Credentials
Create Tunnel Credential
Create a new tunnel authtoken credential. This authtoken credential can be used to start a new tunnel session. The response to this API call is the only time the generated token is available. If you need it for future use, you must save it securely yourself.
Request
POST /credentials
Example Request
curl \
-X POST \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"development cred for alan@example.com"}' \
https://api.ngrok.com/credentials
Parameters
Name | Type | Description |
---|---|---|
description | string | human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io . Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com , y.example.com , *.example.com , etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example , y=example , etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
Response
Returns a 201 response on success
Example Response
{
"id": "cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"uri": "https://api.ngrok.com/credentials/cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"created_at": "2024-01-23T18:08:53Z",
"description": "development cred for alan@example.com",
"token": "2bMmTxA1AgJDXFkNXGBp4lOCyAq_5vYzoxDeCHWJ8kbVXdago",
"acl": [],
"owner_id": "usr_2bMmTvwAeimYs2Djgy0GGWfk5nE"
}
Fields
Name | Type | Description |
---|---|---|
id | string | unique tunnel credential resource identifier |
uri | string | URI of the tunnel credential API resource |
created_at | string | timestamp when the tunnel credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes. |
token | string | the credential's authtoken that can be used to authenticate an ngrok agent. This value is only available one time, on the API response from credential creation, otherwise it is null. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io . Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com , y.example.com , *.example.com , etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example , y=example , etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
Delete Tunnel Credential
Delete a tunnel authtoken credential by ID
Request
DELETE /credentials/{id}
Example Request
curl \
-X DELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/credentials/cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq
Response
Returns a 204 response with no body on success
Get Tunnel Credential
Get detailed information about a tunnel authtoken credential
Request
GET /credentials/{id}
Example Request
curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/credentials/cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq
Response
Returns a 200 response on success
Example Response
{
"id": "cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"uri": "https://api.ngrok.com/credentials/cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"created_at": "2024-01-23T18:08:53Z",
"description": "device alpha-2",
"metadata": "{\"device_id\": \"d5111ba7-0cc5-4ba3-8398-e6c79e4e89c2\"}",
"token": null,
"acl": [],
"owner_id": "usr_2bMmTvwAeimYs2Djgy0GGWfk5nE"
}
Fields
Name | Type | Description |
---|---|---|
id | string | unique tunnel credential resource identifier |
uri | string | URI of the tunnel credential API resource |
created_at | string | timestamp when the tunnel credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes. |
token | string | the credential's authtoken that can be used to authenticate an ngrok agent. This value is only available one time, on the API response from credential creation, otherwise it is null. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io . Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com , y.example.com , *.example.com , etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example , y=example , etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
List Tunnel Credentials
List all tunnel authtoken credentials on this account
Request
GET /credentials
Example Request
curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/credentials
Response
Returns a 200 response on success
Example Response
{
"credentials": [
{
"id": "cr_2bMmTyXTNiniHZeUeBnUPP19E0x",
"uri": "https://api.ngrok.com/credentials/cr_2bMmTyXTNiniHZeUeBnUPP19E0x",
"created_at": "2024-01-23T18:08:53Z",
"description": "for device #132",
"token": null,
"acl": ["bind:1.tcp.ngrok.io:20002", "bind:132.devices.company.com"],
"owner_id": "usr_2bMmTvwAeimYs2Djgy0GGWfk5nE"
},
{
"id": "cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"uri": "https://api.ngrok.com/credentials/cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"created_at": "2024-01-23T18:08:53Z",
"description": "development cred for alan@example.com",
"token": null,
"acl": [],
"owner_id": "usr_2bMmTvwAeimYs2Djgy0GGWfk5nE"
},
{
"id": "cr_2bMmTqOlTUXOaWq4OadC3bL4fVY",
"uri": "https://api.ngrok.com/credentials/cr_2bMmTqOlTUXOaWq4OadC3bL4fVY",
"created_at": "2024-01-23T18:08:52Z",
"description": "credential for \"api-examples-0bf973f64d46a8e3@example.com\"",
"token": null,
"acl": [],
"owner_id": "usr_2bMmTvwAeimYs2Djgy0GGWfk5nE"
}
],
"uri": "https://api.ngrok.com/credentials",
"next_page_uri": null
}
Fields
Name | Type | Description |
---|---|---|
credentials | Credential | the list of all tunnel credentials on this account |
uri | string | URI of the tunnel credential list API resource |
next_page_uri | string | URI of the next page, or null if there is no next page |
Credential fields
Name | Type | Description |
---|---|---|
id | string | unique tunnel credential resource identifier |
uri | string | URI of the tunnel credential API resource |
created_at | string | timestamp when the tunnel credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes. |
token | string | the credential's authtoken that can be used to authenticate an ngrok agent. This value is only available one time, on the API response from credential creation, otherwise it is null. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io . Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com , y.example.com , *.example.com , etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example , y=example , etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
Update Tunnel Credential
Update attributes of an tunnel authtoken credential by ID
Request
PATCH /credentials/{id}
Example Request
curl \
-X PATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"device alpha-2","metadata":"{\"device_id\": \"d5111ba7-0cc5-4ba3-8398-e6c79e4e89c2\"}"}' \
https://api.ngrok.com/credentials/cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq
Parameters
Name | Type | Description |
---|---|---|
id | string | |
description | string | human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io . Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com , y.example.com , *.example.com , etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example , y=example , etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
Response
Returns a 200 response on success
Example Response
{
"id": "cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"uri": "https://api.ngrok.com/credentials/cr_2bMmTxA1AgJDXFkNXGBp4lOCyAq",
"created_at": "2024-01-23T18:08:53Z",
"description": "device alpha-2",
"metadata": "{\"device_id\": \"d5111ba7-0cc5-4ba3-8398-e6c79e4e89c2\"}",
"token": null,
"acl": [],
"owner_id": "usr_2bMmTvwAeimYs2Djgy0GGWfk5nE"
}
Fields
Name | Type | Description |
---|---|---|
id | string | unique tunnel credential resource identifier |
uri | string | URI of the tunnel credential API resource |
created_at | string | timestamp when the tunnel credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes. |
token | string | the credential's authtoken that can be used to authenticate an ngrok agent. This value is only available one time, on the API response from credential creation, otherwise it is null. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io . Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com , y.example.com , *.example.com , etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example , y=example , etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |