▾ Index
Don't have an ngrok account?

Sign up for free to get more bandwidth, longer tunnel timeouts, and a lot more.

ngrok Link Documentation

ngrok link is a specialized, enhanced version of ngrok specifically designed for running in production environments. Specifically, it is intended for two major use cases:

  1. It is a lightweight VPN alternative that provides the automation and security necessary to establish targeted, secure links into customer environments.
  2. It enables IoT devices to expose control functionality to customers or administrators at stable, secured endpoints. Remote shell access for debugging and administration can be safely exposed in this manner as well.

ngrok link is tuned for running optimally as part of your infrastructure and exposes a number of additional security features to give fine grained access and authentication control. Most importantly, these features are exposed via APIs so that you can automate your entire workflow with ngrok.

Intended Audience

THIS DOCUMENT ASSUMES YOU HAVE ALREADY READ AND UNDERSTOOD the ngrok documentation. If you have not, you should read the main documentation now. The following content is intended only as a supplement and will not be helpful without the proper context.

Differences

Because ngrok link is specialized for production environments, there are changes in the way it operates compared to a 'standard' ngrok agent. Those differences are enumerated here.

The following changes have been made to ngrok's configuration defaults.

Installing ngrok as a service

ngrok link includes additional functionality that makes it easy to install and manage itself as a native operating system service on Windows, OS X and Linux. This makes it extraordinarily easy to set up ngrok in a production configuration that will cause it to start on machine boot, restart after crashes, and integrate with the native tools system administrators are familiar with to manage and inspect its state.

When running as a service, ngrok configures itself from its configuration file and starts all tunnels defined in the configuration file. When ngrok runs as a service, it executes the equivalent behavior of running ngrok start --all.

Installation

Installing ngrok as a service is the same on all on operating systems. First, create an ngrok.yml configuration file somewhere on your machine. For this example, I'll assume it's in C:\ngrok\ngrok.yml. In your configuration file, make sure you include an authtoken and define all of the tunnels that you want to start. Then run: 

ngrok service install -config C:\ngrok\ngrok.yml

This will validate that the configuration file is valid, and if so, install ngrok as a service using the given configuration file. The service installation includes the location of the ngrok binary, so don't move or delete it after you've installed the service.

Management

After your service is installed, you probably want to start it. You can easily do that with: 

ngrok service start

ngrok exposes the following commands to make service administration easy. The commands take no arguments and do what you would expect.

Windows

On Windows, ngrok installs itself as a Windows service. It can be managed via Windows Services and it logs all errors and warnings to the Windows event log.

OS X

On Darwin, ngrok creates an appropriate plist file and installs itself to run via launchd. Warnings and errors are logged via syslog.

Linux

On Linux, only systems with upstart or systemd installed are supported for service installation. If neither is installed, you will need to set up your own management of the ngrok process as a service. Warnings and errors are logged via syslog.

Per-client Authtoken Credentials

For production systems, every client must authenticate with a unique authtoken credential. This allows you to deactivate devices that are old or compromised. Further, it allows you to enforce a separate ACL policy on every connected device that limits what tunnels it is allowed to bind.

Generation

You can create authtokens from the Tunnel Authtokens tab in your ngrok dashboard. Click "Add Tunnel Authtoken" and then enter a human-readable description of the device or location where you intend to install the authtoken for tracking purposes.

In both the UI and API, the full authtoken you generate will only be shown once, immediately after creation!

ACL Enforcement

Credential ACLs describe what a client who connects with a given authtoken is allowed to do. For example, you may want to restrict each client to only have permission to bind a specific set of tunnel endpoints. When you create a credential, specify a list of ACL behaviors are allowed for any client connecting with that authtoken.

Generating credentials with ACLs is only available via the create credential API at the moment.

Endpoint Configurations

Endpoint configurations define reusable pieces of functionality that can be applied to any number of reserved domains or reserved addresses on your account.

Endpoint configurations are comprised of one or more modules. Each module defines a piece of functionality that will be executed on traffic that transits through any domain or address that you attach the endpoint configuration to. Each module defines its own set of configuration options and may be managed independently via its own API resources. Modules can perform authentication, performance optimizations like compression, enrich requests, handle errors, enforce policy and more.

Endpoint Configuration Types

Every endpoint configuration must be defined with a type. The type determines both which modules may be added to the configuration as well as how the configuration may be attached to a reserved domain or reserved address. The documentation for each module will list the configuration types it may be added to.

There are currently three types of endpoint configurations: http, https, and tcp.

Attaching to Reserved Domains and Addresses

Endpoint configurations may be attached to any number of reserved domains or addresses. When the configuration is attached, that domain or address will start applying the configuration's modules to traffic that transits through any tunnels started on those domains or addresses.

Reserved domains have two endpoint configuration references: http_endpoint_configuration_id and https_endpoint_configuration_id. These govern how http and https traffic are handled, respectively. The type of configuration that you attach must be http and https, respectively, for those references.

Reserved addresses have a single endpoint configuration reference endpoint_configuration_id. This configuration reference must be of type tcp.

Changes to HTTP Traffic

Traffic that is handled by endpoint configurations goes through a new codepath in ngrok's edge servers. This new codepath has a few subtle changes to how HTTP traffic is handled that are enumerated below:

Header Casing

HTTP headers the backend sees now have their capitalization canonicalized. The HTTP RFC defines this change as compatible. Previously, 

curl --header “foo-BAR: baz” foo.ngrok.io
resulted in the backend seeing 
foo-BAR: baz
now it sees: 
Foo-Bar: baz

Header Ordering

HTTP headers now may be reordered whereas ngrok previously never re-ordered headers. The HTTP RFC defines this behavior as compatible.

X-Forwarded-For

If an X-Forwarded-For header was supplied by the caller, ngrok now combines those values in a single header field. The RFC describing X-Forwarded-For describes this as the intended behavior. Previously, 

curl --header “X-Forwarded-For: 1.2.3.4” foo.ngrok.io
resulted in the backend seeing: 
X-Forwarded-For: 1.2.3.4
X-Forwarded-For: 5.6.7.8
Now it sees: 
X-Forwarded-For: 1.2.3.4, 5.6.7.8

Stripped Hop-By-Hop Headers

ngrok used to pass through the following hop-by-hop headers. It will now strip them (and set its own values, if necessary).

Endpoint Configuration Modules

Circuit Breaker

Supported on types: ,

Circuit breakers are used to protect upstream servers by rejecting traffic to them when they become overwhelmed, allowing them time to recover back into a steady operational state. When the upstream server starts to fail requests at too high of a rate, the circuit is "opened".

The circuit breaker is an implementation of Netflix's Hystrix circuit breaker specification.

If the upstream server responds with more than the threshold percentage of requests with 50X status codes, the circuit breaker pre-emptively reject all subsequent requests at the ngrok edge with a 503 until the upstream server's error rate drops below the threshold percentage.

Compression

Supported on types: ,

The Compression module automatically compresses your responses between the http client and the ngrok edge which can make your websites load faster on low bandwidth networks.

If an HTTP request includes an Accept-Encoding header, HTTP responses will be automatically compressed and a Content-Encoding response header will be added.

If the response was already compressed by the upstream server, ngrok takes no action.

gzip and deflate encodings are supported.

IP Policy

Supported on types: , ,

The IP Policy modules lets you restrict the allowed traffic to tunnel endpoints by explicitly whitelisting a set of IPs that are permitted to access those endpoints.

Allow connections to the tunnel endpoint only if the source IP of the connection matches an IP or IP range in any of the specified IP Policies. If multiple policies are specified, a connection will be allowed if it matches an IP address in any of the policies. Formally, the IP is checked against a union of all the IP policies.

The IP policy module is intended to replace and deprecate the existing IP Whitelist resource. Please read the documentation section about IP policy and IP whitelist interactions carefully.

Mutual TLS Authentication

Supported on type:

Also known as "TLS client authentication", connections must complete a mutual TLS handshake in which the client presents a valid certificate signed by any of the root certificate authorities that you upload.

The Common Name of the client's TLS certificate is injected into the header X-Tls-Client-Cn that is sent to your application server. This allows you to identify the requesting client for purposes of group membership, permissioning, revocation checks, profile lookup, etc.

Root CAs must be specified in PEM format. You may specify multiple root CAs by concatenating them together.

OAuth

Supported on type:

The OAuth module enforces an OAuth authentication flow in front of any endpoint it is enabled on. Any HTTP client accessing an OAuth-protected endpoint will be redirected to a chosen identity provider (currently Google, Microsoft, Github or Facebook) for authentication. When they are redirected back to the protected endpoint, ngrok will check a series of authorization constraints that allow you to define who is authorized to access the resource by setting a list of email addresses, email domains and other requirements. If the user is authorized, their request will be forwarded through to the upstream server and ngrok's edge will set an HTTP cookie on their browser session to keep them logged in so that the authentication flow is not repeated.

Configuration, customization, and use of the OAuth module is documented in the OAuth documentation section.

Request Headers

Supported on types: ,

The Request Headers module allows you to add and remove headers from HTTP requests before they are sent to your upstream server.

Changes made to request headers will not be visible to other modules; they will only be seen by your upstream server.

Header addition and removal functions similarly for request and response headers. See HTTP Headers for more details.

Response Headers

Supported on types: ,

The Response Headers module allows you to add and remove headers from HTTP responses before they are returned to the client. This is especially useful for enforcing the use of security headers on all responses returned by your application.

Changes made to response headers will not be visible to other modules; they will only be seen by the client.

Header addition and removal functions similarly for request and response headers. See HTTP Headers for more details.

TLS Termination

Supported on type:

The TLS Termination module allows you to configure whether ngrok terminates TLS traffic at its edge or forwards the TLS traffic through unterminated, in which case the TLS traffic will need to be terminated by your application server (or by the ngrok agent).

If the TLS Termination module is not specified, the default behavior is to terminate all TLS traffic at the ngrok edge.

If the TLS Termination module is enabled and TLS termination has been disabled, then you must have the ngrok agent start a tls tunnel to receive traffic. Furthermore, if TLS termination is disabled, no other http or https modules (e.g. Compression, OAuth, etc) will be supported on this endpoint configuration.

If you update a configuration to change whether it terminates TLS traffic or not, all tunnels running with that configuration will immediately begin to fail requests. All tunnels started with that configuration will need to be stopped and then restarted with their protocol changed (either https -> tls or vice-versa.

Webhook Validation

Supported on types: ,

The webhook validation module allows ngrok to assert requests to your endoint originate from a supported webhook provider like Slack or Github.

If ngrok can't validate a request as coming from the configured provider it will reject the request with a 403 status.

IP Policies

IP policies are a reusable group of whitelisted IPs or IP ranges (in CIDR blocks) that can be applied on a per-tunnel basis via Endpoint Configurations. An endpoint configuration may specify one or more IP policies. IP policies may be attached to any number of endpoint configurations. If an endpoint configuration specifies multiple IP policies, a connection will be allowed if its source IP matches any policy. Formally, the endpoint configuration defines a computed union of all of its IP policies.

IP Policy Rules

Every IP policy consists of zero or more IP policy rules. Each rule specifies an IP address or IP address range in CIDR notation. Both IPv4 and IPv6 address notations are supported. An IP policy with no rules is valid and will match no IPs.

Interaction with IP Whitelist

IP policies are intended to replace and deprecate the previous primitive ngrok used for IP enforcement, the IP whitelist. Unlike IP policies which must be explicitly associated with tunnels via an endpoint configuration, The IP whitelist is an account-wide primitive that applies to all tunnels on your account.

We do not recommend using both IP policies and the IP whitelist together. But, if you do, a connection will only be allowed through if it matches both the IP whitelist and the configured IP policies. Formally, for a connection to be accepted, it must match the intersection of both the IP whitelist and IP policies configured for the matching endpoint configuration.

TLS Certificates

ngrok supports uploading your own TLS certificates which we will use to terminate traffic to a given reserved domain at the ngrok edge. You may wish to use this functionality in addition to our automatically provisioned certificates if you are using an EV cert or provisioning certificates from your own certificate authority. Uploading a certificate will not change any traffic, you must then attach the certificate to a reserved domain by setting the certificate_id property on the reserved domain with the ID of the certificate you'd like to use for TLS termination.

Certificate Bundles

When uploading a new certificate to ngrok via the API, the certificate_pem field expects a certificate bundle of all certificates necessary to establish a chain of trust to a trusted root certificate authority. Many TLS certificate vendors will provide you with a constructed certificate bundle, but some will return the leaf certificate and the intermediate certificates separately and you must concatenate them to construct the bundle yourself.

Certificate bundles are a series of PEM-encoded X.509 certificates that have been concatenated together in a specific order. A bundle will look like the following: 

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The first certificate in the bundle must be the leaf certificate. You can think of the leaf certificate as the one which is signed for your domain and the private key you will upload.

After the leaf are the intermediates certificates, if any. Each intermediate signs the certificate preceding it in the bundle. As an example, the first intermediate will have signed the leaf, and that signature is part of the leaf certificate itself. The final certificate is signed by the root certificate. You may also included the root certificate in the bundle as well, but it is not necessary or common practice to do so.

Private Keys

ngrok accepts the following formats for the private_key_pem field:

All of the above (PKCS#1, PKCS#8, and SEC 1) are represented with ASN.1 DER (a binary format), encoded as PEM.

ngrok will not accept any private keys that are encrypted (e.g. with DES)..

OAuth Authentication

This documentation assumes familiarity with OAuth 2.0 workflows and terminology.

OAuth authentication uses configurable constraints to restrict endpoint access to only authorized users. Upstream servers behind an OAuth-protected endpoint can safely assume that requests are from users authenticated with the provider and authorized to use the endpoint.

Google

Creating your own application

Step-by-step instructions below follow Google's documentation on setting up OAuth 2.0 for a web application.

Build the consent screen

  1. Create or select a project on the Google Cloud Platform Console.
  2. Navigate to the project's OAuth consent screen.
  3. Select whether your application is an internal or external app.
  4. Fill out the application name and support email.
  5. Add additional scopes required by your application, saving the full scope URI for later.
  6. Ensure that the email and profile scopes are still selected.
  7. Under Authorized domains, add ngrok.com and your application homepage domain.
  8. Add links to your application homepage and privacy policy. The final consent screen should resemble:
  9. Save the application.
    • Applications that require verification cannot complete the consent screen and are not supported by ngrok.

Create credentials for ngrok

  1. Navigate to Credentials for your project.
  2. Select "Create credentials" from the top menu and select "OAuth Client ID".
  3. Choose "Web application" from the list of application types.
  4. Name your secret, then set "Authorized Redirect URIs" to https://oauth.ngrok.com/oauth2/callback. The final credentials form should resemble:
  5. Securely store the Client ID and secret from the final screen:

Update your endpoint configuration

  1. Return to the ngrok dashboard and create or edit an OAuth endpoint configuration module.
  2. Choose to use your own application with Google as the provider.
  3. Include the client ID, secret, and scopes configured in your application.
  4. Add the following scopes to your application if they are not already present:
    • https://www.googleapis.com/auth/userinfo.profile
    • https://www.googleapis.com/auth/userinfo.email

Additional application setup information

Headers provided by ngrok

ngrok strips the following headers from authorized requests and sets them with data from Google:

ngrok-auth-user-id Numeric ID of the authorized user.
ngrok-auth-user-name Full name of the authorized user.
ngrok-auth-email Authorized user's primary email address.
ngrok-oauth-access-token Custom applications only: the user's OAuth access token. It is valid for at least 5 seconds.

Microsoft

Creating your own application

Step-by-step instructions below closely follow Microsoft documentation to create a new application for ngrok within the Azure portal.

Register an application
  1. Sign-in to the Azure portal then select or create a tenant for your application.
  2. Search for "Azure Active Directory" and select it.
  3. Select "App registrations" on the left hand navigation.
  4. Select "New registration" at the top.
  5. Enter a name for your application.
  6. ngrok does not support single tenant applications. Choose supported account types from:
    • Accounts in any organizational directory (Any Azure AD directory - Multitenant)
    • Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
  7. Choose a "Web" redirect URI and enter https://oauth.ngrok.com/oauth2/callback.
  8. Register your application. The final form should resemble:
Configure your application
  1. When viewing your application, choose "Overview" on the left hand navigation.
  2. Store the "Application (client) ID" in the top information section for later.
  3. Select "API permissions" on the left hand navigation.
  4. Add additional scopes that your application requires and store them for later.
    • Scopes which require an application review by Microsoft are unsupported.
    • Scopes that require admin consent prevent tenants' users from authorizing until consent is granted.
  5. Ensure User.Read or a more permissive scope (e.g. User.Read.All) is configured for ngrok. Example minimal configuration:
  6. Choose "Certificates and Secrets" on the left hand navigation.
  7. Select "New Client Secret" at the bottom, name the secret, set an expiration, and hit create.
  8. Creation is asynchronous. When complete, save the secret from the "Value" column (blurred below) for later:

Update your endpoint configuration

  1. Return to the ngrok dashboard and create or edit an OAuth endpoint configuration module.
  2. Choose to use your own application with Microsoft as the provider.
  3. Include the scopes, client ID, and client secret for your application.

Additional application setup information

Headers provided by ngrok

ngrok strips the following headers from authorized requests and sets them with data from Microsoft:

ngrok-auth-user-id Unique user identifier from the user's directoryObject.
ngrok-auth-user-name User's display name in the address book. Typically full name with middle initial.
ngrok-auth-email User's email address, from the user's mail attribute with fallback to userPrincipalName when empty.
ngrok-oauth-access-token Custom applications only: the user's OAuth access token. It is valid for at least 5 seconds.

GitHub

Creating your own OAuth application

  1. Follow GitHub's documentation until the final step of submitting the registration form.
  2. Set the Authorization callback URL to https://oauth.ngrok.com/oauth2/callback.
  3. Submit the form. A working example registration:
  4. Save the client ID and client secret from the application overview:
  5. Return to the ngrok dashboard and create or edit an OAuth endpoint configuration module.
  6. Choose to use your own application with GitHub as the provider.
  7. Include the client ID and secret from earlier.
  8. Add any scopes your application requires.
    • Include the read:user scope (or more permissive, like user) for ngrok.
  9. Add any team or organization constraints by the their mention handle(s), excluding the @ prefix.
    • For example, the ngrok organization's mention handle is @ngrok, so the organization constraint would be ngrok. Similarly, the @ngrok/developers team would be matched by the constraint ngrok/developers.
    • If a constraint is specified, the read:org scope is required. A more permissive scope, such as org, also works.
    • Organizations must allow third-party access to your app.

Headers provided by ngrok

ngrok strips the following headers from authorized requests and sets them with data from GitHub:

ngrok-auth-user-id Unique numeric ID of the authorized user.
ngrok-auth-user-name Display name of the authorized user (e.g. "John Smith").
ngrok-auth-email Public profile email address of the authorized user.
ngrok-auth-github-user-id The username of the authorized user.
ngrok-auth-github-organization Only when a team or organization constraint matches: the first matching GitHub organization's mention handle (e.g "coreutils").
ngrok-auth-github-team Only when a team constraint matches: the first matching GitHub team mention handle (e.g "coreutils/contributors").
ngrok-oauth-access-token Custom applications only: the user's OAuth access token. It is valid for at least 5 seconds.

Using Organization and Teams

To authorize users based on organization or team membership, the organization must allow third party access. There are multiple ways to grant access:

The ngrok managed application can authorize users based on organization or team. For organizations concerned about membership privacy, your own application should always be used. When granting third-party access to the managed application, anyone using the managed application may constrain based on your organization's membership.

Header presence and constraint ordering

Organization and team headers are present only when an organization or team constraint matches. For example, an endpoint constrained solely on the ngrok organization will always have authorized users with the ngrok organization header. An endpoint without any organization or team constraints will receive no organization or team header.

ngrok authorizes against users' first 200 memberships of each constraint in chronological order of the team or organization's creation. Headers are filled from the first user data match in order:

  1. From any team membership, check the parent organization.
  2. Check team membership.
  3. Check organization membership.

Facebook

Creating your own application

Register an application

For additional assistance, see the Facebook app registration documentation.

  1. Visit the App Dashboard, log in, and convert your account into a developer account if necessary.
  2. Select "Add a New App" or "Create App."
  3. Choose a user-visible name and contact email.
  4. Submit the form. A valid example app:

Configure your application
  1. After creation, you should see a list of products to add. If you don't, view your application from the dashboard and scroll down to "Add a product."
  2. Select "Set Up" for Facebook Login.
  3. On the left hand navigation, select Facebook Login then choose "Settings" below it.
  4. Add to "Valid OAuth Redirect URI" https://oauth.ngrok.com/oauth2/callback
  5. Save the Facebook Login settings page. Final configuration should match:
  6. Select Settings on the left hand navigation, then choose advanced.
  7. Fill out additional settings for your application.
    • ngrok does not support Server IP whitelisting.
  8. Enable "Require App Secret". See documentation for how to call Facebook Graph API with this feature.
  9. Save settings. A minimally complete security section of advanced settings:
  10. Visit basic settings on the left hand navigation.
  11. At the top, save your App ID and App Secret for later.
  12. Fill out the privacy policy URL. This URL must accessible when entered for verification.
  13. Select a category for your application.
  14. Hit save changes. A minimally complete basic settings:
  15. Select the toggle for "In development" at the top of the page and confirm switching to live mode.
  16. Your application should now show as live:
Update your endpoint configuration

  1. Return to the ngrok dashboard and create or edit an OAuth endpoint configuration module.
  2. Choose to use your own application with Facebook as the provider.
  3. Include the app id and app secret that were stored earlier.
  4. Add any scopes required by your application.
  5. Add the email scope if it is not already present.

Additional application setup information

Headers provided by ngrok

ngrok strips the following headers from authorized requests and sets them with data from Facebook's user API:

ngrok-auth-user-id Unique, per-app numeric user ID. From id on the user resource.
ngrok-auth-user-name User's full name from name on the user resource.
ngrok-auth-email User's primary email address, from email on the user resource.
ngrok-oauth-access-token Custom applications only: the user's OAuth access token. It is valid for at least 5 seconds.

User permission revocation

Facebook allows revocation of any permission as part of the authorization flow. ngrok will enforce that users initially grant all configured permissions. However, at any time after endpoint authorization, users may selectively revoke permissions. If your application requires more than the default or email scope, you must follow Facebook's rules for handling revoked permissions without violating terms of use.

Managed Application Limitations

Managed OAuth applications are owned by ngrok and intended for quick use or testing. We highly recommend that you bring your own application. There are limitations on managed application since since many endpoints share them:

Request Modifications

Paths

Upstream servers behind endpoints protected by OAuth should not expect to receive any paths beginning with /oauth2/. Although more paths may be added, the following paths are currently used by ngrok:

/oauth2/callback Creates the OAuth session as part of forwarded provider callbacks.
/oauth2/authorize Initiates capture with a capture URI of /. This allows easily clearing the session on an error and forcing reauthorization with the provider.

Cookies

ngrok uses cookies to secure the authorization workflow, store user credentials, and cache authorized user data for headers. Cookie values should be considered opaque and not modified. Cookies names are prefixed with ngrok. by default. ngrok may overwrite, modify, hide, or delete prefixed cookies with the names below as part of every request:

session Stores all user data and credentials.
nonce Ties an authorization attempt to a single browser. The nonce value is within the cookie name, for example: ngrok.nonce.1692b0c51436f5ed

Constraint Changes and Sessions

OAuth endpoint configuration uses a cookie-based session. Consider the following when changing authorization constraints:

Authorization Check Interval

Authorization check interval controls the frequency of the refresh phase of the OAuth workflow. In order to prevent abuse, refreshes have minimum frequency of once per 3 minutes.

When configuring an authorization check interval, note that long intervals will result in delayed authorization against changed provider data. This has security considerations, especially when revoking permissions. For example, with an authorization check interval of 1 day, the following is possible:

  1. Day 1 08:00: user makes a request and successfully authorizes.
  2. Day 1 10:00: the authorized GitHub organization removes the user.
  3. Day 1 11:00: user successfully accesses the tunnel.
  4. Day 2 08:30: user accesses the tunnel, reauthorizes, and is denied access.
Any of the following actions, taken between step 2 and 3, would force reauthorization:

Detailed Auth Workflow

OAuth authentication is best separated into a three phase workflow: capture, callback, and refresh.

Capture

Requests were not previously authorized enter the capture phase and begin OAuth2. ngrok redirects the user to the provider with a secret state. The state is used to store the initial request URI, or capture URI, with additional security data. State expires 30 minutes from capture and will allow users to retry on expiration, discarding the original capture URI in order to prevent replays.

Methods other than GET also trigger capture; discarding the request body and method in the process. After successful authentication and authorization, users are redirected with a 302 and perform a GET against the capture URI.

Callback

Callback occurs as the final user-facing phase. There are up to three redirects made: the provider initiated redirect to the common callback forwarder, a redirect back to the initial domain, and a final redirect to the initial capture URI.

As endpoint configurations may be used across many domains, the common callback forwarder serves as a secure proxy back to the originating domain. Except in cases where the state query parameter was modified or discarded, this redirect is transparent to the user.

On the originating domain at /oauth2/callback, the request state is verified, errors are handled, and OAuth is completed. Errors from the provider are displayed to the user with instructions for how to continue. If no errors occur, a session is written to the session cookie, by default ngrok.session, and users are redirected to the capture URI.

Refresh

Users that complete provider authorization always complete at least one data refresh. Afterward, this phase is repeated based on authorization check interval. Refresh populates headers and performs authorization with data from the provider.

If endpoint authorization fails with data from a refresh, granted OAuth credentials from the provider are retained. Unauthorized users are notified to contact the owner of the application to request access. Subsequent requests repeat the refresh phase until the maximum session lifetime is reached, the grant expires, or endpoint authorization is updated to allow them.

HTTP Headers

The Request Headers and Response Headers modules use the same semantics for header additions and removals.

Headers to add are specified as key/value pairs. Headers to remove are specified as a list of header names. Header names for both additions and removals will be canonicalized per the Changes to HTTP Traffic.

If an added header already exists, the header will appear multiple times; the original header value will not be overwritten.

If a header is specified for both addition and removal, the original value will first be removed and the new value used in its place.

Header Templates

Variables can be interpolated into a header value using JSONPath expressions surrounded by ${} syntax. For example, using ${.ngrok.request_id} as a header value will cause it to be filled in with the ngrok-generated Request ID.

At this time, the object used for variable lookup contains the following values: 

{
    "ngrok": {
      // ngrok-generated Request Id
      "request_id": "...",
      // original client IP
      "client_ip": "...",
      "geo": {
        // two-letter ISO country code based on the client IP
        "country_code": "...",
        // approximate latitude based on the client IP
        "latitude": "...",
        // approximate longitude based on the client IP
        "longitude": "...",
        // the radius in kilometers around the latitude and longitude
        // where the client IP is likely to originate from
        "lat_long_radius_km": "..."
      }
    }
}

The ngrok.com REST API

ngrok.com exposes a REST API that grants programmatic access to all of ngrok's resources.

Base URL and Authentication

Base URL https://api.ngrok.com/
Authentication Bearer token authentication with an ngrok.com API key token

The API keys to access the ngrok.com REST API are available on your ngrok.com dashboard under the Auth tab. API keys can also be created via the API keys API. All requests to the API must include an API key as a bearer token in the Authorization header as demonstrated in the following example.

Access the root API resource
curl -H "Authorization: Bearer <<TOKEN>>" -H "Ngrok-Version: 2" https://api.ngrok.com/

Supported Content Types

Request parameters may be encoded to the API using either application/x-www-form-urlencoded or application/json. Ensure that your client sets the request's Content-Type header appropriately. All responses returned by the API are application/json.

Versioning and API Stability

The caller must specify a version by sending an Ngrok-Version header with each request. The latest version is 2. Versions 0 and 1 are supported for some accounts but deprecated.

