22Z",
         "has_ai_task": true,
+        "has_external_agent": true,
         "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
         "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
         "initiator_name": "string",
@@ -1252,6 +1256,7 @@ curl -X GET http://coder-server:8080/api/v2/workspaces/{workspace} \
     "daily_cost": 0,
     "deadline": "2019-08-24T14:15:22Z",
     "has_ai_task": true,
+    "has_external_agent": true,
     "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
     "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
     "initiator_name": "string",
@@ -1699,6 +1704,7 @@ curl -X PUT http://coder-server:8080/api/v2/workspaces/{workspace}/dormant \
     "daily_cost": 0,
     "deadline": "2019-08-24T14:15:22Z",
     "has_ai_task": true,
+    "has_external_agent": true,
     "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
     "initiator_id": "06588898-9a84-4b35-ba8f-f9cbd64946f3",
     "initiator_name": "string",
diff --git a/docs/reference/cli/external-workspaces.md b/docs/reference/cli/external-workspaces.md
new file mode 100644
index 0000000000000..5e1f27a7794ad
--- /dev/null
+++ b/docs/reference/cli/external-workspaces.md
@@ -0,0 +1,29 @@
+<!-- DO NOT EDIT | GENERATED CONTENT -->
+# external-workspaces
+
+Create or manage external workspaces
+
+## Usage
+
+```console
+coder external-workspaces [flags] [subcommand]
+```
+
+## Subcommands
+
+| Name                                                                           | Purpose                                    |
+|--------------------------------------------------------------------------------|--------------------------------------------|
+| [<code>create</code>](./external-workspaces_create.md)                         | Create a new external workspace            |
+| [<code>agent-instructions</code>](./external-workspaces_agent-instructions.md) | Get the instructions for an external agent |
+| [<code>list</code>](./external-workspaces_list.md)                             | List external workspaces                   |
+
+## Options
+
+### -O, --org
+
+|             |                                  |
+|-------------|----------------------------------|
+| Type        | <code>string</code>              |
+| Environment | <code>$CODER_ORGANIZATION</code> |
+
+Select which organization (uuid or name) to use.
diff --git a/docs/reference/cli/external-workspaces_agent-instructions.md b/docs/reference/cli/external-workspaces_agent-instructions.md
new file mode 100644
index 0000000000000..d284a48de7173
--- /dev/null
+++ b/docs/reference/cli/external-workspaces_agent-instructions.md
@@ -0,0 +1,21 @@
+<!-- DO NOT EDIT | GENERATED CONTENT -->
+# external-workspaces agent-instructions
+
+Get the instructions for an external agent
+
+## Usage
+
+```console
+coder external-workspaces agent-instructions [flags] [user/]workspace[.agent]
+```
+
+## Options
+
+### -o, --output
+
+|         |                         |
+|---------|-------------------------|
+| Type    | <code>text\|json</code> |
+| Default | <code>text</code>       |
+
+Output format.
diff --git a/docs/reference/cli/external-workspaces_create.md b/docs/reference/cli/external-workspaces_create.md
new file mode 100644
index 0000000000000..b0744387a1d70
--- /dev/null
+++ b/docs/reference/cli/external-workspaces_create.md
@@ -0,0 +1,128 @@
+<!-- DO NOT EDIT | GENERATED CONTENT -->
+# external-workspaces create
+
+Create a new external workspace
+
+## Usage
+
+```console
+coder external-workspaces create [flags] [workspace]
+```
+
+## Description
+
+```console
+  - Create a workspace for another user (if you have permission):
+
+     $ coder create <username>/<workspace_name>
+```
+
+## Options
+
+### -t, --template
+
+|             |                                   |
+|-------------|-----------------------------------|
+| Type        | <code>string</code>               |
+| Environment | <code>$CODER_TEMPLATE_NAME</code> |
+
+Specify a template name.
+
+### --template-version
+
+|             |                                      |
+|-------------|--------------------------------------|
+| Type        | <code>string</code>                  |
+| Environment | <code>$CODER_TEMPLATE_VERSION</code> |
+
+Specify a template version name.
+
+### --preset
+
+|             |                                 |
+|-------------|---------------------------------|
+| Type        | <code>string</code>             |
+| Environment | <code>$CODER_PRESET_NAME</code> |
+
+Specify the name of a template version preset. Use 'none' to explicitly indicate that no preset should be used.
+
+### --start-at
+
+|             |                                        |
+|-------------|----------------------------------------|
+| Type        | <code>string</code>                    |
+| Environment | <code>$CODER_WORKSPACE_START_AT</code> |
+
+Specify the workspace autostart schedule. Check coder schedule start --help for the syntax.
+
+### --stop-after
+
+|             |                                          |
+|-------------|------------------------------------------|
+| Type        | <code>duration</code>                    |
+| Environment | <code>$CODER_WORKSPACE_STOP_AFTER</code> |
+
+Specify a duration after which the workspace should shut down (e.g. 8h).
+
+### --automatic-updates
+
+|             |                                                 |
+|-------------|-------------------------------------------------|
+| Type        | <code>string</code>                             |
+| Environment | <code>$CODER_WORKSPACE_AUTOMATIC_UPDATES</code> |
+| Default     | <code>never</code>                              |
+
+Specify automatic updates setting for the workspace (accepts 'always' or 'never').
+
+### --copy-parameters-from
+
+|             |                                                    |
+|-------------|----------------------------------------------------|
+| Type        | <code>string</code>                                |
+| Environment | <code>$CODER_WORKSPACE_COPY_PARAMETERS_FROM</code> |
+
+Specify the source workspace name to copy parameters from.
+
+### -y, --yes
+
+|      |                   |
+|------|-------------------|
+| Type | <code>bool</code> |
+
+Bypass prompts.
+
+### --parameter
+
+|             |                                    |
+|-------------|------------------------------------|
+| Type        | <code>string-array</code>          |
+| Environment | <code>$CODER_RICH_PARAMETER</code> |
+
+Rich parameter value in the format "name=value".
+
+### --rich-parameter-file
+
+|             |                                         |
+|-------------|-----------------------------------------|
+| Type        | <code>string</code>                     |
+| Environment | <code>$CODER_RICH_PARAMETER_FILE</code> |
+
+Specify a file path with values for rich parameters defined in the template. The file should be in YAML format, containing key-value pairs for the parameters.
+
+### --parameter-default
+
+|             |                                            |
+|-------------|--------------------------------------------|
+| Type        | <code>string-array</code>                  |
+| Environment | <code>$CODER_RICH_PARAMETER_DEFAULT</code> |
+
+Rich parameter default values in the format "name=value".
+
+### -O, --org
+
+|             |                                  |
+|-------------|----------------------------------|
+| Type        | <code>string</code>              |
+| Environment | <code>$CODER_ORGANIZATION</code> |
+
+Select which organization (uuid or name) to use.
diff --git a/docs/reference/cli/external-workspaces_list.md b/docs/reference/cli/external-workspaces_list.md
new file mode 100644
index 0000000000000..061aaa29d7a0b
--- /dev/null
+++ b/docs/reference/cli/external-workspaces_list.md
@@ -0,0 +1,51 @@
+<!-- DO NOT EDIT | GENERATED CONTENT -->
+# external-workspaces list
+
+List external workspaces
+
+Aliases:
+
+* ls
+
+## Usage
+
+```console
+coder external-workspaces list [flags]
+```
+
+## Options
+
+### -a, --all
+
+|      |                   |
+|------|-------------------|
+| Type | <code>bool</code> |
+
+Specifies whether all workspaces will be listed or not.
+
+### --search
+
+|         |                       |
+|---------|-----------------------|
+| Type    | <code>string</code>   |
+| Default | <code>owner:me</code> |
+
+Search for a workspace with a query.
+
+### -c, --column
+
+|         |                                                                                                                                                                                                       |
+|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Type    | <code>[favorite\|workspace\|organization id\|organization name\|template\|status\|healthy\|last built\|current version\|outdated\|starts at\|starts next\|stops after\|stops next\|daily cost]</code> |
+| Default | <code>workspace,template,status,healthy,last built,current version,outdated</code>                                                                                                                    |
+
+Columns to display in table output.
+
+### -o, --output
+
+|         |                          |
+|---------|--------------------------|
+| Type    | <code>table\|json</code> |
+| Default | <code>table</code>       |
+
+Output format.
diff --git a/docs/reference/cli/index.md b/docs/reference/cli/index.md
index 1992e5d6e9ac3..8a558030aeb9a 100644
--- a/docs/reference/cli/index.md
+++ b/docs/reference/cli/index.md
@@ -22,51 +22,52 @@ Coder — A tool for provisioning self-hosted development environments with Terr
 
