
Identity and Access Management

Overview

ngrok includes a robust identity and access management (IAM) system. ngrok's IAM functionality enables you to:

  • Issue, rotate and revoke unique credentials for each principal in your account (either a human user or an automated process).
  • Enforce least-privilege access for each principal acting within your ngrok account.
  • Attribute all mutations to distinct principals in your ngrok account, recorded in audit logs.
  • Configure single sign-on (SSO) to federate identity and SCIM to enable provisioning from your own IdP.
  • Administrate multiple ngrok accounts with a single user.

Concepts

Before diving into ngrok's IAM system, it's helpful to be acquainted with the terminology and concepts ngrok uses to describe its IAM primitives.

  • Accounts: ngrok Accounts are the containers in which you create and consume ngrok services.
  • Users: An Account contains one or more Users. Users are members of the Account who can take actions within it, like creating objects, starting agents or making API requests. Users may be members of multiple accounts and are not owned by any single account.
  • Bot Users: Accounts also contain Bot Users which are like Users but meant to be used for automated processes. Other systems may call these 'Service Accounts'.
  • Principals (see /obs/#principal-object): A principal is either a User or Bot User. Principals are members of an Account that may take actions inside of it.
  • Credentials: These are the keys and tokens that Principals use to authenticate with the ngrok service. Types of Credential include Authtokens, API Keys, and SSH Public Keys.
  • Authtokens: Principals begin Agent sessions and create Endpoints by authenticating with an Authtoken.
  • API Keys: Principals make API Requests by authenticating with an API Key.
  • SSH Public Keys: Principals create Endpoints via the SSH Reverse Tunnel Agent with an SSH Public Key.
  • Invitations: Invitations are a mechanism to add a new User with a given email address to an Account.
  • RBAC: Role-Based Access Control is used to limit the permissions of what actions a User may take within your account.
  • Account Domain Controls: Account Domain Controls are used to create policy on Users who log in or sign up with a given email domain.