The ngrok.com API guarantees that breaking changes to the API will never be made unless the caller explicitly opts in to a newer version. Examples of non-breaking changes to the API that will not be opt-in include the following.

Pagination

List endpoints can be paginated using the query parameters limit and before_id. Results are returned ordered from newest to oldest. The maximum value of limit is 100. If a limit is not specified, it will default to 100. If before_id is not specified, the first page of results will be returned. You can provide an explicit value for before_id to retrieve items created before the given ID. Each response to a list request will include a next_page_uri field, which will be the full URL you can request to retrieve the next page of results. If there are no more results, next_page_uri will be null.

Create API Key

Create a new API key. The generated API key can be used to authenticateto the ngrok API.

Request
POST/api_keys
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"ad-hoc dev testing","metadata":"{\"environment\":\"dev\"}"}' \
https://api.ngrok.com/api_keys
Parameters
description string human-readable description of what uses the API key to authenticate. optional, max 255 bytes.
metadata string arbitrary user-defined data of this API key. optional, max 4096 bytes
Response

Returns a 200 response on success

Example Response
{
  "id": "ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
  "uri": "https://api.ngrok.com/api_keys/ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
  "description": "ad-hoc dev testing",
  "metadata": "{\"environment\":\"dev\"}",
  "created_at": "2020-10-22T08:23:27Z",
  "token": "1jE2cI1skWrMldJxRC3hG6aNL7E_4P77rPvVgNLLucvjsANUd"
}
Fields
id string unique API key resource identifier
uri string URI to the API resource of this API key
description string human-readable description of what uses the API key to authenticate. optional, max 255 bytes.
metadata string arbitrary user-defined data of this API key. optional, max 4096 bytes
created_at string timestamp when the api key was created, RFC 3339 format
token string the bearer token that can be placed into the Authorization header to authenticate request to the ngrok API. This value is only available one time, on the API response from key creation. Otherwise it is null.

Delete API Key

Delete an API key by ID

Request
DELETE/api_keys/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/api_keys/ak_1jE2cI1skWrMldJxRC3hG6aNL7E
Response

Returns a 204 response with no body on success

Get API Key

Get the details of an API key by ID.

Request
GET/api_keys/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/api_keys/ak_1jE2cI1skWrMldJxRC3hG6aNL7E
Response

Returns a 200 response on success

Example Response
{
  "id": "ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
  "uri": "https://api.ngrok.com/api_keys/ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
  "description": "ad-hoc dev testing",
  "metadata": "{\"environment\":\"dev\", \"owner_id\": 123}",
  "created_at": "2020-10-22T08:23:27Z",
  "token": null
}
Fields
id string unique API key resource identifier
uri string URI to the API resource of this API key
description string human-readable description of what uses the API key to authenticate. optional, max 255 bytes.
metadata string arbitrary user-defined data of this API key. optional, max 4096 bytes
created_at string timestamp when the api key was created, RFC 3339 format
token string the bearer token that can be placed into the Authorization header to authenticate request to the ngrok API. This value is only available one time, on the API response from key creation. Otherwise it is null.

List API Keys

List all API keys owned by this account

Request
GET/api_keys
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/api_keys
Response

Returns a 200 response on success

Example Response
{
  "keys": [
    {
      "id": "ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
      "uri": "https://api.ngrok.com/api_keys/ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
      "description": "ad-hoc dev testing",
      "metadata": "{\"environment\":\"dev\"}",
      "created_at": "2020-10-22T08:23:27Z",
      "token": null
    },
    {
      "id": "ak_1jE2cAOQ9stwwkMfKSQvW7k5hPl",
      "uri": "https://api.ngrok.com/api_keys/ak_1jE2cAOQ9stwwkMfKSQvW7k5hPl",
      "description": "api key for example generation",
      "metadata": "",
      "created_at": "2020-10-22T08:23:26Z",
      "token": null
    }
  ],
  "uri": "https://api.ngrok.com/api_keys",
  "next_page_uri": null
}
Fields
keys APIKey the list of API keys for this account
uri string URI of the API keys list API resource
next_page_uri string URI of the next page, or null if there is no next page
APIKey fields
id string unique API key resource identifier
uri string URI to the API resource of this API key
description string human-readable description of what uses the API key to authenticate. optional, max 255 bytes.
metadata string arbitrary user-defined data of this API key. optional, max 4096 bytes
created_at string timestamp when the api key was created, RFC 3339 format
token string the bearer token that can be placed into the Authorization header to authenticate request to the ngrok API. This value is only available one time, on the API response from key creation. Otherwise it is null.

Update API Key

Update attributes of an API key by ID.

Request
PATCH/api_keys/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"environment\":\"dev\", \"owner_id\": 123}"}' \
https://api.ngrok.com/api_keys/ak_1jE2cI1skWrMldJxRC3hG6aNL7E
Parameters
id string
description string human-readable description of what uses the API key to authenticate. optional, max 255 bytes.
metadata string arbitrary user-defined data of this API key. optional, max 4096 bytes
Response

Returns a 200 response on success

Example Response
{
  "id": "ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
  "uri": "https://api.ngrok.com/api_keys/ak_1jE2cI1skWrMldJxRC3hG6aNL7E",
  "description": "ad-hoc dev testing",
  "metadata": "{\"environment\":\"dev\", \"owner_id\": 123}",
  "created_at": "2020-10-22T08:23:27Z",
  "token": null
}
Fields
id string unique API key resource identifier
uri string URI to the API resource of this API key
description string human-readable description of what uses the API key to authenticate. optional, max 255 bytes.
metadata string arbitrary user-defined data of this API key. optional, max 4096 bytes
created_at string timestamp when the api key was created, RFC 3339 format
token string the bearer token that can be placed into the Authorization header to authenticate request to the ngrok API. This value is only available one time, on the API response from key creation. Otherwise it is null.

Create Abuse Report

Creates a new abuse report which will be reviewed by our system and abuse response team. This API is only available to authorized accounts. Contact abuse@ngrok.com to request access

Request
POST/abuse_reports
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"urls":["http://legit-facebook-login.ngrok.io/login"],"metadata":"{\"incident_id\":1233122}"}' \
https://api.ngrok.com/abuse_reports
Parameters
urls List<string> a list of URLs containing suspected abusive content
metadata string arbitrary user-defined data about this abuse report. Optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "abrp_1jE2ceSVmsWiF4NpkY4TlU7uJkI",
  "uri": "https://api.ngrok.com/abuse_reports/abrp_1jE2ceSVmsWiF4NpkY4TlU7uJkI",
  "created_at": "2020-10-22T08:23:30Z",
  "urls": [
    "http://legit-facebook-login.ngrok.io/login"
  ],
  "metadata": "{\"incident_id\":1233122}",
  "status": "PROCESSED",
  "hostnames": [
    {
      "hostname": "legit-facebook-login.ngrok.io",
      "status": "BANNED"
    }
  ]
}
Fields
id string ID of the abuse report
uri string URI of the abuse report API resource
created_at string timestamp that the abuse report record was created in RFC 3339 format
urls List<string> a list of URLs containing suspected abusive content
metadata string arbitrary user-defined data about this abuse report. Optional, max 4096 bytes.
status string Indicates whether ngrok has processed the abuse report. one of PENDING, PROCESSED, or PARTIALLY_PROCESSED
hostnames AbuseReportHostname an array of hostname statuses related to the report
AbuseReportHostname fields
hostname string the hostname ngrok has parsed out of one of the reported URLs in this abuse report
status string indicates what action ngrok has taken against the hostname. one of PENDING, BANNED, UNBANNED, or IGNORE

Get Abuse Report

Get the detailed status of abuse report by ID.

Request
GET/abuse_reports/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/abuse_reports/abrp_1jE2ceSVmsWiF4NpkY4TlU7uJkI
Response

Returns a 200 response on success

Example Response
{
  "id": "abrp_1jE2ceSVmsWiF4NpkY4TlU7uJkI",
  "uri": "https://api.ngrok.com/abuse_reports/abrp_1jE2ceSVmsWiF4NpkY4TlU7uJkI",
  "created_at": "2020-10-22T08:23:30Z",
  "urls": [
    "http://legit-facebook-login.ngrok.io/login"
  ],
  "metadata": "{\"incident_id\":1233122}",
  "status": "PROCESSED",
  "hostnames": [
    {
      "hostname": "legit-facebook-login.ngrok.io",
      "status": "BANNED"
    }
  ]
}
Fields
id string ID of the abuse report
uri string URI of the abuse report API resource
created_at string timestamp that the abuse report record was created in RFC 3339 format
urls List<string> a list of URLs containing suspected abusive content
metadata string arbitrary user-defined data about this abuse report. Optional, max 4096 bytes.
status string Indicates whether ngrok has processed the abuse report. one of PENDING, PROCESSED, or PARTIALLY_PROCESSED
hostnames AbuseReportHostname an array of hostname statuses related to the report
AbuseReportHostname fields
hostname string the hostname ngrok has parsed out of one of the reported URLs in this abuse report
status string indicates what action ngrok has taken against the hostname. one of PENDING, BANNED, UNBANNED, or IGNORE

Create Certificate Authority

Upload a new Certificate Authority

Request
POST/certificate_authorities
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"Internal Coprorates Services Authority","metadata":"{\"internal_id\": \"7d2caeee-cdc3-4b26-b2c2-b280b8287552\"}","ca_pem":"-----BEGIN CERTIFICATE-----\nMIIEETCCAvmgAwIBAgIUU3N6lNzPqar4400cLQMcVHFl+mEwDQYJKoZIhvcNAQEL\nBQAwgZcxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5l\neTEZMBcGA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQg\nU2VydmljZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9w\nYmVhci5leGFtcGxlMB4XDTIwMDUwMTE2Mjc1OVoXDTIxMDUwMTE2Mjc1OVowgZcx\nCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEZMBcG\nA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQgU2Vydmlj\nZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9wYmVhci5l\neGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7y/EAN0yZkA0\nnRpMBfomnnS8KMWHb90kvGfhkCDR8WCQz5mX7eDEYDthRQrEgp63qtJ7IoCM5f0A\nUD6J2m/mZecP7SfA8OuTAZ7UyRixpZh0zJQSgj24Sh1LQuYci0DNXrei+R1qBvd+\npmpZwkKygNrbZYe3oY1PZ3jEYPSAQzIObDF7LhdhLLrcfWa9BHOGMLnALNMY558b\nvoijTCEmRrSavdvrAS9LDRipEXT8EQOWZZT9VbPtgSBalvStdoupAptmPIWjXftf\nWi1kry+P0xVFZG9iZwUeAT6fSJ+gJD8M1UXWaQbocYrctESP0sZEFM3rzdWqrZb7\n3cH3K5OCvwIDAQABo1MwUTAdBgNVHQ4EFgQUsZdchgUimRHLiPRWw51+DGBmlfMw\nHwYDVR0jBBgwFoAUsZdchgUimRHLiPRWw51+DGBmlfMwDwYDVR0TAQH/BAUwAwEB\n/zANBgkqhkiG9w0BAQsFAAOCAQEANk25tt8sSfn6Qu1bbhWRbjKgS5z+j9LqyCna\nv3fbSchMthaQR7w0vL69ayroeYdqDZkRMmHjuYKY4NyqyXkkaqVO63wEicCo55d9\npIKuPzc/7xwdRephosjGTQ4QaQ4OnrdpJZieI92m9ODexgsab84AYmwNpbGOI/tK\nnPsQr8x1RfLs2gbBwQ4MYVM3tQQbX0o+yve5nz/NCOq4vdG+eKON5u6VYMkOOg9F\nVyNY1iISQkpNk/AF6Vi9BGuDb5Hg0phEl1Q0ntCO7ZHAUHjy0ucqXZiXoXdXZcs3\n3zKKLUKva59EDBZ5TUucvXh8VemBtNc6hd1mX4Tq7lAreG9pjQ==\n-----END CERTIFICATE-----"}' \
https://api.ngrok.com/certificate_authorities
Parameters
description string human-readable description of this Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this Certificate Authority. optional, max 4096 bytes.
ca_pem string raw PEM of the Certificate Authority
Response

Returns a 200 response on success

Example Response
{
  "id": "ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
  "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "Internal Coprorates Services Authority",
  "metadata": "{\"internal_id\": \"7d2caeee-cdc3-4b26-b2c2-b280b8287552\"}",
  "ca_pem": "-----BEGIN CERTIFICATE-----\nMIIEETCCAvmgAwIBAgIUU3N6lNzPqar4400cLQMcVHFl+mEwDQYJKoZIhvcNAQEL\nBQAwgZcxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5l\neTEZMBcGA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQg\nU2VydmljZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9w\nYmVhci5leGFtcGxlMB4XDTIwMDUwMTE2Mjc1OVoXDTIxMDUwMTE2Mjc1OVowgZcx\nCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEZMBcG\nA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQgU2Vydmlj\nZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9wYmVhci5l\neGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7y/EAN0yZkA0\nnRpMBfomnnS8KMWHb90kvGfhkCDR8WCQz5mX7eDEYDthRQrEgp63qtJ7IoCM5f0A\nUD6J2m/mZecP7SfA8OuTAZ7UyRixpZh0zJQSgj24Sh1LQuYci0DNXrei+R1qBvd+\npmpZwkKygNrbZYe3oY1PZ3jEYPSAQzIObDF7LhdhLLrcfWa9BHOGMLnALNMY558b\nvoijTCEmRrSavdvrAS9LDRipEXT8EQOWZZT9VbPtgSBalvStdoupAptmPIWjXftf\nWi1kry+P0xVFZG9iZwUeAT6fSJ+gJD8M1UXWaQbocYrctESP0sZEFM3rzdWqrZb7\n3cH3K5OCvwIDAQABo1MwUTAdBgNVHQ4EFgQUsZdchgUimRHLiPRWw51+DGBmlfMw\nHwYDVR0jBBgwFoAUsZdchgUimRHLiPRWw51+DGBmlfMwDwYDVR0TAQH/BAUwAwEB\n/zANBgkqhkiG9w0BAQsFAAOCAQEANk25tt8sSfn6Qu1bbhWRbjKgS5z+j9LqyCna\nv3fbSchMthaQR7w0vL69ayroeYdqDZkRMmHjuYKY4NyqyXkkaqVO63wEicCo55d9\npIKuPzc/7xwdRephosjGTQ4QaQ4OnrdpJZieI92m9ODexgsab84AYmwNpbGOI/tK\nnPsQr8x1RfLs2gbBwQ4MYVM3tQQbX0o+yve5nz/NCOq4vdG+eKON5u6VYMkOOg9F\nVyNY1iISQkpNk/AF6Vi9BGuDb5Hg0phEl1Q0ntCO7ZHAUHjy0ucqXZiXoXdXZcs3\n3zKKLUKva59EDBZ5TUucvXh8VemBtNc6hd1mX4Tq7lAreG9pjQ==\n-----END CERTIFICATE-----\n",
  "subject_common_name": "Intranet Services Authority",
  "not_before": "2020-05-01T16:27:59Z",
  "not_after": "2021-05-01T16:27:59Z",
  "key_usages": [],
  "extended_key_usages": []
}
Fields
id string unique identifier for this Certificate Authority
uri string URI of the Certificate Authority API resource
created_at string timestamp when the Certificate Authority was created, RFC 3339 format
description string human-readable description of this Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this Certificate Authority. optional, max 4096 bytes.
ca_pem string raw PEM of the Certificate Authority
subject_common_name string subject common name of the Certificate Authority
not_before string timestamp when this Certificate Authority becomes valid, RFC 3339 format
not_after string timestamp when this Certificate Authority becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this Certificate Authority can be used for
extended_key_usages List<string> extended set of actions the private key of this Certificate Authority can be used for

Delete Certificate Authority

Delete a Certificate Authority

Request
DELETE/certificate_authorities/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/certificate_authorities/ca_1jE2cqj9YU2XzT6dImzagHqCK6I
Response

Returns a 204 response with no body on success

Get Certificate Authority

Get detailed information about a certficate authority

Request
GET/certificate_authorities/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/certificate_authorities/ca_1jE2cqj9YU2XzT6dImzagHqCK6I
Response

Returns a 200 response on success

Example Response
{
  "id": "ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
  "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "Internal Corporate Services Authority (Legacy)",
  "metadata": "{\"internal_id\": \"7d2caeee-cdc3-4b26-b2c2-b280b8287552\"}",
  "ca_pem": "-----BEGIN CERTIFICATE-----\nMIIEETCCAvmgAwIBAgIUU3N6lNzPqar4400cLQMcVHFl+mEwDQYJKoZIhvcNAQEL\nBQAwgZcxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5l\neTEZMBcGA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQg\nU2VydmljZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9w\nYmVhci5leGFtcGxlMB4XDTIwMDUwMTE2Mjc1OVoXDTIxMDUwMTE2Mjc1OVowgZcx\nCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEZMBcG\nA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQgU2Vydmlj\nZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9wYmVhci5l\neGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7y/EAN0yZkA0\nnRpMBfomnnS8KMWHb90kvGfhkCDR8WCQz5mX7eDEYDthRQrEgp63qtJ7IoCM5f0A\nUD6J2m/mZecP7SfA8OuTAZ7UyRixpZh0zJQSgj24Sh1LQuYci0DNXrei+R1qBvd+\npmpZwkKygNrbZYe3oY1PZ3jEYPSAQzIObDF7LhdhLLrcfWa9BHOGMLnALNMY558b\nvoijTCEmRrSavdvrAS9LDRipEXT8EQOWZZT9VbPtgSBalvStdoupAptmPIWjXftf\nWi1kry+P0xVFZG9iZwUeAT6fSJ+gJD8M1UXWaQbocYrctESP0sZEFM3rzdWqrZb7\n3cH3K5OCvwIDAQABo1MwUTAdBgNVHQ4EFgQUsZdchgUimRHLiPRWw51+DGBmlfMw\nHwYDVR0jBBgwFoAUsZdchgUimRHLiPRWw51+DGBmlfMwDwYDVR0TAQH/BAUwAwEB\n/zANBgkqhkiG9w0BAQsFAAOCAQEANk25tt8sSfn6Qu1bbhWRbjKgS5z+j9LqyCna\nv3fbSchMthaQR7w0vL69ayroeYdqDZkRMmHjuYKY4NyqyXkkaqVO63wEicCo55d9\npIKuPzc/7xwdRephosjGTQ4QaQ4OnrdpJZieI92m9ODexgsab84AYmwNpbGOI/tK\nnPsQr8x1RfLs2gbBwQ4MYVM3tQQbX0o+yve5nz/NCOq4vdG+eKON5u6VYMkOOg9F\nVyNY1iISQkpNk/AF6Vi9BGuDb5Hg0phEl1Q0ntCO7ZHAUHjy0ucqXZiXoXdXZcs3\n3zKKLUKva59EDBZ5TUucvXh8VemBtNc6hd1mX4Tq7lAreG9pjQ==\n-----END CERTIFICATE-----\n",
  "subject_common_name": "Intranet Services Authority",
  "not_before": "2020-05-01T16:27:59Z",
  "not_after": "2021-05-01T16:27:59Z",
  "key_usages": [],
  "extended_key_usages": []
}
Fields
id string unique identifier for this Certificate Authority
uri string URI of the Certificate Authority API resource
created_at string timestamp when the Certificate Authority was created, RFC 3339 format
description string human-readable description of this Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this Certificate Authority. optional, max 4096 bytes.
ca_pem string raw PEM of the Certificate Authority
subject_common_name string subject common name of the Certificate Authority
not_before string timestamp when this Certificate Authority becomes valid, RFC 3339 format
not_after string timestamp when this Certificate Authority becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this Certificate Authority can be used for
extended_key_usages List<string> extended set of actions the private key of this Certificate Authority can be used for

List Certificate Authorities

List all Certificate Authority on this account

Request
GET/certificate_authorities
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/certificate_authorities
Response

Returns a 200 response on success

Example Response
{
  "certificate_authorities": [
    {
      "id": "ca_1jE2cvJLxRfC4ESuftO6fipqkkI",
      "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cvJLxRfC4ESuftO6fipqkkI",
      "created_at": "2020-10-22T08:23:32Z",
      "description": "Device Connectivity Authority",
      "metadata": "",
      "ca_pem": "-----BEGIN CERTIFICATE-----\nMIIEAzCCAuugAwIBAgIUGN+Gv4BdJ17VoVXWrz9j51jcfYowDQYJKoZIhvcNAQEL\nBQAwgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH\nDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApBQ01FLCBJbmMuMR4wHAYDVQQDDBVB\nQ01FIERldmljZSBBdXRob3JpdHkxHzAdBgkqhkiG9w0BCQEWEG9wc0BhY21lLmV4\nYW1wbGUwHhcNMjAwNTAxMTYyNTA5WhcNMjEwNTAxMTYyNTA5WjCBkDELMAkGA1UE\nBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lz\nY28xEzARBgNVBAoMCkFDTUUsIEluYy4xHjAcBgNVBAMMFUFDTUUgRGV2aWNlIEF1\ndGhvcml0eTEfMB0GCSqGSIb3DQEJARYQb3BzQGFjbWUuZXhhbXBsZTCCASIwDQYJ\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO8vxADdMmZANJ0aTAX6Jp50vCjFh2/d\nJLxn4ZAg0fFgkM+Zl+3gxGA7YUUKxIKet6rSeyKAjOX9AFA+idpv5mXnD+0nwPDr\nkwGe1MkYsaWYdMyUEoI9uEodS0LmHItAzV63ovkdagb3fqZqWcJCsoDa22WHt6GN\nT2d4xGD0gEMyDmwxey4XYSy63H1mvQRzhjC5wCzTGOefG76Io0whJka0mr3b6wEv\nSw0YqRF0/BEDlmWU/VWz7YEgWpb0rXaLqQKbZjyFo137X1otZK8vj9MVRWRvYmcF\nHgE+n0ifoCQ/DNVF1mkG6HGK3LREj9LGRBTN683Vqq2W+93B9yuTgr8CAwEAAaNT\nMFEwHQYDVR0OBBYEFLGXXIYFIpkRy4j0VsOdfgxgZpXzMB8GA1UdIwQYMBaAFLGX\nXIYFIpkRy4j0VsOdfgxgZpXzMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL\nBQADggEBAFyO7ZWj9w6xzoBWu/XbIVwsQ3kE5k+wrRGyp2rh2v4msAEveCIZP5kT\nCSdr2vr+9HQYiKf1ftsp9tGTLXwrhz3ztC8jIqo4A0grw5B61J0lj+2grKNq1/CK\nxQcpkbnetzo4zsDqFRoN2VK40Ovo4b/IknFa38t06b4t8cYQIqUdkFHMSSIz3Mvx\nRIK6MZlilT8zkWhi9kfCJe/s3cVEAJixNkgO4XNo5VhhxFenyvAL2vDM27dWVtDG\nqL3MFZbcy0/74AJsJDSrflGUQxjrK3WI9PkpKp/xey54XJAbhF63z1VwkJwSwufv\nW9HgidfMN9icgxkScyWpB9KrZHcsLk4=\n-----END CERTIFICATE-----\n",
      "subject_common_name": "ACME Device Authority",
      "not_before": "2020-05-01T16:25:09Z",
      "not_after": "2021-05-01T16:25:09Z",
      "key_usages": [],
      "extended_key_usages": []
    },
    {
      "id": "ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
      "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
      "created_at": "2020-10-22T08:23:32Z",
      "description": "Internal Coprorates Services Authority",
      "metadata": "{\"internal_id\": \"7d2caeee-cdc3-4b26-b2c2-b280b8287552\"}",
      "ca_pem": "-----BEGIN CERTIFICATE-----\nMIIEETCCAvmgAwIBAgIUU3N6lNzPqar4400cLQMcVHFl+mEwDQYJKoZIhvcNAQEL\nBQAwgZcxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5l\neTEZMBcGA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQg\nU2VydmljZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9w\nYmVhci5leGFtcGxlMB4XDTIwMDUwMTE2Mjc1OVoXDTIxMDUwMTE2Mjc1OVowgZcx\nCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEZMBcG\nA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQgU2Vydmlj\nZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9wYmVhci5l\neGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7y/EAN0yZkA0\nnRpMBfomnnS8KMWHb90kvGfhkCDR8WCQz5mX7eDEYDthRQrEgp63qtJ7IoCM5f0A\nUD6J2m/mZecP7SfA8OuTAZ7UyRixpZh0zJQSgj24Sh1LQuYci0DNXrei+R1qBvd+\npmpZwkKygNrbZYe3oY1PZ3jEYPSAQzIObDF7LhdhLLrcfWa9BHOGMLnALNMY558b\nvoijTCEmRrSavdvrAS9LDRipEXT8EQOWZZT9VbPtgSBalvStdoupAptmPIWjXftf\nWi1kry+P0xVFZG9iZwUeAT6fSJ+gJD8M1UXWaQbocYrctESP0sZEFM3rzdWqrZb7\n3cH3K5OCvwIDAQABo1MwUTAdBgNVHQ4EFgQUsZdchgUimRHLiPRWw51+DGBmlfMw\nHwYDVR0jBBgwFoAUsZdchgUimRHLiPRWw51+DGBmlfMwDwYDVR0TAQH/BAUwAwEB\n/zANBgkqhkiG9w0BAQsFAAOCAQEANk25tt8sSfn6Qu1bbhWRbjKgS5z+j9LqyCna\nv3fbSchMthaQR7w0vL69ayroeYdqDZkRMmHjuYKY4NyqyXkkaqVO63wEicCo55d9\npIKuPzc/7xwdRephosjGTQ4QaQ4OnrdpJZieI92m9ODexgsab84AYmwNpbGOI/tK\nnPsQr8x1RfLs2gbBwQ4MYVM3tQQbX0o+yve5nz/NCOq4vdG+eKON5u6VYMkOOg9F\nVyNY1iISQkpNk/AF6Vi9BGuDb5Hg0phEl1Q0ntCO7ZHAUHjy0ucqXZiXoXdXZcs3\n3zKKLUKva59EDBZ5TUucvXh8VemBtNc6hd1mX4Tq7lAreG9pjQ==\n-----END CERTIFICATE-----\n",
      "subject_common_name": "Intranet Services Authority",
      "not_before": "2020-05-01T16:27:59Z",
      "not_after": "2021-05-01T16:27:59Z",
      "key_usages": [],
      "extended_key_usages": []
    },
    {
      "id": "ca_1jE2cirmhVyB4aHwf5VUiWzbTty",
      "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cirmhVyB4aHwf5VUiWzbTty",
      "created_at": "2020-10-22T08:23:31Z",
      "description": "",
      "metadata": "",
      "ca_pem": "-----BEGIN CERTIFICATE-----\nMIIEETCCAvmgAwIBAgIUU3N6lNzPqar4400cLQMcVHFl+mEwDQYJKoZIhvcNAQEL\nBQAwgZcxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5l\neTEZMBcGA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQg\nU2VydmljZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9w\nYmVhci5leGFtcGxlMB4XDTIwMDUwMTE2Mjc1OVoXDTIxMDUwMTE2Mjc1OVowgZcx\nCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEZMBcG\nA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQgU2Vydmlj\nZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9wYmVhci5l\neGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7y/EAN0yZkA0\nnRpMBfomnnS8KMWHb90kvGfhkCDR8WCQz5mX7eDEYDthRQrEgp63qtJ7IoCM5f0A\nUD6J2m/mZecP7SfA8OuTAZ7UyRixpZh0zJQSgj24Sh1LQuYci0DNXrei+R1qBvd+\npmpZwkKygNrbZYe3oY1PZ3jEYPSAQzIObDF7LhdhLLrcfWa9BHOGMLnALNMY558b\nvoijTCEmRrSavdvrAS9LDRipEXT8EQOWZZT9VbPtgSBalvStdoupAptmPIWjXftf\nWi1kry+P0xVFZG9iZwUeAT6fSJ+gJD8M1UXWaQbocYrctESP0sZEFM3rzdWqrZb7\n3cH3K5OCvwIDAQABo1MwUTAdBgNVHQ4EFgQUsZdchgUimRHLiPRWw51+DGBmlfMw\nHwYDVR0jBBgwFoAUsZdchgUimRHLiPRWw51+DGBmlfMwDwYDVR0TAQH/BAUwAwEB\n/zANBgkqhkiG9w0BAQsFAAOCAQEANk25tt8sSfn6Qu1bbhWRbjKgS5z+j9LqyCna\nv3fbSchMthaQR7w0vL69ayroeYdqDZkRMmHjuYKY4NyqyXkkaqVO63wEicCo55d9\npIKuPzc/7xwdRephosjGTQ4QaQ4OnrdpJZieI92m9ODexgsab84AYmwNpbGOI/tK\nnPsQr8x1RfLs2gbBwQ4MYVM3tQQbX0o+yve5nz/NCOq4vdG+eKON5u6VYMkOOg9F\nVyNY1iISQkpNk/AF6Vi9BGuDb5Hg0phEl1Q0ntCO7ZHAUHjy0ucqXZiXoXdXZcs3\n3zKKLUKva59EDBZ5TUucvXh8VemBtNc6hd1mX4Tq7lAreG9pjQ==\n-----END CERTIFICATE-----\n",
      "subject_common_name": "Intranet Services Authority",
      "not_before": "2020-05-01T16:27:59Z",
      "not_after": "2021-05-01T16:27:59Z",
      "key_usages": [],
      "extended_key_usages": []
    }
  ],
  "uri": "https://api.ngrok.com/certificate_authorities",
  "next_page_uri": null
}
Fields
certificate_authorities CertificateAuthority the list of all certificate authorities on this account
uri string URI of the certificates authorities list API resource
next_page_uri string URI of the next page, or null if there is no next page
CertificateAuthority fields
id string unique identifier for this Certificate Authority
uri string URI of the Certificate Authority API resource
created_at string timestamp when the Certificate Authority was created, RFC 3339 format
description string human-readable description of this Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this Certificate Authority. optional, max 4096 bytes.
ca_pem string raw PEM of the Certificate Authority
subject_common_name string subject common name of the Certificate Authority
not_before string timestamp when this Certificate Authority becomes valid, RFC 3339 format
not_after string timestamp when this Certificate Authority becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this Certificate Authority can be used for
extended_key_usages List<string> extended set of actions the private key of this Certificate Authority can be used for

Update Certificate Authority

Update attributes of a Certificate Authority by ID

Request
PATCH/certificate_authorities/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"Internal Corporate Services Authority (Legacy)"}' \
https://api.ngrok.com/certificate_authorities/ca_1jE2cqj9YU2XzT6dImzagHqCK6I
Parameters
id string
description string human-readable description of this Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this Certificate Authority. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
  "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cqj9YU2XzT6dImzagHqCK6I",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "Internal Corporate Services Authority (Legacy)",
  "metadata": "{\"internal_id\": \"7d2caeee-cdc3-4b26-b2c2-b280b8287552\"}",
  "ca_pem": "-----BEGIN CERTIFICATE-----\nMIIEETCCAvmgAwIBAgIUU3N6lNzPqar4400cLQMcVHFl+mEwDQYJKoZIhvcNAQEL\nBQAwgZcxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5l\neTEZMBcGA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQg\nU2VydmljZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9w\nYmVhci5leGFtcGxlMB4XDTIwMDUwMTE2Mjc1OVoXDTIxMDUwMTE2Mjc1OVowgZcx\nCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEZMBcG\nA1UECgwQRHJvcGJlYXIgUHR5IEx0ZDEkMCIGA1UEAwwbSW50cmFuZXQgU2Vydmlj\nZXMgQXV0aG9yaXR5MSgwJgYJKoZIhvcNAQkBFhlzZWN1cml0eUBkcm9wYmVhci5l\neGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7y/EAN0yZkA0\nnRpMBfomnnS8KMWHb90kvGfhkCDR8WCQz5mX7eDEYDthRQrEgp63qtJ7IoCM5f0A\nUD6J2m/mZecP7SfA8OuTAZ7UyRixpZh0zJQSgj24Sh1LQuYci0DNXrei+R1qBvd+\npmpZwkKygNrbZYe3oY1PZ3jEYPSAQzIObDF7LhdhLLrcfWa9BHOGMLnALNMY558b\nvoijTCEmRrSavdvrAS9LDRipEXT8EQOWZZT9VbPtgSBalvStdoupAptmPIWjXftf\nWi1kry+P0xVFZG9iZwUeAT6fSJ+gJD8M1UXWaQbocYrctESP0sZEFM3rzdWqrZb7\n3cH3K5OCvwIDAQABo1MwUTAdBgNVHQ4EFgQUsZdchgUimRHLiPRWw51+DGBmlfMw\nHwYDVR0jBBgwFoAUsZdchgUimRHLiPRWw51+DGBmlfMwDwYDVR0TAQH/BAUwAwEB\n/zANBgkqhkiG9w0BAQsFAAOCAQEANk25tt8sSfn6Qu1bbhWRbjKgS5z+j9LqyCna\nv3fbSchMthaQR7w0vL69ayroeYdqDZkRMmHjuYKY4NyqyXkkaqVO63wEicCo55d9\npIKuPzc/7xwdRephosjGTQ4QaQ4OnrdpJZieI92m9ODexgsab84AYmwNpbGOI/tK\nnPsQr8x1RfLs2gbBwQ4MYVM3tQQbX0o+yve5nz/NCOq4vdG+eKON5u6VYMkOOg9F\nVyNY1iISQkpNk/AF6Vi9BGuDb5Hg0phEl1Q0ntCO7ZHAUHjy0ucqXZiXoXdXZcs3\n3zKKLUKva59EDBZ5TUucvXh8VemBtNc6hd1mX4Tq7lAreG9pjQ==\n-----END CERTIFICATE-----\n",
  "subject_common_name": "Intranet Services Authority",
  "not_before": "2020-05-01T16:27:59Z",
  "not_after": "2021-05-01T16:27:59Z",
  "key_usages": [],
  "extended_key_usages": []
}
Fields
id string unique identifier for this Certificate Authority
uri string URI of the Certificate Authority API resource
created_at string timestamp when the Certificate Authority was created, RFC 3339 format
description string human-readable description of this Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this Certificate Authority. optional, max 4096 bytes.
ca_pem string raw PEM of the Certificate Authority
subject_common_name string subject common name of the Certificate Authority
not_before string timestamp when this Certificate Authority becomes valid, RFC 3339 format
not_after string timestamp when this Certificate Authority becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this Certificate Authority can be used for
extended_key_usages List<string> extended set of actions the private key of this Certificate Authority can be used for

Replace Circuit Breaker Module

Request
PUT/endpoint_configurations/{id}/circuit_breaker
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"tripped_duration":120,"rolling_window":300,"num_buckets":5,"volume_threshold":20,"error_threshold_percentage":0.2}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/circuit_breaker
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "tripped_duration": 120,
  "rolling_window": 300,
  "num_buckets": 5,
  "volume_threshold": 20,
  "error_threshold_percentage": 0.2
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0

Get Circuit Breaker Module

Request
GET/endpoint_configurations/{id}/circuit_breaker
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/circuit_breaker
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "tripped_duration": 120,
  "rolling_window": 300,
  "num_buckets": 5,
  "volume_threshold": 20,
  "error_threshold_percentage": 0.2
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0

Delete Circuit Breaker Module

Request
DELETE/endpoint_configurations/{id}/circuit_breaker
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/circuit_breaker
Response

Returns a 204 response with no body on success

Replace Compression Module

Request
PUT/endpoint_configurations/{id}/compression
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"enabled":false}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/compression
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
Response

Returns a 200 response on success

Example Response
{
  "enabled": false
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified

Get Compression Module

Request
GET/endpoint_configurations/{id}/compression
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/compression
Response

Returns a 200 response on success

Example Response
{
  "enabled": false
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified

Delete Compression Module

Request
DELETE/endpoint_configurations/{id}/compression
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/compression
Response

Returns a 204 response with no body on success

Create Endpoint Configuration

Create a new endpoint configuration

Request
POST/endpoint_configurations
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"type":"https","description":"app servers","request_headers":{"add":{"X-Frontend":"ngrok"},"remove":["Cache-Control"]}}' \
https://api.ngrok.com/endpoint_configurations
Parameters
type string they type of traffic this endpoint configuration can be applied to. one of: http, https, tcp
description string human-readable description of what this endpoint configuration will be do when applied or what traffic it will be applied to. Optional, max 255 bytes
metadata string arbitrary user-defined machine-readable data of this endpoint configuration. Optional, max 4096 bytes.
circuit_breaker EndpointCircuitBreaker circuit breaker module configuration or null
compression EndpointCompression compression module configuration or null
request_headers EndpointRequestHeaders request headers module configuration or null
response_headers EndpointResponseHeaders response headers module configuration or null
ip_policy EndpointIPPolicyMutate ip policy module configuration or null
mutual_tls EndpointMutualTLSMutate mutual TLS module configuration or null
tls_termination EndpointTLSTermination TLS termination module configuration or null
webhook_validation EndpointWebhookValidation webhook validation module configuration or null
oauth EndpointOAuth oauth module configuration or null
logging EndpointLoggingMutate logging module configuration or null
saml EndpointSAMLMutate saml module configuration or null
oidc EndpointOIDC oidc module configuration or null
EndpointCircuitBreaker parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0
EndpointCompression parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
EndpointRequestHeaders parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server
EndpointResponseHeaders parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client
EndpointIPPolicyMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policy_ids List<string> list of all IP policies that will be used to check if a source IP is allowed access to the endpoint
EndpointMutualTLSMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authority_ids List<string> list of certificate authorities that will be used to validate the TLS client certificate presnted by the initiatiator of the TLS connection
EndpointTLSTermination parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.
EndpointWebhookValidation parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret
EndpointOAuth parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider parameters
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointLoggingMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_stream_ids List<string> list of all EventStreams that will be used to configure and export this endpoint's logs
EndpointSAMLMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
EndpointOIDC parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.
Response

Returns a 200 response on success

Example Response
{
  "id": "ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
  "type": "https",
  "description": "app servers",
  "metadata": "",
  "created_at": "2020-10-22T08:23:26Z",
  "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
  "basic_auth": null,
  "circuit_breaker": null,
  "compression": null,
  "request_headers": {
    "enabled": true,
    "add": {
      "x-frontend": "ngrok"
    },
    "remove": [
      "cache-control"
    ]
  },
  "response_headers": null,
  "ip_policy": null,
  "mutual_tls": null,
  "tls_termination": null,
  "webhook_validation": null,
  "oauth": null,
  "logging": null,
  "saml": null,
  "oidc": null
}
Fields
id string unique identifier of this endpoint configuration
type string they type of traffic this endpoint configuration can be applied to. one of: http, https, tcp
description string human-readable description of what this endpoint configuration will be do when applied or what traffic it will be applied to. Optional, max 255 bytes
metadata string arbitrary user-defined machine-readable data of this endpoint configuration. Optional, max 4096 bytes.
created_at string timestamp when the endpoint configuration was created, RFC 3339 format
uri string URI of the endpoint configuration API resource
circuit_breaker EndpointCircuitBreaker circuit breaker module configuration or null
compression EndpointCompression compression module configuration or null
request_headers EndpointRequestHeaders request headers module configuration or null
response_headers EndpointResponseHeaders response headers module configuration or null
ip_policy EndpointIPPolicy ip policy module configuration or null
mutual_tls EndpointMutualTLS mutual TLS module configuration or null
tls_termination EndpointTLSTermination TLS termination module configuration or null
webhook_validation EndpointWebhookValidation webhook validation module configuration or null
oauth EndpointOAuth oauth module configuration or null
logging EndpointLogging logging module configuration or null
saml EndpointSAML saml module configuration or null
oidc EndpointOIDC oidc module configuration or null
EndpointCircuitBreaker fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0
EndpointCompression fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
EndpointRequestHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server
EndpointResponseHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client
EndpointIPPolicy fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policies Ref
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointMutualTLS fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authorities Ref PEM-encoded CA certificates that will be used to validate. Multiple CAs may be provided by concatenating them together.
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointTLSTermination fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.
EndpointWebhookValidation fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret
EndpointOAuth fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider fields
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointLogging fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_streams Ref list of all EventStreams that will be used to configure and export this endpoint's logs
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointSAML fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_id string The SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_url string The public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_url string The public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pem string PEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_url string A public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.
EndpointOIDC fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.

Delete Endpoint Configuration

Delete an endpoint configuration. This operation will fail if the endpoint configuration is still referenced by any reserved domain or reserved address.

Request
DELETE/endpoint_configurations/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL
Response

Returns a 204 response with no body on success

Get Endpoint Configuration

Returns detailed information about an endpoint configuration

Request
GET/endpoint_configurations/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL
Response

Returns a 200 response on success

Example Response
{
  "id": "ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
  "type": "https",
  "description": "app servers",
  "metadata": "",
  "created_at": "2020-10-22T08:23:26Z",
  "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
  "basic_auth": null,
  "circuit_breaker": null,
  "compression": null,
  "request_headers": {
    "enabled": true,
    "add": {
      "x-frontend": "ngrok"
    },
    "remove": [
      "cache-control"
    ]
  },
  "response_headers": null,
  "ip_policy": {
    "enabled": true,
    "ip_policies": [
      {
        "id": "ipp_1jE2cDOLHhizwOJcBPDuqUOPSxV",
        "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cDOLHhizwOJcBPDuqUOPSxV"
      }
    ]
  },
  "mutual_tls": null,
  "tls_termination": null,
  "webhook_validation": null,
  "oauth": null,
  "logging": null,
  "saml": null,
  "oidc": null
}
Fields
id string unique identifier of this endpoint configuration
type string they type of traffic this endpoint configuration can be applied to. one of: http, https, tcp
description string human-readable description of what this endpoint configuration will be do when applied or what traffic it will be applied to. Optional, max 255 bytes
metadata string arbitrary user-defined machine-readable data of this endpoint configuration. Optional, max 4096 bytes.
created_at string timestamp when the endpoint configuration was created, RFC 3339 format
uri string URI of the endpoint configuration API resource
circuit_breaker EndpointCircuitBreaker circuit breaker module configuration or null
compression EndpointCompression compression module configuration or null
request_headers EndpointRequestHeaders request headers module configuration or null
response_headers EndpointResponseHeaders response headers module configuration or null
ip_policy EndpointIPPolicy ip policy module configuration or null
mutual_tls EndpointMutualTLS mutual TLS module configuration or null
tls_termination EndpointTLSTermination TLS termination module configuration or null
webhook_validation EndpointWebhookValidation webhook validation module configuration or null
oauth EndpointOAuth oauth module configuration or null
logging EndpointLogging logging module configuration or null
saml EndpointSAML saml module configuration or null
oidc EndpointOIDC oidc module configuration or null
EndpointCircuitBreaker fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0
EndpointCompression fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
EndpointRequestHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server
EndpointResponseHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client
EndpointIPPolicy fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policies Ref
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointMutualTLS fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authorities Ref PEM-encoded CA certificates that will be used to validate. Multiple CAs may be provided by concatenating them together.
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointTLSTermination fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.
EndpointWebhookValidation fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret
EndpointOAuth fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider fields
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointLogging fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_streams Ref list of all EventStreams that will be used to configure and export this endpoint's logs
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointSAML fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_id string The SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_url string The public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_url string The public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pem string PEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_url string A public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.
EndpointOIDC fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.

List Endpoint Configurations

Returns a list of all endpoint configurations on this account

Request
GET/endpoint_configurations
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations
Response

Returns a 200 response on success

Example Response
{
  "endpoint_configurations": [
    {
      "id": "ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
      "type": "https",
      "description": "app servers",
      "metadata": "",
      "created_at": "2020-10-22T08:23:26Z",
      "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
      "basic_auth": null,
      "circuit_breaker": null,
      "compression": null,
      "request_headers": {
        "enabled": true,
        "add": {
          "x-frontend": "ngrok"
        },
        "remove": [
          "cache-control"
        ]
      },
      "response_headers": null,
      "ip_policy": null,
      "mutual_tls": null,
      "tls_termination": null,
      "webhook_validation": null,
      "oauth": null,
      "logging": null,
      "saml": null,
      "oidc": null
    },
    {
      "id": "ec_1jE2c7UZey38qy3l2queyo7zo0d",
      "type": "https",
      "description": "web servers",
      "metadata": "",
      "created_at": "2020-10-22T08:23:26Z",
      "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2c7UZey38qy3l2queyo7zo0d",
      "basic_auth": null,
      "circuit_breaker": {
        "enabled": true,
        "tripped_duration": 0,
        "rolling_window": 0,
        "num_buckets": 0,
        "volume_threshold": 0,
        "error_threshold_percentage": 0.2
      },
      "compression": {
        "enabled": true
      },
      "request_headers": null,
      "response_headers": {
        "enabled": true,
        "add": {
          "content-security-policy": "script-src 'self'",
          "x-frame-options": "DENY"
        },
        "remove": []
      },
      "ip_policy": null,
      "mutual_tls": null,
      "tls_termination": null,
      "webhook_validation": null,
      "oauth": null,
      "logging": null,
      "saml": null,
      "oidc": null
    }
  ],
  "uri": "https://api.ngrok.com/endpoint_configurations",
  "next_page_uri": null
}
Fields
endpoint_configurations EndpointConfiguration the list of all endpoint configurations on this account
uri string URI of the endpoint configurations list API resource
next_page_uri string URI of the next page, or null if there is no next page
EndpointConfiguration fields
id string unique identifier of this endpoint configuration
type string they type of traffic this endpoint configuration can be applied to. one of: http, https, tcp
description string human-readable description of what this endpoint configuration will be do when applied or what traffic it will be applied to. Optional, max 255 bytes
metadata string arbitrary user-defined machine-readable data of this endpoint configuration. Optional, max 4096 bytes.
created_at string timestamp when the endpoint configuration was created, RFC 3339 format
uri string URI of the endpoint configuration API resource
circuit_breaker EndpointCircuitBreaker circuit breaker module configuration or null
compression EndpointCompression compression module configuration or null
request_headers EndpointRequestHeaders request headers module configuration or null
response_headers EndpointResponseHeaders response headers module configuration or null
ip_policy EndpointIPPolicy ip policy module configuration or null
mutual_tls EndpointMutualTLS mutual TLS module configuration or null
tls_termination EndpointTLSTermination TLS termination module configuration or null
webhook_validation EndpointWebhookValidation webhook validation module configuration or null
oauth EndpointOAuth oauth module configuration or null
logging EndpointLogging logging module configuration or null
saml EndpointSAML saml module configuration or null
oidc EndpointOIDC oidc module configuration or null
EndpointCircuitBreaker fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0
EndpointCompression fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
EndpointRequestHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server
EndpointResponseHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client
EndpointIPPolicy fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policies Ref
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointMutualTLS fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authorities Ref PEM-encoded CA certificates that will be used to validate. Multiple CAs may be provided by concatenating them together.
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointTLSTermination fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.
EndpointWebhookValidation fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret
EndpointOAuth fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider fields
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointLogging fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_streams Ref list of all EventStreams that will be used to configure and export this endpoint's logs
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointSAML fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_id string The SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_url string The public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_url string The public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pem string PEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_url string A public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.
EndpointOIDC fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.

Update Endpoint Configuration

Updates an endpoint configuration. If a module is not specified in the update, it will not be modified. However, each module configuration that is specified will completely replace the existing value. There is no way to delete an existing module via this API, instead use the delete module API.

Request
PATCH/endpoint_configurations/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"ip_policy":{"ip_policy_ids":["ipp_1jE2cDOLHhizwOJcBPDuqUOPSxV"]}}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL
Parameters
id string unique identifier of this endpoint configuration
description string human-readable description of what this endpoint configuration will be do when applied or what traffic it will be applied to. Optional, max 255 bytes
metadata string arbitrary user-defined machine-readable data of this endpoint configuration. Optional, max 4096 bytes.
circuit_breaker EndpointCircuitBreaker circuit breaker module configuration or null
compression EndpointCompression compression module configuration or null
request_headers EndpointRequestHeaders request headers module configuration or null
response_headers EndpointResponseHeaders response headers module configuration or null
ip_policy EndpointIPPolicyMutate ip policy module configuration or null
mutual_tls EndpointMutualTLSMutate mutual TLS module configuration or null
tls_termination EndpointTLSTermination TLS termination module configuration or null
webhook_validation EndpointWebhookValidation webhook validation module configuration or null
oauth EndpointOAuth oauth module configuration or null
logging EndpointLoggingMutate logging module configuration or null
saml EndpointSAMLMutate saml module configuration or null
oidc EndpointOIDC oidc module configuration or null
EndpointCircuitBreaker parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0
EndpointCompression parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
EndpointRequestHeaders parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server
EndpointResponseHeaders parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client
EndpointIPPolicyMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policy_ids List<string> list of all IP policies that will be used to check if a source IP is allowed access to the endpoint
EndpointMutualTLSMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authority_ids List<string> list of certificate authorities that will be used to validate the TLS client certificate presnted by the initiatiator of the TLS connection
EndpointTLSTermination parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.
EndpointWebhookValidation parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret
EndpointOAuth parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider parameters
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointLoggingMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_stream_ids List<string> list of all EventStreams that will be used to configure and export this endpoint's logs
EndpointSAMLMutate parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
EndpointOIDC parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.
Response

Returns a 200 response on success

Example Response
{
  "id": "ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
  "type": "https",
  "description": "app servers",
  "metadata": "",
  "created_at": "2020-10-22T08:23:26Z",
  "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cAfZ3CzcKuVWbBb1brF5hvL",
  "basic_auth": null,
  "circuit_breaker": null,
  "compression": null,
  "request_headers": {
    "enabled": true,
    "add": {
      "x-frontend": "ngrok"
    },
    "remove": [
      "cache-control"
    ]
  },
  "response_headers": null,
  "ip_policy": {
    "enabled": true,
    "ip_policies": [
      {
        "id": "ipp_1jE2cDOLHhizwOJcBPDuqUOPSxV",
        "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cDOLHhizwOJcBPDuqUOPSxV"
      }
    ]
  },
  "mutual_tls": null,
  "tls_termination": null,
  "webhook_validation": null,
  "oauth": null,
  "logging": null,
  "saml": null,
  "oidc": null
}
Fields
id string unique identifier of this endpoint configuration
type string they type of traffic this endpoint configuration can be applied to. one of: http, https, tcp
description string human-readable description of what this endpoint configuration will be do when applied or what traffic it will be applied to. Optional, max 255 bytes
metadata string arbitrary user-defined machine-readable data of this endpoint configuration. Optional, max 4096 bytes.
created_at string timestamp when the endpoint configuration was created, RFC 3339 format
uri string URI of the endpoint configuration API resource
circuit_breaker EndpointCircuitBreaker circuit breaker module configuration or null
compression EndpointCompression compression module configuration or null
request_headers EndpointRequestHeaders request headers module configuration or null
response_headers EndpointResponseHeaders response headers module configuration or null
ip_policy EndpointIPPolicy ip policy module configuration or null
mutual_tls EndpointMutualTLS mutual TLS module configuration or null
tls_termination EndpointTLSTermination TLS termination module configuration or null
webhook_validation EndpointWebhookValidation webhook validation module configuration or null
oauth EndpointOAuth oauth module configuration or null
logging EndpointLogging logging module configuration or null
saml EndpointSAML saml module configuration or null
oidc EndpointOIDC oidc module configuration or null
EndpointCircuitBreaker fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
tripped_duration uint32 Integer number of seconds after which the circuit is tripped to wait before re-evaluating upstream health
rolling_window uint32 Integer number of seconds in the statistical rolling window that metrics are retained for.
num_buckets uint32 Integer number of buckets into which metrics are retained. Max 128.
volume_threshold uint32 Integer number of requests in a rolling window that will trip the circuit. Helpful if traffic volume is low.
error_threshold_percentage float64 Error threshold percentage should be between 0 - 1.0, not 0-100.0
EndpointCompression fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
EndpointRequestHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server
EndpointResponseHeaders fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client
EndpointIPPolicy fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policies Ref
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointMutualTLS fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authorities Ref PEM-encoded CA certificates that will be used to validate. Multiple CAs may be provided by concatenating them together.
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointTLSTermination fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.
EndpointWebhookValidation fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret
EndpointOAuth fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider fields
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointLogging fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_streams Ref list of all EventStreams that will be used to configure and export this endpoint's logs
Ref fields
id string a resource identifier
uri string a uri for locating a resource
EndpointSAML fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_id string The SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_url string The public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_url string The public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pem string PEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_url string A public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.
EndpointOIDC fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.

Create Event Destination

Create a new Event Destination. It will not apply to anything until it is associated with an Event Stream, and that Event Stream is associated with an Endpoint Config.

Request
POST/event_destinations
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"environment\":\"dev\"}","description":"kinesis dev stream","format":"json","target":{"kinesis":{"auth":{"creds":{"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","aws_secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}},"stream_arn":"arn:aws:kinesis:us-east-2:123456789012:stream/mystream2"}}}' \
https://api.ngrok.com/event_destinations
Parameters
metadata string Arbitrary user-defined machine-readable data of this Event Destination. Optional, max 4096 bytes.
description string Human-readable description of the Event Destination. Optional, max 255 bytes.
format string The output format you would like to serialize events into when sending to their target. Currently the only accepted value is JSON.
target EventTarget An object that encapsulates where and how to send your events. An event destination must contain exactly one of the following objects, leaving the rest null: kinesis, firehose, cloudwatch_logs, or s3.
EventTarget parameters
firehose EventTargetFirehose Configuration used to send events to Amazon Kinesis Data Firehose.
kinesis EventTargetKinesis Configuration used to send events to Amazon Kinesis.
cloudwatch_logs EventTargetCloudwatchLogs Configuration used to send events to Amazon CloudWatch Logs.
EventTargetFirehose parameters
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
delivery_stream_arn string An Amazon Resource Name specifying the Firehose delivery stream to deposit events into.
AWSAuth parameters
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole parameters
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials parameters
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetKinesis parameters
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
stream_arn string An Amazon Resource Name specifying the Kinesis stream to deposit events into.
AWSAuth parameters
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole parameters
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials parameters
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetCloudwatchLogs parameters
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
log_group_arn string An Amazon Resource Name specifying the CloudWatch Logs group to deposit events into.
AWSAuth parameters
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole parameters
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials parameters
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
Response

Returns a 200 response on success

Example Response
{
  "id": "ed_1lCDOwmB464y7RkboPIPYl9Afjf",
  "metadata": "{\"environment\":\"dev\"}",
  "created_at": "2020-12-04T14:29:10Z",
  "description": "kinesis dev stream",
  "format": "json",
  "target": {
    "firehose": null,
    "kinesis": {
      "auth": {
        "role": null,
        "creds": {
          "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
          "aws_secret_access_key": null
        }
      },
      "stream_arn": "arn:aws:kinesis:us-east-2:123456789012:stream/mystream2"
    },
    "cloudwatch_logs": null
  },
  "uri": "https://api.ngrok.com/event_destinations/1lCDOwmB464y7RkboPIPYl9Afjf"
}
Fields
id string Unique identifier for this Event Destination.
metadata string Arbitrary user-defined machine-readable data of this Event Destination. Optional, max 4096 bytes.
created_at string Timestamp when the Event Destination was created, RFC 3339 format.
description string Human-readable description of the Event Destination. Optional, max 255 bytes.
format string The output format you would like to serialize events into when sending to their target. Currently the only accepted value is JSON.
target EventTarget An object that encapsulates where and how to send your events. An event destination must contain exactly one of the following objects, leaving the rest null: kinesis, firehose, cloudwatch_logs, or s3.
uri string URI of the Event Destination API resource.
EventTarget fields
firehose EventTargetFirehose Configuration used to send events to Amazon Kinesis Data Firehose.
kinesis EventTargetKinesis Configuration used to send events to Amazon Kinesis.
cloudwatch_logs EventTargetCloudwatchLogs Configuration used to send events to Amazon CloudWatch Logs.
EventTargetFirehose fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
delivery_stream_arn string An Amazon Resource Name specifying the Firehose delivery stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetKinesis fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
stream_arn string An Amazon Resource Name specifying the Kinesis stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetCloudwatchLogs fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
log_group_arn string An Amazon Resource Name specifying the CloudWatch Logs group to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.

Delete Event Destination

Delete an Event Destination. If the Event Destination is still referenced by an Event Stream, this will throw an error until that Event Stream has removed that reference.

Request
DELETE/event_destinations/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/event_destinations/ed_1lCDOwmB464y7RkboPIPYl9Afjf
Response

Returns a 204 response with no body on success

Get Event Destination

Get detailed information about an Event Destination by ID.

Request
GET/event_destinations/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/event_destinations/ed_1lCDOwmB464y7RkboPIPYl9Afjf
Response

Returns a 200 response on success

Example Response
{
  "id": "ed_1lCDOwmB464y7RkboPIPYl9Afjf",
  "metadata": "{\"environment\":\"dev\", \"stream\":1}",
  "created_at": "2020-12-04T14:29:10Z",
  "description": "kinesis dev stream 1 of 3",
  "format": "json",
  "target": {
    "firehose": null,
    "kinesis": {
      "auth": {
        "role": null,
        "creds": {
          "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
          "aws_secret_access_key": null
        }
      },
      "stream_arn": "arn:aws:kinesis:us-east-2:123456789012:stream/mystream2"
    },
    "cloudwatch_logs": null
  },
  "uri": "https://api.ngrok.com/event_destinations/1lCDOwmB464y7RkboPIPYl9Afjf"
}
Fields
id string Unique identifier for this Event Destination.
metadata string Arbitrary user-defined machine-readable data of this Event Destination. Optional, max 4096 bytes.
created_at string Timestamp when the Event Destination was created, RFC 3339 format.
description string Human-readable description of the Event Destination. Optional, max 255 bytes.
format string The output format you would like to serialize events into when sending to their target. Currently the only accepted value is JSON.
target EventTarget An object that encapsulates where and how to send your events. An event destination must contain exactly one of the following objects, leaving the rest null: kinesis, firehose, cloudwatch_logs, or s3.
uri string URI of the Event Destination API resource.
EventTarget fields
firehose EventTargetFirehose Configuration used to send events to Amazon Kinesis Data Firehose.
kinesis EventTargetKinesis Configuration used to send events to Amazon Kinesis.
cloudwatch_logs EventTargetCloudwatchLogs Configuration used to send events to Amazon CloudWatch Logs.
EventTargetFirehose fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
delivery_stream_arn string An Amazon Resource Name specifying the Firehose delivery stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetKinesis fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
stream_arn string An Amazon Resource Name specifying the Kinesis stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetCloudwatchLogs fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
log_group_arn string An Amazon Resource Name specifying the CloudWatch Logs group to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.

List Event Destinations

List all Event Destinations on this account.

Request
GET/event_destinations
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/event_destinations
Response

Returns a 200 response on success

Example Response
{
  "event_destinations": [
    {
      "id": "ed_1lCDOwmB464y7RkboPIPYl9Afjf",
      "metadata": "{\"environment\":\"dev\"}",
      "created_at": "2020-12-04T14:29:10Z",
      "description": "kinesis dev stream",
      "format": "json",
      "target": {
        "firehose": null,
        "kinesis": {
          "auth": {
            "role": null,
            "creds": {
              "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
              "aws_secret_access_key": null
            }
          },
          "stream_arn": "arn:aws:kinesis:us-east-2:123456789012:stream/mystream2"
        },
        "cloudwatch_logs": null
      },
      "uri": "https://api.ngrok.com/event_destinations/1lCDOwmB464y7RkboPIPYl9Afjf"
    },
    {
      "id": "ed_1lCDOtvMfYDcdJ7uGnusPeH99iF",
      "metadata": "",
      "created_at": "2020-12-04T14:29:10Z",
      "description": "",
      "format": "json",
      "target": {
        "firehose": null,
        "kinesis": {
          "auth": {
            "role": null,
            "creds": {
              "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
              "aws_secret_access_key": null
            }
          },
          "stream_arn": "arn:aws:kinesis:us-east-2:123456789012:stream/mystream1"
        },
        "cloudwatch_logs": null
      },
      "uri": "https://api.ngrok.com/event_destinations/1lCDOtvMfYDcdJ7uGnusPeH99iF"
    },
    {
      "id": "ed_1lCDOlSfOIacu6zDcD4b3RBYP8I",
      "metadata": "",
      "created_at": "2020-12-04T14:29:09Z",
      "description": "",
      "format": "json",
      "target": {
        "firehose": null,
        "kinesis": {
          "auth": {
            "role": null,
            "creds": {
              "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
              "aws_secret_access_key": null
            }
          },
          "stream_arn": "arn:aws:kinesis:us-east-2:123456789012:stream/mystream"
        },
        "cloudwatch_logs": null
      },
      "uri": "https://api.ngrok.com/event_destinations/1lCDOlSfOIacu6zDcD4b3RBYP8I"
    }
  ],
  "uri": "https://api.ngrok.com/event_destinations",
  "next_page_uri": null
}
Fields
event_destinations EventDestination The list of all Event Destinations on this account.
uri string URI of the Event Destinations list API resource.
next_page_uri string URI of the next page, or null if there is no next page.
EventDestination fields
id string Unique identifier for this Event Destination.
metadata string Arbitrary user-defined machine-readable data of this Event Destination. Optional, max 4096 bytes.
created_at string Timestamp when the Event Destination was created, RFC 3339 format.
description string Human-readable description of the Event Destination. Optional, max 255 bytes.
format string The output format you would like to serialize events into when sending to their target. Currently the only accepted value is JSON.
target EventTarget An object that encapsulates where and how to send your events. An event destination must contain exactly one of the following objects, leaving the rest null: kinesis, firehose, cloudwatch_logs, or s3.
uri string URI of the Event Destination API resource.
EventTarget fields
firehose EventTargetFirehose Configuration used to send events to Amazon Kinesis Data Firehose.
kinesis EventTargetKinesis Configuration used to send events to Amazon Kinesis.
cloudwatch_logs EventTargetCloudwatchLogs Configuration used to send events to Amazon CloudWatch Logs.
EventTargetFirehose fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
delivery_stream_arn string An Amazon Resource Name specifying the Firehose delivery stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetKinesis fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
stream_arn string An Amazon Resource Name specifying the Kinesis stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetCloudwatchLogs fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
log_group_arn string An Amazon Resource Name specifying the CloudWatch Logs group to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.

Update Event Destination

Update attributes of an Event Destination.

Request
PATCH/event_destinations/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"environment\":\"dev\", \"stream\":1}","description":"kinesis dev stream 1 of 3"}' \
https://api.ngrok.com/event_destinations/ed_1lCDOwmB464y7RkboPIPYl9Afjf
Parameters
id string Unique identifier for this Event Destination.
metadata string Arbitrary user-defined machine-readable data of this Event Destination. Optional, max 4096 bytes.
description string Human-readable description of the Event Destination. Optional, max 255 bytes.
format string The output format you would like to serialize events into when sending to their target. Currently the only accepted value is JSON.
target EventTarget An object that encapsulates where and how to send your events. An event destination must contain exactly one of the following objects, leaving the rest null: kinesis, firehose, cloudwatch_logs, or s3.
EventTarget parameters
firehose EventTargetFirehose Configuration used to send events to Amazon Kinesis Data Firehose.
kinesis EventTargetKinesis Configuration used to send events to Amazon Kinesis.
cloudwatch_logs EventTargetCloudwatchLogs Configuration used to send events to Amazon CloudWatch Logs.
EventTargetFirehose parameters
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
delivery_stream_arn string An Amazon Resource Name specifying the Firehose delivery stream to deposit events into.
AWSAuth parameters
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole parameters
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials parameters
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetKinesis parameters
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
stream_arn string An Amazon Resource Name specifying the Kinesis stream to deposit events into.
AWSAuth parameters
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole parameters
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials parameters
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetCloudwatchLogs parameters
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
log_group_arn string An Amazon Resource Name specifying the CloudWatch Logs group to deposit events into.
AWSAuth parameters
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole parameters
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials parameters
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
Response

Returns a 200 response on success

Example Response
{
  "id": "ed_1lCDOwmB464y7RkboPIPYl9Afjf",
  "metadata": "{\"environment\":\"dev\", \"stream\":1}",
  "created_at": "2020-12-04T14:29:10Z",
  "description": "kinesis dev stream 1 of 3",
  "format": "json",
  "target": {
    "firehose": null,
    "kinesis": {
      "auth": {
        "role": null,
        "creds": {
          "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
          "aws_secret_access_key": null
        }
      },
      "stream_arn": "arn:aws:kinesis:us-east-2:123456789012:stream/mystream2"
    },
    "cloudwatch_logs": null
  },
  "uri": "https://api.ngrok.com/event_destinations/1lCDOwmB464y7RkboPIPYl9Afjf"
}
Fields
id string Unique identifier for this Event Destination.
metadata string Arbitrary user-defined machine-readable data of this Event Destination. Optional, max 4096 bytes.
created_at string Timestamp when the Event Destination was created, RFC 3339 format.
description string Human-readable description of the Event Destination. Optional, max 255 bytes.
format string The output format you would like to serialize events into when sending to their target. Currently the only accepted value is JSON.
target EventTarget An object that encapsulates where and how to send your events. An event destination must contain exactly one of the following objects, leaving the rest null: kinesis, firehose, cloudwatch_logs, or s3.
uri string URI of the Event Destination API resource.
EventTarget fields
firehose EventTargetFirehose Configuration used to send events to Amazon Kinesis Data Firehose.
kinesis EventTargetKinesis Configuration used to send events to Amazon Kinesis.
cloudwatch_logs EventTargetCloudwatchLogs Configuration used to send events to Amazon CloudWatch Logs.
EventTargetFirehose fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
delivery_stream_arn string An Amazon Resource Name specifying the Firehose delivery stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetKinesis fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
stream_arn string An Amazon Resource Name specifying the Kinesis stream to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.
EventTargetCloudwatchLogs fields
auth AWSAuth Configuration for how to authenticate into your AWS account. Exactly one of role or creds should be configured.
log_group_arn string An Amazon Resource Name specifying the CloudWatch Logs group to deposit events into.
AWSAuth fields
role AWSRole A role for ngrok to assume on your behalf to deposit events into your AWS account.
creds AWSCredentials Credentials to your AWS account if you prefer ngrok to sign in with long-term access keys.
AWSRole fields
role_arn string An ARN that specifies the role that ngrok should use to deliver to the configured target.
AWSCredentials fields
aws_access_key_id string The ID portion of an AWS access key.
aws_secret_access_key string The secret portion of an AWS access key.

Create Event Stream

Create a new Event Stream. It will not apply to anything until you associate it with one or more Endpoint Configs.

Request
POST/event_streams
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"environment\": \"staging\"}","description":"low sampling, basic HTTP logs","fields":["http.request.method","http.response.status_code","conn.client_ip"],"event_type":"http_request_complete","destination_ids":["ed_1lCDOtvMfYDcdJ7uGnusPeH99iF"],"sampling_rate":0.1}' \
https://api.ngrok.com/event_streams
Parameters
metadata string Arbitrary user-defined machine-readable data of this Event Stream. Optional, max 4096 bytes.
description string Human-readable description of the Event Stream. Optional, max 255 bytes.
fields List<string> A list of protocol-specific fields you want to collect on each event.
event_type string The protocol that determines which events will be collected. Supported values are tcp_connection_closed and http_request_complete.
destination_ids List<string> A list of Event Destination IDs which should be used for this Event Stream. Event Streams are required to have at least one Event Destination.
sampling_rate float64 The percentage of all events you would like to capture. Valid values range from 0.01, representing 1% of all events to 1.00, representing 100% of all events.
Response

Returns a 200 response on success

Example Response
{
  "id": "es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
  "uri": "https://api.ngrok.com/event_streams/es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
  "created_at": "2020-12-04T14:29:10Z",
  "metadata": "{\"environment\": \"staging\"}",
  "description": "low sampling, basic HTTP logs",
  "fields": [
    "http.request.method",
    "http.response.status_code",
    "conn.client_ip"
  ],
  "event_type": "http_request_complete",
  "destination_ids": [
    "ed_1lCDOtvMfYDcdJ7uGnusPeH99iF"
  ],
  "sampling_rate": 0.1
}
Fields
id string Unique identifier for this Event Stream.
uri string URI of the Event Stream API resource.
created_at string Timestamp when the Event Stream was created, RFC 3339 format.
metadata string Arbitrary user-defined machine-readable data of this Event Stream. Optional, max 4096 bytes.
description string Human-readable description of the Event Stream. Optional, max 255 bytes.
fields List<string> A list of protocol-specific fields you want to collect on each event.
event_type string The protocol that determines which events will be collected. Supported values are tcp_connection_closed and http_request_complete.
destination_ids List<string> A list of Event Destination IDs which should be used for this Event Stream. Event Streams are required to have at least one Event Destination.
sampling_rate float64 The percentage of all events you would like to capture. Valid values range from 0.01, representing 1% of all events to 1.00, representing 100% of all events.

Delete Event Stream

Delete an Event Stream. Associated Event Destinations will be preserved.