 ## Subcommands
 
-| Name                                               | Purpose                                                                                                                      |
-|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
-| [<code>completion</code>](./completion.md)         | Install or update shell completion scripts for the detected or chosen shell.                                                 |
-| [<code>dotfiles</code>](./dotfiles.md)             | Personalize your workspace by applying a canonical dotfiles repository                                                       |
-| [<code>external-auth</code>](./external-auth.md)   | Manage external authentication                                                                                               |
-| [<code>login</code>](./login.md)                   | Authenticate with Coder deployment                                                                                           |
-| [<code>logout</code>](./logout.md)                 | Unauthenticate your local session                                                                                            |
-| [<code>netcheck</code>](./netcheck.md)             | Print network debug information for DERP and STUN                                                                            |
-| [<code>notifications</code>](./notifications.md)   | Manage Coder notifications                                                                                                   |
-| [<code>organizations</code>](./organizations.md)   | Organization related commands                                                                                                |
-| [<code>port-forward</code>](./port-forward.md)     | Forward ports from a workspace to the local machine. For reverse port forwarding, use "coder ssh -R".                        |
-| [<code>publickey</code>](./publickey.md)           | Output your Coder public key used for Git operations                                                                         |
-| [<code>reset-password</code>](./reset-password.md) | Directly connect to the database to reset a user's password                                                                  |
-| [<code>state</code>](./state.md)                   | Manually manage Terraform state to fix broken workspaces                                                                     |
-| [<code>templates</code>](./templates.md)           | Manage templates                                                                                                             |
-| [<code>tokens</code>](./tokens.md)                 | Manage personal access tokens                                                                                                |
-| [<code>users</code>](./users.md)                   | Manage users                                                                                                                 |
-| [<code>version</code>](./version.md)               | Show coder version                                                                                                           |
-| [<code>autoupdate</code>](./autoupdate.md)         | Toggle auto-update policy for a workspace                                                                                    |
-| [<code>config-ssh</code>](./config-ssh.md)         | Add an SSH Host entry for your workspaces "ssh workspace.coder"                                                              |
-| [<code>create</code>](./create.md)                 | Create a workspace                                                                                                           |
-| [<code>delete</code>](./delete.md)                 | Delete a workspace                                                                                                           |
-| [<code>favorite</code>](./favorite.md)             | Add a workspace to your favorites                                                                                            |
-| [<code>list</code>](./list.md)                     | List workspaces                                                                                                              |
-| [<code>open</code>](./open.md)                     | Open a workspace                                                                                                             |
-| [<code>ping</code>](./ping.md)                     | Ping a workspace                                                                                                             |
-| [<code>rename</code>](./rename.md)                 | Rename a workspace                                                                                                           |
-| [<code>restart</code>](./restart.md)               | Restart a workspace                                                                                                          |
-| [<code>schedule</code>](./schedule.md)             | Schedule automated start and stop times for workspaces                                                                       |
-| [<code>show</code>](./show.md)                     | Display details of a workspace's resources and agents                                                                        |
-| [<code>speedtest</code>](./speedtest.md)           | Run upload and download tests from your machine to a workspace                                                               |
-| [<code>ssh</code>](./ssh.md)                       | Start a shell into a workspace or run a command                                                                              |
-| [<code>start</code>](./start.md)                   | Start a workspace                                                                                                            |
-| [<code>stat</code>](./stat.md)                     | Show resource usage for the current workspace.                                                                               |
-| [<code>stop</code>](./stop.md)                     | Stop a workspace                                                                                                             |
-| [<code>unfavorite</code>](./unfavorite.md)         | Remove a workspace from your favorites                                                                                       |
-| [<code>update</code>](./update.md)                 | Will update and start a given workspace if it is out of date. If the workspace is already running, it will be stopped first. |
-| [<code>whoami</code>](./whoami.md)                 | Fetch authenticated user info for Coder deployment                                                                           |
-| [<code>support</code>](./support.md)               | Commands for troubleshooting issues with a Coder deployment.                                                                 |
-| [<code>server</code>](./server.md)                 | Start a Coder server                                                                                                         |
-| [<code>features</code>](./features.md)             | List Enterprise features                                                                                                     |
-| [<code>licenses</code>](./licenses.md)             | Add, delete, and list licenses                                                                                               |
-| [<code>groups</code>](./groups.md)                 | Manage groups                                                                                                                |
-| [<code>prebuilds</code>](./prebuilds.md)           | Manage Coder prebuilds                                                                                                       |
-| [<code>provisioner</code>](./provisioner.md)       | View and manage provisioner daemons and jobs                                                                                 |
+| Name                                                         | Purpose                                                                                                                      |
+|--------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
+| [<code>completion</code>](./completion.md)                   | Install or update shell completion scripts for the detected or chosen shell.                                                 |
+| [<code>dotfiles</code>](./dotfiles.md)                       | Personalize your workspace by applying a canonical dotfiles repository                                                       |
+| [<code>external-auth</code>](./external-auth.md)             | Manage external authentication                                                                                               |
+| [<code>login</code>](./login.md)                             | Authenticate with Coder deployment                                                                                           |
+| [<code>logout</code>](./logout.md)                           | Unauthenticate your local session                                                                                            |
+| [<code>netcheck</code>](./netcheck.md)                       | Print network debug information for DERP and STUN                                                                            |
+| [<code>notifications</code>](./notifications.md)             | Manage Coder notifications                                                                                                   |
+| [<code>organizations</code>](./organizations.md)             | Organization related commands                                                                                                |
+| [<code>port-forward</code>](./port-forward.md)               | Forward ports from a workspace to the local machine. For reverse port forwarding, use "coder ssh -R".                        |
+| [<code>publickey</code>](./publickey.md)                     | Output your Coder public key used for Git operations                                                                         |
+| [<code>reset-password</code>](./reset-password.md)           | Directly connect to the database to reset a user's password                                                                  |
+| [<code>state</code>](./state.md)                             | Manually manage Terraform state to fix broken workspaces                                                                     |
+| [<code>templates</code>](./templates.md)                     | Manage templates                                                                                                             |
+| [<code>tokens</code>](./tokens.md)                           | Manage personal access tokens                                                                                                |
+| [<code>users</code>](./users.md)                             | Manage users                                                                                                                 |
+| [<code>version</code>](./version.md)                         | Show coder version                                                                                                           |
+| [<code>autoupdate</code>](./autoupdate.md)                   | Toggle auto-update policy for a workspace                                                                                    |
+| [<code>config-ssh</code>](./config-ssh.md)                   | Add an SSH Host entry for your workspaces "ssh workspace.coder"                                                              |
+| [<code>create</code>](./create.md)                           | Create a workspace                                                                                                           |
+| [<code>delete</code>](./delete.md)                           | Delete a workspace                                                                                                           |
+| [<code>favorite</code>](./favorite.md)                       | Add a workspace to your favorites                                                                                            |
+| [<code>list</code>](./list.md)                               | List workspaces                                                                                                              |
+| [<code>open</code>](./open.md)                               | Open a workspace                                                                                                             |
+| [<code>ping</code>](./ping.md)                               | Ping a workspace                                                                                                             |
+| [<code>rename</code>](./rename.md)                           | Rename a workspace                                                                                                           |
+| [<code>restart</code>](./restart.md)                         | Restart a workspace                                                                                                          |
+| [<code>schedule</code>](./schedule.md)                       | Schedule automated start and stop times for workspaces                                                                       |
+| [<code>show</code>](./show.md)                               | Display details of a workspace's resources and agents                                                                        |
+| [<code>speedtest</code>](./speedtest.md)                     | Run upload and download tests from your machine to a workspace                                                               |
+| [<code>ssh</code>](./ssh.md)                                 | Start a shell into a workspace or run a command                                                                              |
+| [<code>start</code>](./start.md)                             | Start a workspace                                                                                                            |
+| [<code>stat</code>](./stat.md)                               | Show resource usage for the current workspace.                                                                               |
+| [<code>stop</code>](./stop.md)                               | Stop a workspace                                                                                                             |
+| [<code>unfavorite</code>](./unfavorite.md)                   | Remove a workspace from your favorites                                                                                       |
+| [<code>update</code>](./update.md)                           | Will update and start a given workspace if it is out of date. If the workspace is already running, it will be stopped first. |
+| [<code>whoami</code>](./whoami.md)                           | Fetch authenticated user info for Coder deployment                                                                           |
+| [<code>external-workspaces</code>](./external-workspaces.md) | Create or manage external workspaces                                                                                         |
+| [<code>support</code>](./support.md)                         | Commands for troubleshooting issues with a Coder deployment.                                                                 |
+| [<code>server</code>](./server.md)                           | Start a Coder server                                                                                                         |
+| [<code>features</code>](./features.md)                       | List Enterprise features                                                                                                     |
+| [<code>licenses</code>](./licenses.md)                       | Add, delete, and list licenses                                                                                               |
+| [<code>groups</code>](./groups.md)                           | Manage groups                                                                                                                |
+| [<code>prebuilds</code>](./prebuilds.md)                     | Manage Coder prebuilds                                                                                                       |
+| [<code>provisioner</code>](./provisioner.md)                 | View and manage provisioner daemons and jobs                                                                                 |
 
 ## Options
 
diff --git a/enterprise/audit/table.go b/enterprise/audit/table.go
index 1ad76a1e44ca9..0519efd72f31b 100644
--- a/enterprise/audit/table.go
+++ b/enterprise/audit/table.go
@@ -135,6 +135,7 @@ var auditableResourcesTypes = map[any]map[string]Action{
 		"archived":                ActionTrack,
 		"source_example_id":       ActionIgnore, // Never changes.
 		"has_ai_task":             ActionIgnore, // Never changes.
+		"has_external_agent":      ActionIgnore, // Never changes.
 	},
 	&database.User{}: {
 		"id":                           ActionTrack,
@@ -197,6 +198,7 @@ var auditableResourcesTypes = map[any]map[string]Action{
 		"template_version_preset_id": ActionIgnore, // Never changes.
 		"has_ai_task":                ActionIgnore, // Never changes.
 		"ai_task_sidebar_app_id":     ActionIgnore, // Never changes.
+		"has_external_agent":         ActionIgnore, // Never changes.
 	},
 	&database.AuditableGroup{}: {
 		"id":              ActionTrack,
diff --git a/go.mod b/go.mod
index 19fbcff8f9a1c..d209c2f5a4e30 100644
--- a/go.mod
+++ b/go.mod
@@ -101,7 +101,7 @@ require (
 	github.com/coder/quartz v0.2.1
 	github.com/coder/retry v1.5.1
 	github.com/coder/serpent v0.10.0
-	github.com/coder/terraform-provider-coder/v2 v2.9.0
+	github.com/coder/terraform-provider-coder/v2 v2.10.0
 	github.com/coder/websocket v1.8.13
 	github.com/coder/wgtunnel v0.1.13-0.20240522110300-ade90dfb2da0
 	github.com/coreos/go-oidc/v3 v3.15.0
diff --git a/go.sum b/go.sum
index d86aeff72cac0..de6af41beb132 100644
--- a/go.sum
+++ b/go.sum
@@ -934,8 +934,8 @@ github.com/coder/tailscale v1.1.1-0.20250729141742-067f1e5d9716 h1:hi7o0sA+RPBq8
 github.com/coder/tailscale v1.1.1-0.20250729141742-067f1e5d9716/go.mod h1:l7ml5uu7lFh5hY28lGYM4b/oFSmuPHYX6uk4RAu23Lc=
 github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e h1:JNLPDi2P73laR1oAclY6jWzAbucf70ASAvf5mh2cME0=
 github.com/coder/terraform-config-inspect v0.0.0-20250107175719-6d06d90c630e/go.mod h1:Gz/z9Hbn+4KSp8A2FBtNszfLSdT2Tn/uAKGuVqqWmDI=
-github.com/coder/terraform-provider-coder/v2 v2.9.0 h1:nd9d1/qHTdx5foBLZoy0SWCc0W13GQUbPTzeGsuLlU0=
-github.com/coder/terraform-provider-coder/v2 v2.9.0/go.mod h1:f8xPh0riDTRwqoPWkjas5VgIBaiRiWH+STb0TZw2fgY=
+github.com/coder/terraform-provider-coder/v2 v2.10.0 h1:cGPMfARGHKb80kZsbDX/t/YKwMOwI5zkIyVCQziHR2M=
+github.com/coder/terraform-provider-coder/v2 v2.10.0/go.mod h1:f8xPh0riDTRwqoPWkjas5VgIBaiRiWH+STb0TZw2fgY=
 github.com/coder/trivy v0.0.0-20250527170238-9416a59d7019 h1:MHkv/W7l9eRAN9gOG0qZ1TLRGWIIfNi92273vPAQ8Fs=
 github.com/coder/trivy v0.0.0-20250527170238-9416a59d7019/go.mod h1:eqk+w9RLBmbd/cB5XfPZFuVn77cf/A6fB7qmEVeSmXk=
 github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
diff --git a/provisioner/terraform/executor.go b/provisioner/terraform/executor.go
index ea63f8c59877e..8940a1708bf19 100644
--- a/provisioner/terraform/executor.go
+++ b/provisioner/terraform/executor.go
@@ -363,6 +363,7 @@ func (e *executor) plan(ctx, killCtx context.Context, env, vars []string, logr l
 		ModuleFiles:           moduleFiles,
 		HasAiTasks:            state.HasAITasks,
 		AiTasks:               state.AITasks,
+		HasExternalAgents:     state.HasExternalAgents,
 	}
 
 	return msg, nil
diff --git a/provisioner/terraform/provision_test.go b/provisioner/terraform/provision_test.go
index d067965997308..90a34e6d03a8c 100644
--- a/provisioner/terraform/provision_test.go
+++ b/provisioner/terraform/provision_test.go
@@ -1135,6 +1135,31 @@ func TestProvision(t *testing.T) {
 				HasAiTasks: true,
 			},
 		},
+		{
+			Name: "external-agent",
+			Files: map[string]string{
+				"main.tf": `terraform {
+					required_providers {
+					  coder = {
+						source  = "coder/coder"
+						version = ">= 2.7.0"
+					  }
+					}
+				}
+				resource "coder_external_agent" "example" {
+					agent_id = "123"
+				}
+				`,
+			},
+			Response: &proto.PlanComplete{
+				Resources: []*proto.Resource{{
+					Name: "example",
+					Type: "coder_external_agent",
+				}},
+				HasExternalAgents: true,
+			},
+			SkipCacheProviders: true,
+		},
 	}
 
 	// Remove unused cache dirs before running tests.
@@ -1237,6 +1262,7 @@ func TestProvision(t *testing.T) {
 				require.Equal(t, string(modulesWant), string(modulesGot))
 
 				require.Equal(t, planComplete.HasAiTasks, testCase.Response.HasAiTasks)
+				require.Equal(t, planComplete.HasExternalAgents, testCase.Response.HasExternalAgents)
 			}
 
 			if testCase.Apply {
diff --git a/provisioner/terraform/resources.go b/provisioner/terraform/resources.go
index 9642751e7466a..3dcead074c22a 100644
--- a/provisioner/terraform/resources.go
+++ b/provisioner/terraform/resources.go
@@ -165,6 +165,7 @@ type State struct {
 	ExternalAuthProviders []*proto.ExternalAuthProviderResource
 	AITasks               []*proto.AITask
 	HasAITasks            bool
+	HasExternalAgents     bool
 }
 
 var ErrInvalidTerraformAddr = xerrors.New("invalid terraform address")
@@ -188,6 +189,20 @@ func hasAITaskResources(graph *gographviz.Graph) bool {
 	return false
 }
 
+func hasExternalAgentResources(graph *gographviz.Graph) bool {
+	for _, node := range graph.Nodes.Lookup {
+		if label, exists := node.Attrs["label"]; exists {
+			labelValue := strings.Trim(label, `"`)
+			// The first condition is for the case where the resource is in the root module.
+			// The second condition is for the case where the resource is in a child module.
+			if strings.HasPrefix(labelValue, "coder_external_agent.") || strings.Contains(labelValue, ".coder_external_agent.") {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // ConvertState consumes Terraform state and a GraphViz representation
 // produced by `terraform graph` to produce resources consumable by Coder.
 // nolint:gocognit // This function makes more sense being large for now, until refactored.
@@ -1065,6 +1080,7 @@ func ConvertState(ctx context.Context, modules []*tfjson.StateModule, rawGraph s
 		ExternalAuthProviders: externalAuthProviders,
 		HasAITasks:            hasAITasks,
 		AITasks:               aiTasks,
+		HasExternalAgents:     hasExternalAgentResources(graph),
 	}, nil
 }
 
@@ -1252,7 +1268,8 @@ func findResourcesInGraph(graph *gographviz.Graph, tfResourcesByLabel map[string
 				continue
 			}
 			// Don't associate Coder resources with other Coder resources!
-			if strings.HasPrefix(resource.Type, "coder_") {
+			// Except for coder_external_agent, which is a special case.
+			if strings.HasPrefix(resource.Type, "coder_") && resource.Type != "coder_external_agent" {
 				continue
 			}
 			graphResources = append(graphResources, &graphResource{
diff --git a/provisioner/terraform/resources_test.go b/provisioner/terraform/resources_test.go
index 1575c6c9c159e..715055c00cad9 100644
--- a/provisioner/terraform/resources_test.go
+++ b/provisioner/terraform/resources_test.go
@@ -1573,6 +1573,35 @@ func TestAITasks(t *testing.T) {
 	})
 }
 
+func TestExternalAgents(t *testing.T) {
+	t.Parallel()
+	ctx, logger := ctxAndLogger(t)
+
+	t.Run("External agents can be defined", func(t *testing.T) {
+		t.Parallel()
+
+		// nolint:dogsled
+		_, filename, _, _ := runtime.Caller(0)
+
+		dir := filepath.Join(filepath.Dir(filename), "testdata", "resources", "external-agents")
+		tfPlanRaw, err := os.ReadFile(filepath.Join(dir, "external-agents.tfplan.json"))
+		require.NoError(t, err)
+		var tfPlan tfjson.Plan
+		err = json.Unmarshal(tfPlanRaw, &tfPlan)
+		require.NoError(t, err)
+		tfPlanGraph, err := os.ReadFile(filepath.Join(dir, "external-agents.tfplan.dot"))
+		require.NoError(t, err)
+
+		state, err := terraform.ConvertState(ctx, []*tfjson.StateModule{tfPlan.PlannedValues.RootModule, tfPlan.PriorState.Values.RootModule}, string(tfPlanGraph), logger)
+		require.NotNil(t, state)
+		require.NoError(t, err)
+		require.True(t, state.HasExternalAgents)
+		require.Len(t, state.Resources, 1)
+		require.Len(t, state.Resources[0].Agents, 1)
+		require.Equal(t, "dev1", state.Resources[0].Agents[0].Name)
+	})
+}
+
 // sortResource ensures resources appear in a consistent ordering
 // to prevent tests from flaking.
 func sortResources(resources []*proto.Resource) {
diff --git a/provisioner/terraform/testdata/resources/external-agents/external-agents.tfplan.dot b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfplan.dot
new file mode 100644
index 0000000000000..d2db86a89e488
--- /dev/null
+++ b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfplan.dot
@@ -0,0 +1,22 @@
+digraph {
+	compound = "true"
+	newrank = "true"
+	subgraph "root" {
+		"[root] coder_agent.dev1 (expand)" [label = "coder_agent.dev1", shape = "box"]
+		"[root] coder_external_agent.dev1 (expand)" [label = "coder_external_agent.dev1", shape = "box"]
+		"[root] data.coder_provisioner.me (expand)" [label = "data.coder_provisioner.me", shape = "box"]
+		"[root] data.coder_workspace.me (expand)" [label = "data.coder_workspace.me", shape = "box"]
+		"[root] data.coder_workspace_owner.me (expand)" [label = "data.coder_workspace_owner.me", shape = "box"]
+		"[root] provider[\"registry.terraform.io/coder/coder\"]" [label = "provider[\"registry.terraform.io/coder/coder\"]", shape = "diamond"]
+		"[root] coder_agent.dev1 (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] coder_external_agent.dev1 (expand)" -> "[root] coder_agent.dev1 (expand)"
+		"[root] data.coder_provisioner.me (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] data.coder_workspace.me (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] data.coder_workspace_owner.me (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] coder_external_agent.dev1 (expand)"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] data.coder_provisioner.me (expand)"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] data.coder_workspace.me (expand)"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] data.coder_workspace_owner.me (expand)"
+		"[root] root" -> "[root] provider[\"registry.terraform.io/coder/coder\"] (close)"
+	}
+}
diff --git a/provisioner/terraform/testdata/resources/external-agents/external-agents.tfplan.json b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfplan.json
new file mode 100644
index 0000000000000..317ef993211cb
--- /dev/null
+++ b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfplan.json
@@ -0,0 +1,277 @@
+{
+  "format_version": "1.2",
+  "terraform_version": "1.12.2",
+  "planned_values": {
+    "root_module": {
+      "resources": [
+        {
+          "address": "coder_agent.dev1",
+          "mode": "managed",
+          "type": "coder_agent",
+          "name": "dev1",
+          "provider_name": "registry.terraform.io/coder/coder",
+          "schema_version": 1,
+          "values": {
+            "api_key_scope": "all",
+            "arch": "amd64",
+            "auth": "token",
+            "connection_timeout": 120,
+            "dir": null,
+            "env": null,
+            "metadata": [],
+            "motd_file": null,
+            "order": null,
+            "os": "linux",
+            "resources_monitoring": [],
+            "shutdown_script": null,
+            "startup_script": null,
+            "startup_script_behavior": "non-blocking",
+            "troubleshooting_url": null
+          },
+          "sensitive_values": {
+            "display_apps": [],
+            "metadata": [],
+            "resources_monitoring": [],
+            "token": true
+          }
+        },
+        {
+          "address": "coder_external_agent.dev1",
+          "mode": "managed",
+          "type": "coder_external_agent",
+          "name": "dev1",
+          "provider_name": "registry.terraform.io/coder/coder",
+          "schema_version": 1,
+          "sensitive_values": {
+            "token": true
+          }
+        }
+      ]
+    }
+  },
+  "resource_changes": [
+    {
+      "address": "coder_agent.dev1",
+      "mode": "managed",
+      "type": "coder_agent",
+      "name": "dev1",
+      "provider_name": "registry.terraform.io/coder/coder",
+      "change": {
+        "actions": [
+          "create"
+        ],
+        "before": null,
+        "after": {
+          "api_key_scope": "all",
+          "arch": "amd64",
+          "auth": "token",
+          "connection_timeout": 120,
+          "dir": null,
+          "env": null,
+          "metadata": [],
+          "motd_file": null,
+          "order": null,
+          "os": "linux",
+          "resources_monitoring": [],
+          "shutdown_script": null,
+          "startup_script": null,
+          "startup_script_behavior": "non-blocking",
+          "troubleshooting_url": null
+        },
+        "after_unknown": {
+          "display_apps": true,
+          "id": true,
+          "init_script": true,
+          "metadata": [],
+          "resources_monitoring": [],
+          "token": true
+        },
+        "before_sensitive": false,
+        "after_sensitive": {
+          "display_apps": [],
+          "metadata": [],
+          "resources_monitoring": [],
+          "token": true
+        }
+      }
+    },
+    {
+      "address": "coder_external_agent.dev1",
+      "mode": "managed",
+      "type": "coder_external_agent",
+      "name": "dev1",
+      "provider_name": "registry.terraform.io/coder/coder",
+      "change": {
+        "actions": [
+          "create"
+        ],
+        "before": null,
+        "after": {},
+        "after_unknown": {
+          "id": true,
+          "token": true
+        },
+        "before_sensitive": false,
+        "after_sensitive": {
+          "token": true
+        }
+      }
+    }
+  ],
+  "prior_state": {
+    "format_version": "1.0",
+    "terraform_version": "1.12.2",
+    "values": {
+      "root_module": {
+        "resources": [
+          {
+            "address": "data.coder_provisioner.me",
+            "mode": "data",
+            "type": "coder_provisioner",
+            "name": "me",
+            "provider_name": "registry.terraform.io/coder/coder",
+            "schema_version": 1,
+            "values": {
+              "arch": "amd64",
+              "id": "d607be41-7697-475f-8257-2f6e24adbede",
+              "os": "linux"
+            },
+            "sensitive_values": {}
+          },
+          {
+            "address": "data.coder_workspace.me",
+            "mode": "data",
+            "type": "coder_workspace",
+            "name": "me",
+            "provider_name": "registry.terraform.io/coder/coder",
+            "schema_version": 1,
+            "values": {
+              "access_port": 443,
+              "access_url": "https://dev.coder.com/",
+              "id": "0b7fc772-5e27-4096-b8a3-9e6a8b914ebe",
+              "is_prebuild": false,
+              "is_prebuild_claim": false,
+              "name": "kacper",
+              "prebuild_count": 0,
+              "start_count": 1,
+              "template_id": "",
+              "template_name": "",
+              "template_version": "",
+              "transition": "start"
+            },
+            "sensitive_values": {}
+          },
+          {
+            "address": "data.coder_workspace_owner.me",
+            "mode": "data",
+            "type": "coder_workspace_owner",
+            "name": "me",
+            "provider_name": "registry.terraform.io/coder/coder",
+            "schema_version": 0,
+            "values": {
+              "email": "default@example.com",
+              "full_name": "kacpersaw",
+              "groups": [],
+              "id": "1ebd1795-7cf2-47c5-8024-5d56e68f1681",
+              "login_type": null,
+              "name": "default",
+              "oidc_access_token": "",
+              "rbac_roles": [],
+              "session_token": "",
+              "ssh_private_key": "",
+              "ssh_public_key": ""
+            },
+            "sensitive_values": {
+              "groups": [],
+              "oidc_access_token": true,
+              "rbac_roles": [],
+              "session_token": true,
+              "ssh_private_key": true
+            }
+          }
+        ]
+      }
+    }
+  },
+  "configuration": {
+    "provider_config": {
+      "coder": {
+        "name": "coder",
+        "full_name": "registry.terraform.io/coder/coder",
+        "version_constraint": ">= 2.0.0"
+      }
+    },
+    "root_module": {
+      "resources": [
+        {
+          "address": "coder_agent.dev1",
+          "mode": "managed",
+          "type": "coder_agent",
+          "name": "dev1",
+          "provider_config_key": "coder",
+          "expressions": {
+            "arch": {
+              "constant_value": "amd64"
+            },
+            "os": {
+              "constant_value": "linux"
+            }
+          },
+          "schema_version": 1
+        },
+        {
+          "address": "coder_external_agent.dev1",
+          "mode": "managed",
+          "type": "coder_external_agent",
+          "name": "dev1",
+          "provider_config_key": "coder",
+          "expressions": {
+            "token": {
+              "references": [
+                "coder_agent.dev1.token",
+                "coder_agent.dev1"
+              ]
+            }
+          },
+          "schema_version": 1
+        },
+        {
+          "address": "data.coder_provisioner.me",
+          "mode": "data",
+          "type": "coder_provisioner",
+          "name": "me",
+          "provider_config_key": "coder",
+          "schema_version": 1
+        },
+        {
+          "address": "data.coder_workspace.me",
+          "mode": "data",
+          "type": "coder_workspace",
+          "name": "me",
+          "provider_config_key": "coder",
+          "schema_version": 1
+        },
+        {
+          "address": "data.coder_workspace_owner.me",
+          "mode": "data",
+          "type": "coder_workspace_owner",
+          "name": "me",
+          "provider_config_key": "coder",
+          "schema_version": 0
+        }
+      ]
+    }
+  },
+  "relevant_attributes": [
+    {
+      "resource": "coder_agent.dev1",
+      "attribute": [
+        "token"
+      ]
+    }
+  ],
+  "timestamp": "2025-07-31T11:08:54Z",
+  "applyable": true,
+  "complete": true,
+  "errored": false
+}
diff --git a/provisioner/terraform/testdata/resources/external-agents/external-agents.tfstate.dot b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfstate.dot
new file mode 100644
index 0000000000000..d2db86a89e488
--- /dev/null
+++ b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfstate.dot
@@ -0,0 +1,22 @@
+digraph {
+	compound = "true"
+	newrank = "true"
+	subgraph "root" {
+		"[root] coder_agent.dev1 (expand)" [label = "coder_agent.dev1", shape = "box"]
+		"[root] coder_external_agent.dev1 (expand)" [label = "coder_external_agent.dev1", shape = "box"]
+		"[root] data.coder_provisioner.me (expand)" [label = "data.coder_provisioner.me", shape = "box"]
+		"[root] data.coder_workspace.me (expand)" [label = "data.coder_workspace.me", shape = "box"]
+		"[root] data.coder_workspace_owner.me (expand)" [label = "data.coder_workspace_owner.me", shape = "box"]
+		"[root] provider[\"registry.terraform.io/coder/coder\"]" [label = "provider[\"registry.terraform.io/coder/coder\"]", shape = "diamond"]
+		"[root] coder_agent.dev1 (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] coder_external_agent.dev1 (expand)" -> "[root] coder_agent.dev1 (expand)"
+		"[root] data.coder_provisioner.me (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] data.coder_workspace.me (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] data.coder_workspace_owner.me (expand)" -> "[root] provider[\"registry.terraform.io/coder/coder\"]"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] coder_external_agent.dev1 (expand)"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] data.coder_provisioner.me (expand)"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] data.coder_workspace.me (expand)"
+		"[root] provider[\"registry.terraform.io/coder/coder\"] (close)" -> "[root] data.coder_workspace_owner.me (expand)"
+		"[root] root" -> "[root] provider[\"registry.terraform.io/coder/coder\"] (close)"
+	}
+}
diff --git a/provisioner/terraform/testdata/resources/external-agents/external-agents.tfstate.json b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfstate.json
new file mode 100644
index 0000000000000..807508201ce15
--- /dev/null
+++ b/provisioner/terraform/testdata/resources/external-agents/external-agents.tfstate.json
@@ -0,0 +1,138 @@
+{
+  "format_version": "1.0",
+  "terraform_version": "1.12.2",
+  "values": {
+    "root_module": {
+      "resources": [
+        {
+          "address": "data.coder_provisioner.me",
+          "mode": "data",
+          "type": "coder_provisioner",
+          "name": "me",
+          "provider_name": "registry.terraform.io/coder/coder",
+          "schema_version": 1,
+          "values": {
+            "arch": "amd64",
+            "id": "0ce4713c-28d6-4999-9381-52b8a603b672",
+            "os": "linux"
+          },
+          "sensitive_values": {}
+        },
+        {
+          "address": "data.coder_workspace.me",
+          "mode": "data",
+          "type": "coder_workspace",
+          "name": "me",
+          "provider_name": "registry.terraform.io/coder/coder",
+          "schema_version": 1,
+          "values": {
+            "access_port": 443,
+            "access_url": "https://dev.coder.com/",
+            "id": "dfa1dbe8-ad31-410b-b201-a4ed4d884938",
+            "is_prebuild": false,
+            "is_prebuild_claim": false,
+            "name": "kacper",
+            "prebuild_count": 0,
+            "start_count": 1,
+            "template_id": "",
+            "template_name": "",
+            "template_version": "",
+            "transition": "start"
+          },
+          "sensitive_values": {}
+        },
+        {
+          "address": "data.coder_workspace_owner.me",
+          "mode": "data",
+          "type": "coder_workspace_owner",
+          "name": "me",
+          "provider_name": "registry.terraform.io/coder/coder",
+          "schema_version": 0,
+          "values": {
+            "email": "default@example.com",
+            "full_name": "kacpersaw",
+            "groups": [],
+            "id": "f5e82b90-ea22-4288-8286-9cf7af651143",
+            "login_type": null,
+            "name": "default",
+            "oidc_access_token": "",
+            "rbac_roles": [],
+            "session_token": "",
+            "ssh_private_key": "",
+            "ssh_public_key": ""
+          },
+          "sensitive_values": {
+            "groups": [],
+            "oidc_access_token": true,
+            "rbac_roles": [],
+            "session_token": true,
+            "ssh_private_key": true
+          }
+        },
+        {
+          "address": "coder_agent.dev1",
+          "mode": "managed",
+          "type": "coder_agent",
+          "name": "dev1",
+          "provider_name": "registry.terraform.io/coder/coder",
+          "schema_version": 1,
+          "values": {
+            "api_key_scope": "all",
+            "arch": "amd64",
+            "auth": "token",
+            "connection_timeout": 120,
+            "dir": null,
+            "display_apps": [
+              {
+                "port_forwarding_helper": true,
+                "ssh_helper": true,
+                "vscode": true,
+                "vscode_insiders": false,
+                "web_terminal": true
+              }
+            ],
+            "env": null,
+            "id": "15a35370-3b2e-4ee7-8b28-81cef0152d8b",
+            "init_script": "",
+            "metadata": [],
+            "motd_file": null,
+            "order": null,
+            "os": "linux",
+            "resources_monitoring": [],
+            "shutdown_script": null,
+            "startup_script": null,
+            "startup_script_behavior": "non-blocking",
+            "token": "d054c66b-cc5c-41ae-aa0c-2098a1075272",
+            "troubleshooting_url": null
+          },
+          "sensitive_values": {
+            "display_apps": [
+              {}
+            ],
+            "metadata": [],
+            "resources_monitoring": [],
+            "token": true
+          }
+        },
+        {
+          "address": "coder_external_agent.dev1",
+          "mode": "managed",
+          "type": "coder_external_agent",
+          "name": "dev1",
+          "provider_name": "registry.terraform.io/coder/coder",
+          "schema_version": 1,
+          "values": {
+            "id": "4d87dd70-879c-4347-b0c1-b8f3587d1021",
+            "token": "d054c66b-cc5c-41ae-aa0c-2098a1075272"
+          },
+          "sensitive_values": {
+            "token": true
+          },
+          "depends_on": [
+            "coder_agent.dev1"
+          ]
+        }
+      ]
+    }
+  }
+}
diff --git a/provisioner/terraform/testdata/resources/external-agents/main.tf b/provisioner/terraform/testdata/resources/external-agents/main.tf
new file mode 100644
index 0000000000000..6e00b81a80dfc
--- /dev/null
+++ b/provisioner/terraform/testdata/resources/external-agents/main.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = ">=2.0.0"
+    }
+  }
+}
+
+data "coder_provisioner" "me" {}
+data "coder_workspace" "me" {}
+data "coder_workspace_owner" "me" {}
+
+resource "coder_agent" "dev1" {
+  os   = "linux"
+  arch = "amd64"
+}
+
+resource "coder_external_agent" "dev1" {
+  token = coder_agent.dev1.token
+}
diff --git a/provisioner/terraform/testdata/resources/version.txt b/provisioner/terraform/testdata/resources/version.txt
index 3d0e62313ced1..6b89d58f861a7 100644
--- a/provisioner/terraform/testdata/resources/version.txt
+++ b/provisioner/terraform/testdata/resources/version.txt
@@ -1 +1 @@
-1.11.4
+1.12.2
diff --git a/provisionerd/proto/provisionerd.pb.go b/provisionerd/proto/provisionerd.pb.go
index 9960105c78962..818719f1b3995 100644
--- a/provisionerd/proto/provisionerd.pb.go
+++ b/provisionerd/proto/provisionerd.pb.go
@@ -1403,6 +1403,7 @@ type CompletedJob_TemplateImport struct {
 	ModuleFiles                []byte                                `protobuf:"bytes,10,opt,name=module_files,json=moduleFiles,proto3" json:"module_files,omitempty"`
 	ModuleFilesHash            []byte                                `protobuf:"bytes,11,opt,name=module_files_hash,json=moduleFilesHash,proto3" json:"module_files_hash,omitempty"`
 	HasAiTasks                 bool                                  `protobuf:"varint,12,opt,name=has_ai_tasks,json=hasAiTasks,proto3" json:"has_ai_tasks,omitempty"`
+	HasExternalAgents          bool                                  `protobuf:"varint,13,opt,name=has_external_agents,json=hasExternalAgents,proto3" json:"has_external_agents,omitempty"`
 }
 
 func (x *CompletedJob_TemplateImport) Reset() {
@@ -1521,6 +1522,13 @@ func (x *CompletedJob_TemplateImport) GetHasAiTasks() bool {
 	return false
 }
 
+func (x *CompletedJob_TemplateImport) GetHasExternalAgents() bool {
+	if x != nil {
+		return x.HasExternalAgents
+	}
+	return false
+}
+
 type CompletedJob_TemplateDryRun struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -1710,7 +1718,7 @@ var file_provisionerd_proto_provisionerd_proto_rawDesc = []byte{
 	0x6d, 0x69, 0x6e, 0x67, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x69, 0x6e, 0x67, 0x73, 0x1a, 0x10, 0x0a,
 	0x0e, 0x54, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, 0x49, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x1a,
 	0x10, 0x0a, 0x0e, 0x54, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, 0x44, 0x72, 0x79, 0x52, 0x75,
-	0x6e, 0x42, 0x06, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0x8b, 0x0b, 0x0a, 0x0c, 0x43, 0x6f,
+	0x6e, 0x42, 0x06, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0xbb, 0x0b, 0x0a, 0x0c, 0x43, 0x6f,
 	0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x64, 0x4a, 0x6f, 0x62, 0x12, 0x15, 0x0a, 0x06, 0x6a, 0x6f,
 	0x62, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6a, 0x6f, 0x62, 0x49,
 	0x64, 0x12, 0x54, 0x0a, 0x0f, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x70, 0x61, 0x63, 0x65, 0x5f, 0x62,
@@ -1749,7 +1757,7 @@ var file_provisionerd_proto_provisionerd_proto_rawDesc = []byte{
 	0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x2e, 0x0a, 0x08, 0x61, 0x69, 0x5f, 0x74, 0x61,
 	0x73, 0x6b, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x70, 0x72, 0x6f, 0x76,
 	0x69, 0x73, 0x69, 0x6f, 0x6e, 0x65, 0x72, 0x2e, 0x41, 0x49, 0x54, 0x61, 0x73, 0x6b, 0x52, 0x07,
-	0x61, 0x69, 0x54, 0x61, 0x73, 0x6b, 0x73, 0x1a, 0x9f, 0x05, 0x0a, 0x0e, 0x54, 0x65, 0x6d, 0x70,
+	0x61, 0x69, 0x54, 0x61, 0x73, 0x6b, 0x73, 0x1a, 0xcf, 0x05, 0x0a, 0x0e, 0x54, 0x65, 0x6d, 0x70,
 	0x6c, 0x61, 0x74, 0x65, 0x49, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x3e, 0x0a, 0x0f, 0x73, 0x74,
 	0x61, 0x72, 0x74, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20,
 	0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x65,
@@ -1791,7 +1799,10 @@ var file_provisionerd_proto_provisionerd_proto_rawDesc = []byte{
 	0x18, 0x0b, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x46, 0x69,
 	0x6c, 0x65, 0x73, 0x48, 0x61, 0x73, 0x68, 0x12, 0x20, 0x0a, 0x0c, 0x68, 0x61, 0x73, 0x5f, 0x61,
 	0x69, 0x5f, 0x74, 0x61, 0x73, 0x6b, 0x73, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x68,
-	0x61, 0x73, 0x41, 0x69, 0x54, 0x61, 0x73, 0x6b, 0x73, 0x1a, 0x74, 0x0a, 0x0e, 0x54, 0x65, 0x6d,
+	0x61, 0x73, 0x41, 0x69, 0x54, 0x61, 0x73, 0x6b, 0x73, 0x12, 0x2e, 0x0a, 0x13, 0x68, 0x61, 0x73,
+	0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x61, 0x67, 0x65, 0x6e, 0x74, 0x73,
+	0x18, 0x0d, 0x20, 0x01, 0x28, 0x08, 0x52, 0x11, 0x68, 0x61, 0x73, 0x45, 0x78, 0x74, 0x65, 0x72,
+	0x6e, 0x61, 0x6c, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0x74, 0x0a, 0x0e, 0x54, 0x65, 0x6d,
 	0x70, 0x6c, 0x61, 0x74, 0x65, 0x44, 0x72, 0x79, 0x52, 0x75, 0x6e, 0x12, 0x33, 0x0a, 0x09, 0x72,
 	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15,
 	0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x65, 0x72, 0x2e, 0x52, 0x65, 0x73,
diff --git a/provisionerd/proto/provisionerd.proto b/provisionerd/proto/provisionerd.proto
index eeeb5f02da0fb..b008da33ea87e 100644
--- a/provisionerd/proto/provisionerd.proto
+++ b/provisionerd/proto/provisionerd.proto
@@ -95,6 +95,7 @@ message CompletedJob {
     bytes module_files = 10;
     bytes module_files_hash = 11;
     bool has_ai_tasks = 12;
+    bool has_external_agents = 13;
   }
   message TemplateDryRun {
     repeated provisioner.Resource resources = 1;
diff --git a/provisionerd/proto/version.go b/provisionerd/proto/version.go
index 10e73a3be176c..3ae1bbae04454 100644
--- a/provisionerd/proto/version.go
+++ b/provisionerd/proto/version.go
@@ -47,9 +47,12 @@ import "github.com/coder/coder/v2/apiversion"
 //
 // API v1.8:
 //   - Add new fields `description` and `icon` to `Preset`.
+//
+// API v1.9:
+//   - Added new field named 'has_external_agent' in 'CompleteJob.TemplateImport'
 const (
 	CurrentMajor = 1
-	CurrentMinor = 8
+	CurrentMinor = 9
 )
 
 // CurrentVersion is the current provisionerd API version.
diff --git a/provisionerd/runner/runner.go b/provisionerd/runner/runner.go
index b80cf9060b358..924f0628820ce 100644
--- a/provisionerd/runner/runner.go
+++ b/provisionerd/runner/runner.go
@@ -600,8 +600,9 @@ func (r *Runner) runTemplateImport(ctx context.Context) (*proto.CompletedJob, *p
 				// ModuleFiles are not on the stopProvision. So grab from the startProvision.
 				ModuleFiles: startProvision.ModuleFiles,
 				// ModuleFileHash will be populated if the file is uploaded async
-				ModuleFilesHash: []byte{},
-				HasAiTasks:      startProvision.HasAITasks,
+				ModuleFilesHash:   []byte{},
+				HasAiTasks:        startProvision.HasAITasks,
+				HasExternalAgents: startProvision.HasExternalAgents,
 			},
 		},
 	}, nil
@@ -666,6 +667,7 @@ type templateImportProvision struct {
 	Plan                  json.RawMessage
 	ModuleFiles           []byte
 	HasAITasks            bool
+	HasExternalAgents     bool
 }
 
 // Performs a dry-run provision when importing a template.
@@ -807,6 +809,7 @@ func (r *Runner) runTemplateImportProvisionWithRichParameters(
 				Plan:                  c.Plan,
 				ModuleFiles:           moduleFilesData,
 				HasAITasks:            c.HasAiTasks,
+				HasExternalAgents:     c.HasExternalAgents,
 			}, nil
 		default:
 			return nil, xerrors.Errorf("invalid message type %q received from provisioner",
diff --git a/provisionersdk/proto/provisioner.pb.go b/provisionersdk/proto/provisioner.pb.go
index 52d40ef87dd4d..c96878fba5fea 100644
--- a/provisionersdk/proto/provisioner.pb.go
+++ b/provisionersdk/proto/provisioner.pb.go
@@ -3401,8 +3401,9 @@ type PlanComplete struct {
 	// still need to know that such resources are defined.
 	//
 	// See `hasAITaskResources` in provisioner/terraform/resources.go for more details.
-	HasAiTasks bool      `protobuf:"varint,13,opt,name=has_ai_tasks,json=hasAiTasks,proto3" json:"has_ai_tasks,omitempty"`
-	AiTasks    []*AITask `protobuf:"bytes,14,rep,name=ai_tasks,json=aiTasks,proto3" json:"ai_tasks,omitempty"`
+	HasAiTasks        bool      `protobuf:"varint,13,opt,name=has_ai_tasks,json=hasAiTasks,proto3" json:"has_ai_tasks,omitempty"`
+	AiTasks           []*AITask `protobuf:"bytes,14,rep,name=ai_tasks,json=aiTasks,proto3" json:"ai_tasks,omitempty"`
+	HasExternalAgents bool      `protobuf:"varint,15,opt,name=has_external_agents,json=hasExternalAgents,proto3" json:"has_external_agents,omitempty"`
 }
 
 func (x *PlanComplete) Reset() {
@@ -3528,6 +3529,13 @@ func (x *PlanComplete) GetAiTasks() []*AITask {
 	return nil
 }
 
+func (x *PlanComplete) GetHasExternalAgents() bool {
+	if x != nil {
+		return x.HasExternalAgents
+	}
+	return false
+}
+
 // ApplyRequest asks the provisioner to apply the changes.  Apply MUST be preceded by a successful plan request/response
 // in the same Session.  The plan data is not transmitted over the wire and is cached by the provisioner in the Session.
 type ApplyRequest struct {
@@ -4855,7 +4863,7 @@ var file_provisionersdk_proto_provisioner_proto_rawDesc = []byte{
 	0x61, 0x6d, 0x65, 0x74, 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x11,
 	0x6f, 0x6d, 0x69, 0x74, 0x5f, 0x6d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x5f, 0x66, 0x69, 0x6c, 0x65,
 	0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x6f, 0x6d, 0x69, 0x74, 0x4d, 0x6f, 0x64,
-	0x75, 0x6c, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0x91, 0x05, 0x0a, 0x0c, 0x50, 0x6c, 0x61,
+	0x75, 0x6c, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x73, 0x22, 0xc1, 0x05, 0x0a, 0x0c, 0x50, 0x6c, 0x61,
 	0x6e, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72,
 	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12,
 	0x33, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03,
@@ -4896,7 +4904,10 @@ var file_provisionersdk_proto_provisioner_proto_rawDesc = []byte{
 	0x52, 0x0a, 0x68, 0x61, 0x73, 0x41, 0x69, 0x54, 0x61, 0x73, 0x6b, 0x73, 0x12, 0x2e, 0x0a, 0x08,
 	0x61, 0x69, 0x5f, 0x74, 0x61, 0x73, 0x6b, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13,
 	0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x65, 0x72, 0x2e, 0x41, 0x49, 0x54,
-	0x61, 0x73, 0x6b, 0x52, 0x07, 0x61, 0x69, 0x54, 0x61, 0x73, 0x6b, 0x73, 0x22, 0x41, 0x0a, 0x0c,
+	0x61, 0x73, 0x6b, 0x52, 0x07, 0x61, 0x69, 0x54, 0x61, 0x73, 0x6b, 0x73, 0x12, 0x2e, 0x0a, 0x13,
+	0x68, 0x61, 0x73, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x61, 0x67, 0x65,
+	0x6e, 0x74, 0x73, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x08, 0x52, 0x11, 0x68, 0x61, 0x73, 0x45, 0x78,
+	0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x41, 0x0a, 0x0c,
 	0x41, 0x70, 0x70, 0x6c, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x31, 0x0a, 0x08,
 	0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15,
 	0x2e, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x65, 0x72, 0x2e, 0x4d, 0x65, 0x74,
diff --git a/provisionersdk/proto/provisioner.proto b/provisionersdk/proto/provisioner.proto
index 2d53d8598e7a6..b120ba1c0e607 100644
--- a/provisionersdk/proto/provisioner.proto
+++ b/provisionersdk/proto/provisioner.proto
@@ -419,6 +419,7 @@ message PlanComplete {
   // See `hasAITaskResources` in provisioner/terraform/resources.go for more details.
   bool has_ai_tasks = 13;
   repeated provisioner.AITask ai_tasks = 14;
+  bool has_external_agents = 15;
 }
 
 // ApplyRequest asks the provisioner to apply the changes.  Apply MUST be preceded by a successful plan request/response
diff --git a/site/e2e/provisionerGenerated.ts b/site/e2e/provisionerGenerated.ts
index 78a010f6c736f..00b2050d94d98 100644
--- a/site/e2e/provisionerGenerated.ts
+++ b/site/e2e/provisionerGenerated.ts
@@ -462,6 +462,7 @@ export interface PlanComplete {
    */
   hasAiTasks: boolean;
   aiTasks: AITask[];
+  hasExternalAgents: boolean;
 }
 
 /**
@@ -1395,6 +1396,9 @@ export const PlanComplete = {
     for (const v of message.aiTasks) {
       AITask.encode(v!, writer.uint32(114).fork()).ldelim();
     }
+    if (message.hasExternalAgents === true) {
+      writer.uint32(120).bool(message.hasExternalAgents);
+    }
     return writer;
   },
 };
diff --git a/site/src/api/api.ts b/site/src/api/api.ts
index 2b21ddf1e8a08..21e6034c9116d 100644
--- a/site/src/api/api.ts
+++ b/site/src/api/api.ts
@@ -2022,6 +2022,16 @@ class ApiMethods {
 		return response.data;
 	};
 
+	getWorkspaceAgentCredentials = async (
+		workspaceID: string,
+		agentName: string,
+	): Promise<TypesGen.ExternalAgentCredentials> => {
+		const response = await this.axios.get(
+			`/api/v2/workspaces/${workspaceID}/external-agent/${agentName}/credentials`,
+		);
+		return response.data;
+	};
+
 	upsertWorkspaceAgentSharedPort = async (
 		workspaceID: string,
 		req: TypesGen.UpsertWorkspaceAgentPortShareRequest,
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
index 52fdb1d6effc4..81c578f84de04 100644
--- a/site/src/api/typesGenerated.ts
+++ b/site/src/api/typesGenerated.ts
@@ -931,6 +931,12 @@ export const Experiments: Experiment[] = [
 	"workspace-usage",
 ];
 
+// From codersdk/workspaces.go
+export interface ExternalAgentCredentials {
+	readonly command: string;
+	readonly agent_token: string;
+}
+
 // From codersdk/externalauth.go
 export interface ExternalAuth {
 	readonly authenticated: boolean;
@@ -3866,6 +3872,7 @@ export interface WorkspaceBuild {
 	readonly template_version_preset_id: string | null;
 	readonly has_ai_task?: boolean;
 	readonly ai_task_sidebar_app_id?: string;
+	readonly has_external_agent?: boolean;
 }
 
 // From codersdk/workspacebuilds.go
diff --git a/site/src/components/CodeExample/CodeExample.stories.tsx b/site/src/components/CodeExample/CodeExample.stories.tsx
index 93283e4df74a3..2a134998aa97d 100644
--- a/site/src/components/CodeExample/CodeExample.stories.tsx
+++ b/site/src/components/CodeExample/CodeExample.stories.tsx
@@ -31,3 +31,12 @@ export const LongCode: Story = {
 		code: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICnKzATuWwmmt5+CKTPuRGN0R1PBemA+6/SStpLiyX+L",
 	},
 };
+
+export const Redact: Story = {
+	args: {
+		secret: false,
+		redactPattern: /CODER_AGENT_TOKEN="([^"]+)"/g,
+		redactReplacement: `CODER_AGENT_TOKEN="********"`,
+		showRevealButton: true,
+	},
+};
diff --git a/site/src/components/CodeExample/CodeExample.tsx b/site/src/components/CodeExample/CodeExample.tsx
index 474dcb1fac225..b69a220550958 100644
--- a/site/src/components/CodeExample/CodeExample.tsx
+++ b/site/src/components/CodeExample/CodeExample.tsx
@@ -1,11 +1,26 @@
 import type { Interpolation, Theme } from "@emotion/react";
-import type { FC } from "react";
+import { Button } from "components/Button/Button";
+import {
+	Tooltip,
+	TooltipContent,
+	TooltipProvider,
+	TooltipTrigger,
+} from "components/Tooltip/Tooltip";
+import { EyeIcon, EyeOffIcon } from "lucide-react";
+import { type FC, useState } from "react";
 import { MONOSPACE_FONT_FAMILY } from "theme/constants";
 import { CopyButton } from "../CopyButton/CopyButton";
 
 interface CodeExampleProps {
 	code: string;
+	/** Defaulting to true to be on the safe side; you should have to opt out of the secure option, not remember to opt in */
 	secret?: boolean;
+	/** Redact parts of the code if the user doesn't want to obfuscate the whole code */
+	redactPattern?: RegExp;
+	/** Replacement text for redacted content */
+	redactReplacement?: string;
+	/** Show a button to reveal the redacted parts of the code */
+	showRevealButton?: boolean;
 	className?: string;
 }
 
@@ -15,11 +30,28 @@ interface CodeExampleProps {
 export const CodeExample: FC<CodeExampleProps> = ({
 	code,
 	className,
-
-	// Defaulting to true to be on the safe side; you should have to opt out of
-	// the secure option, not remember to opt in
 	secret = true,
+	redactPattern,
+	redactReplacement = "********",
+	showRevealButton,
 }) => {
+	const [showFullValue, setShowFullValue] = useState(false);
+
+	const displayValue = secret
+		? obfuscateText(code)
+		: redactPattern && !showFullValue
+			? code.replace(redactPattern, redactReplacement)
+			: code;
+
+	const showButtonLabel = showFullValue
+		? "Hide sensitive data"
+		: "Show sensitive data";
+	const icon = showFullValue ? (
+		<EyeOffIcon className="h-4 w-4" />
+	) : (
+		<EyeIcon className="h-4 w-4" />
+	);
+
 	return (
 		<div css={styles.container} className={className}>
 			<code css={[styles.code, secret && styles.secret]}>
@@ -33,17 +65,36 @@ export const CodeExample: FC<CodeExampleProps> = ({
 						 * 2. Even with it turned on and supported, the plaintext is still
 						 *    readily available in the HTML itself
 						 */}
-						<span aria-hidden>{obfuscateText(code)}</span>
+						<span aria-hidden>{displayValue}</span>
 						<span className="sr-only">
 							Encrypted text. Please access via the copy button.
 						</span>
 					</>
 				) : (
-					code
+					displayValue
 				)}
 			</code>
 
-			<CopyButton text={code} label="Copy code" />
+			<div className="flex items-center gap-1">
+				{showRevealButton && redactPattern && !secret && (
+					<TooltipProvider>
+						<Tooltip>
+							<TooltipTrigger asChild>
+								<Button
+									size="icon"
+									variant="subtle"
+									onClick={() => setShowFullValue(!showFullValue)}
+								>
+									{icon}
+									<span className="sr-only">{showButtonLabel}</span>
+								</Button>
+							</TooltipTrigger>
+							<TooltipContent>{showButtonLabel}</TooltipContent>
+						</Tooltip>
+					</TooltipProvider>
+				)}
+				<CopyButton text={code} label="Copy code" />
+			</div>
 		</div>
 	);
 };
diff --git a/site/src/modules/resources/AgentExternal.stories.tsx b/site/src/modules/resources/AgentExternal.stories.tsx
new file mode 100644
index 0000000000000..ed49a10efeee6
--- /dev/null
+++ b/site/src/modules/resources/AgentExternal.stories.tsx
@@ -0,0 +1,72 @@
+import type { Meta, StoryObj } from "@storybook/react";
+import { chromatic } from "testHelpers/chromatic";
+import { MockWorkspace, MockWorkspaceAgent } from "testHelpers/entities";
+import { withDashboardProvider } from "testHelpers/storybook";
+import { AgentExternal } from "./AgentExternal";
+
+const meta: Meta<typeof AgentExternal> = {
+	title: "modules/resources/AgentExternal",
+	component: AgentExternal,
+	args: {
+		isExternalAgent: true,
+		agent: {
+			...MockWorkspaceAgent,
+			status: "connecting",
+			operating_system: "linux",
+			architecture: "amd64",
+		},
+		workspace: MockWorkspace,
+	},
+	decorators: [withDashboardProvider],
+	parameters: {
+		chromatic,
+	},
+};
+
+export default meta;
+type Story = StoryObj<typeof AgentExternal>;
+
+export const Connecting: Story = {
+	args: {
+		agent: {
+			...MockWorkspaceAgent,
+			status: "connecting",
+			operating_system: "linux",
+			architecture: "amd64",
+		},
+	},
+};
+
+export const Timeout: Story = {
+	args: {
+		agent: {
+			...MockWorkspaceAgent,
+			status: "timeout",
+			operating_system: "linux",
+			architecture: "amd64",
+		},
+	},
+};
+
+export const DifferentOS: Story = {
+	args: {
+		agent: {
+			...MockWorkspaceAgent,
+			status: "connecting",
+			operating_system: "darwin",
+			architecture: "arm64",
+		},
+	},
+};
+
+export const NotExternalAgent: Story = {
+	args: {
+		isExternalAgent: false,
+		agent: {
+			...MockWorkspaceAgent,
+			status: "connecting",
+			operating_system: "linux",
+			architecture: "amd64",
+		},
+	},
+};
diff --git a/site/src/modules/resources/AgentExternal.tsx b/site/src/modules/resources/AgentExternal.tsx
new file mode 100644
index 0000000000000..64fea9e23ed12
--- /dev/null
+++ b/site/src/modules/resources/AgentExternal.tsx
@@ -0,0 +1,51 @@
+import { API } from "api/api";
+import type { Workspace, WorkspaceAgent } from "api/typesGenerated";
+import isChromatic from "chromatic/isChromatic";
+import { CodeExample } from "components/CodeExample/CodeExample";
+import { type FC, useEffect, useState } from "react";
+
+interface AgentExternalProps {
+	isExternalAgent: boolean;
+	agent: WorkspaceAgent;
+	workspace: Workspace;
+}
+
+export const AgentExternal: FC<AgentExternalProps> = ({
+	isExternalAgent,
+	agent,
+	workspace,
+}) => {
+	const [externalAgentToken, setExternalAgentToken] = useState<string | null>(
+		null,
+	);
+	const [command, setCommand] = useState<string | null>(null);
+
+	const origin = isChromatic() ? "https://example.com" : window.location.origin;
+	useEffect(() => {
+		if (
+			isExternalAgent &&
+			(agent.status === "timeout" || agent.status === "connecting")
+		) {
+			API.getWorkspaceAgentCredentials(workspace.id, agent.name).then((res) => {
+				setExternalAgentToken(res.agent_token);
+				setCommand(res.command);
+			});
+		}
+	}, [isExternalAgent, agent.status, workspace.id, agent.name]);
+
+	return (
+		<section className="text-base text-muted-foreground pb-2 leading-relaxed">
+			<p>
+				Please run the following command to attach an agent to the{" "}
+				{workspace.name} workspace:
+			</p>
+			<CodeExample
+				code={command ?? ""}
+				secret={false}
+				redactPattern={/CODER_AGENT_TOKEN="([^"]+)"/g}
+				redactReplacement={`CODER_AGENT_TOKEN="********"`}
+				showRevealButton={true}
+			/>
+		</section>
+	);
+};
diff --git a/site/src/modules/resources/AgentRow.tsx b/site/src/modules/resources/AgentRow.tsx
index 3cf757a15c2ab..e642f6494a176 100644
--- a/site/src/modules/resources/AgentRow.tsx
+++ b/site/src/modules/resources/AgentRow.tsx
@@ -27,6 +27,7 @@ import AutoSizer from "react-virtualized-auto-sizer";
 import type { FixedSizeList as List, ListOnScrollProps } from "react-window";
 import { AgentApps, organizeAgentApps } from "./AgentApps/AgentApps";
 import { AgentDevcontainerCard } from "./AgentDevcontainerCard";
+import { AgentExternal } from "./AgentExternal";
 import { AgentLatency } from "./AgentLatency";
 import { AGENT_LOG_LINE_HEIGHT } from "./AgentLogs/AgentLogLine";
 import { AgentLogs } from "./AgentLogs/AgentLogs";
@@ -62,9 +63,10 @@ export const AgentRow: FC<AgentRowProps> = ({
 	const appSections = organizeAgentApps(agent.apps);
 	const hasAppsToDisplay =
 		!browser_only || appSections.some((it) => it.apps.length > 0);
+	const isExternalAgent = workspace.latest_build.has_external_agent;
 	const shouldDisplayAgentApps =
 		(agent.status === "connected" && hasAppsToDisplay) ||
-		agent.status === "connecting";
+		(agent.status === "connecting" && !isExternalAgent);
 	const hasVSCodeApp =
 		agent.display_apps.includes("vscode") ||
 		agent.display_apps.includes("vscode_insiders");
@@ -258,7 +260,7 @@ export const AgentRow: FC<AgentRowProps> = ({
 					</section>
 				)}
 
-				{agent.status === "connecting" && (
+				{agent.status === "connecting" && !isExternalAgent && (
 					<section css={styles.apps}>
 						<Skeleton
 							width={80}
@@ -293,6 +295,15 @@ export const AgentRow: FC<AgentRowProps> = ({
 					</section>
 				)}
 
+				{isExternalAgent &&
+					(agent.status === "timeout" || agent.status === "connecting") && (
+						<AgentExternal
+							isExternalAgent={isExternalAgent}
+							agent={agent}
+							workspace={workspace}
+						/>
+					)}
+
 				<AgentMetadata initialMetadata={initialMetadata} agent={agent} />
 			</div>
 
diff --git a/site/src/modules/workspaces/actions.ts b/site/src/modules/workspaces/actions.ts
index 8b17d3e937c74..533cf981ed6d8 100644
--- a/site/src/modules/workspaces/actions.ts
+++ b/site/src/modules/workspaces/actions.ts
@@ -63,6 +63,14 @@ export const abilitiesByWorkspaceStatus = (
 		};
 	}
 
+	if (workspace.latest_build.has_external_agent) {
+		return {
+			actions: [],
+			canCancel: false,
+			canAcceptJobs: true,
+		};
+	}
+
 	const status = workspace.latest_build.status;
 
 	switch (status) {

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/19178.diff" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/19178.diff" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/19178.diff" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/19178.diff" target="_blank">pFad v4 Proxy</a></p></body>
</html>