Request
DELETE/event_streams/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/event_streams/es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM
Response

Returns a 204 response with no body on success

Get Event Stream

Get detailed information about an Event Stream by ID.

Request
GET/event_streams/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/event_streams/es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM
Response

Returns a 200 response on success

Example Response
{
  "id": "es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
  "uri": "https://api.ngrok.com/event_streams/es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
  "created_at": "2020-12-04T14:29:10Z",
  "metadata": "{\"environment\": \"staging\"}",
  "description": "medium sampling, basic HTTP logs",
  "fields": [
    "http.request.method",
    "http.response.status_code",
    "conn.client_ip"
  ],
  "event_type": "http_request_complete",
  "destination_ids": [
    "ed_1lCDOtvMfYDcdJ7uGnusPeH99iF"
  ],
  "sampling_rate": 0.3
}
Fields
id string Unique identifier for this Event Stream.
uri string URI of the Event Stream API resource.
created_at string Timestamp when the Event Stream was created, RFC 3339 format.
metadata string Arbitrary user-defined machine-readable data of this Event Stream. Optional, max 4096 bytes.
description string Human-readable description of the Event Stream. Optional, max 255 bytes.
fields List<string> A list of protocol-specific fields you want to collect on each event.
event_type string The protocol that determines which events will be collected. Supported values are tcp_connection_closed and http_request_complete.
destination_ids List<string> A list of Event Destination IDs which should be used for this Event Stream. Event Streams are required to have at least one Event Destination.
sampling_rate float64 The percentage of all events you would like to capture. Valid values range from 0.01, representing 1% of all events to 1.00, representing 100% of all events.

List Event Streams

List all Event Streams available on this account.

Request
GET/event_streams
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/event_streams
Response

Returns a 200 response on success

Example Response
{
  "event_streams": [
    {
      "id": "es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
      "uri": "https://api.ngrok.com/event_streams/es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
      "created_at": "2020-12-04T14:29:10Z",
      "metadata": "{\"environment\": \"staging\"}",
      "description": "low sampling, basic HTTP logs",
      "fields": [
        "http.request.method",
        "http.response.status_code",
        "conn.client_ip"
      ],
      "event_type": "http_request_complete",
      "destination_ids": [
        "ed_1lCDOtvMfYDcdJ7uGnusPeH99iF"
      ],
      "sampling_rate": 0.1
    },
    {
      "id": "es_1lCDOqSIg8AuyOhLBlEfcs5QfJo",
      "uri": "https://api.ngrok.com/event_streams/es_1lCDOqSIg8AuyOhLBlEfcs5QfJo",
      "created_at": "2020-12-04T14:29:09Z",
      "metadata": "",
      "description": "",
      "fields": [
        "http.request.method",
        "http.response.status_code",
        "conn.client_ip"
      ],
      "event_type": "http_request_complete",
      "destination_ids": [
        "ed_1lCDOlSfOIacu6zDcD4b3RBYP8I"
      ],
      "sampling_rate": 0.1
    },
    {
      "id": "es_1lCDOjCj5z6Ney9fKpobNEFXZEG",
      "uri": "https://api.ngrok.com/event_streams/es_1lCDOjCj5z6Ney9fKpobNEFXZEG",
      "created_at": "2020-12-04T14:29:09Z",
      "metadata": "",
      "description": "",
      "fields": [
        "http.request.method",
        "http.response.status_code",
        "conn.client_ip"
      ],
      "event_type": "http_request_complete",
      "destination_ids": [
        "ed_1lCDOlSfOIacu6zDcD4b3RBYP8I"
      ],
      "sampling_rate": 0.1
    }
  ],
  "uri": "https://api.ngrok.com/event_streams",
  "next_page_uri": null
}
Fields
event_streams EventStream The list of all Event Streams on this account.
uri string URI of the Event Stream list API resource.
next_page_uri string URI of the next page, or null if there is no next page.
EventStream fields
id string Unique identifier for this Event Stream.
uri string URI of the Event Stream API resource.
created_at string Timestamp when the Event Stream was created, RFC 3339 format.
metadata string Arbitrary user-defined machine-readable data of this Event Stream. Optional, max 4096 bytes.
description string Human-readable description of the Event Stream. Optional, max 255 bytes.
fields List<string> A list of protocol-specific fields you want to collect on each event.
event_type string The protocol that determines which events will be collected. Supported values are tcp_connection_closed and http_request_complete.
destination_ids List<string> A list of Event Destination IDs which should be used for this Event Stream. Event Streams are required to have at least one Event Destination.
sampling_rate float64 The percentage of all events you would like to capture. Valid values range from 0.01, representing 1% of all events to 1.00, representing 100% of all events.

Update Event Stream

Update attributes of an Event Stream by ID.

Request
PATCH/event_streams/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"medium sampling, basic HTTP logs","sampling_rate":0.3}' \
https://api.ngrok.com/event_streams/es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM
Parameters
id string Unique identifier for this Event Stream.
metadata string Arbitrary user-defined machine-readable data of this Event Stream. Optional, max 4096 bytes.
description string Human-readable description of the Event Stream. Optional, max 255 bytes.
fields List<string> A list of protocol-specific fields you want to collect on each event.
destination_ids List<string> A list of Event Destination IDs which should be used for this Event Stream. Event Streams are required to have at least one Event Destination.
sampling_rate float64 The percentage of all events you would like to capture. Valid values range from 0.01, representing 1% of all events to 1.00, representing 100% of all events.
Response

Returns a 200 response on success

Example Response
{
  "id": "es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
  "uri": "https://api.ngrok.com/event_streams/es_1lCDOwp9T5Ii7Bpnpl7IAuhXWLM",
  "created_at": "2020-12-04T14:29:10Z",
  "metadata": "{\"environment\": \"staging\"}",
  "description": "medium sampling, basic HTTP logs",
  "fields": [
    "http.request.method",
    "http.response.status_code",
    "conn.client_ip"
  ],
  "event_type": "http_request_complete",
  "destination_ids": [
    "ed_1lCDOtvMfYDcdJ7uGnusPeH99iF"
  ],
  "sampling_rate": 0.3
}
Fields
id string Unique identifier for this Event Stream.
uri string URI of the Event Stream API resource.
created_at string Timestamp when the Event Stream was created, RFC 3339 format.
metadata string Arbitrary user-defined machine-readable data of this Event Stream. Optional, max 4096 bytes.
description string Human-readable description of the Event Stream. Optional, max 255 bytes.
fields List<string> A list of protocol-specific fields you want to collect on each event.
event_type string The protocol that determines which events will be collected. Supported values are tcp_connection_closed and http_request_complete.
destination_ids List<string> A list of Event Destination IDs which should be used for this Event Stream. Event Streams are required to have at least one Event Destination.
sampling_rate float64 The percentage of all events you would like to capture. Valid values range from 0.01, representing 1% of all events to 1.00, representing 100% of all events.

Create IP Policy

Create a new IP policy. It will not apply to any traffic until you associate to a traffic source via an endpoint configuration or IP restriction.

Request
POST/ip_policies
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"API Outbound Gateway","action":"allow"}' \
https://api.ngrok.com/ip_policies
Parameters
description string human-readable description of the source IPs of this IP policy. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy. optional, max 4096 bytes.
action string the IP policy action. Supported values are allow or deny
Response

Returns a 200 response on success

Example Response
{
  "id": "ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
  "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
  "created_at": "2020-10-22T08:23:26Z",
  "description": "API Outbound Gateway",
  "metadata": "",
  "action": "allow"
}
Fields
id string unique identifier for this IP policy
uri string URI of the IP Policy API resource
created_at string timestamp when the IP policy was created, RFC 3339 format
description string human-readable description of the source IPs of this IP policy. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy. optional, max 4096 bytes.
action string the IP policy action. Supported values are allow or deny

Delete IP Policy

Delete an IP policy. If the IP policy is referenced by another object for the purposes of traffic restriction it will be treated as if the IP policy remains but has zero rules.

Request
DELETE/ip_policies/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_policies/ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m
Response

Returns a 204 response with no body on success

Get IP Policy

Get detailed information about an IP policy by ID.

Request
GET/ip_policies/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_policies/ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m
Response

Returns a 200 response on success

Example Response
{
  "id": "ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
  "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
  "created_at": "2020-10-22T08:23:26Z",
  "description": "API Outbound Gateway",
  "metadata": "metadata={\"pod-id\": \"b3d9c464-4f48-4783-a741-d7d7d5db310f\"}",
  "action": "allow"
}
Fields
id string unique identifier for this IP policy
uri string URI of the IP Policy API resource
created_at string timestamp when the IP policy was created, RFC 3339 format
description string human-readable description of the source IPs of this IP policy. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy. optional, max 4096 bytes.
action string the IP policy action. Supported values are allow or deny

List IP Policies

List all IP policies on this account

Request
GET/ip_policies
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_policies
Response

Returns a 200 response on success

Example Response
{
  "ip_policies": [
    {
      "id": "ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
      "created_at": "2020-10-22T08:23:26Z",
      "description": "API Outbound Gateway",
      "metadata": "",
      "action": "allow"
    },
    {
      "id": "ipp_1jE2c5VSBcWDNIhIqsVqtK85WE7",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2c5VSBcWDNIhIqsVqtK85WE7",
      "created_at": "2020-10-22T08:23:26Z",
      "description": "Developer Environments",
      "metadata": "",
      "action": "allow"
    }
  ],
  "uri": "https://api.ngrok.com/ip_policies",
  "next_page_uri": null
}
Fields
ip_policies IPPolicy the list of all IP policies on this account
uri string URI of the IP policy list API resource
next_page_uri string URI of the next page, or null if there is no next page
IPPolicy fields
id string unique identifier for this IP policy
uri string URI of the IP Policy API resource
created_at string timestamp when the IP policy was created, RFC 3339 format
description string human-readable description of the source IPs of this IP policy. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy. optional, max 4096 bytes.
action string the IP policy action. Supported values are allow or deny

Update IP Policy

Update attributes of an IP policy by ID

Request
PATCH/ip_policies/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"metadata={\"pod-id\": \"b3d9c464-4f48-4783-a741-d7d7d5db310f\"}"}' \
https://api.ngrok.com/ip_policies/ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m
Parameters
id string
description string human-readable description of the source IPs of this IP policy. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
  "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cAAyqnsF07IfRwXOY0jMA3m",
  "created_at": "2020-10-22T08:23:26Z",
  "description": "API Outbound Gateway",
  "metadata": "metadata={\"pod-id\": \"b3d9c464-4f48-4783-a741-d7d7d5db310f\"}",
  "action": "allow"
}
Fields
id string unique identifier for this IP policy
uri string URI of the IP Policy API resource
created_at string timestamp when the IP policy was created, RFC 3339 format
description string human-readable description of the source IPs of this IP policy. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy. optional, max 4096 bytes.
action string the IP policy action. Supported values are allow or deny

Replace IP Policy Module

Request
PUT/endpoint_configurations/{id}/ip_policy
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"ip_policy_ids":["ipp_1jE2cliL3jjxhVJWfNHJtcF7Ukx"]}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/ip_policy
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policy_ids List<string> list of all IP policies that will be used to check if a source IP is allowed access to the endpoint
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "ip_policies": [
    {
      "id": "ipp_1jE2cliL3jjxhVJWfNHJtcF7Ukx",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cliL3jjxhVJWfNHJtcF7Ukx"
    }
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policies Ref
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Get IP Policy Module

Request
GET/endpoint_configurations/{id}/ip_policy
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/ip_policy
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "ip_policies": [
    {
      "id": "ipp_1jE2cliL3jjxhVJWfNHJtcF7Ukx",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cliL3jjxhVJWfNHJtcF7Ukx"
    }
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
ip_policies Ref
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Delete IP Policy Module

Request
DELETE/endpoint_configurations/{id}/ip_policy
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/ip_policy
Response

Returns a 204 response with no body on success

Create IP Policy Rule

Create a new IP policy rule attached to an IP Policy.

Request
POST/ip_policy_rules
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"nyc office","cidr":"212.3.14.0/24","ip_policy_id":"ipp_1jE2clSDsO85GIJrfS1yKq9StkD"}' \
https://api.ngrok.com/ip_policy_rules
Parameters
description string human-readable description of the source IPs of this IP rule. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy rule. optional, max 4096 bytes.
cidr string an IP or IP range specified in CIDR notation. IPv4 and IPv6 are both supported.
ip_policy_id string ID of the IP policy this IP policy rule will be attached to
Response

Returns a 200 response on success

Example Response
{
  "id": "ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
  "uri": "https://api.ngrok.com/ip_policy_rules/ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
  "created_at": "2020-10-22T08:23:31Z",
  "description": "nyc office",
  "metadata": "",
  "cidr": "212.3.14.0/24",
  "ip_policy": {
    "id": "ipp_1jE2clSDsO85GIJrfS1yKq9StkD",
    "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2clSDsO85GIJrfS1yKq9StkD"
  }
}
Fields
id string unique identifier for this IP policy rule
uri string URI of the IP policy rule API resource
created_at string timestamp when the IP policy rule was created, RFC 3339 format
description string human-readable description of the source IPs of this IP rule. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy rule. optional, max 4096 bytes.
cidr string an IP or IP range specified in CIDR notation. IPv4 and IPv6 are both supported.
ip_policy Ref object describing the IP policy this IP Policy Rule belongs to
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Delete IP Policy Rule

Delete an IP policy rule.

Request
DELETE/ip_policy_rules/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_policy_rules/ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv
Response

Returns a 204 response with no body on success

Get IP Policy Rule

Get detailed information about an IP policy rule by ID.

Request
GET/ip_policy_rules/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_policy_rules/ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv
Response

Returns a 200 response on success

Example Response
{
  "id": "ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
  "uri": "https://api.ngrok.com/ip_policy_rules/ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
  "created_at": "2020-10-22T08:23:31Z",
  "description": "nyc office",
  "metadata": "",
  "cidr": "212.3.15.0/24",
  "ip_policy": {
    "id": "ipp_1jE2clSDsO85GIJrfS1yKq9StkD",
    "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2clSDsO85GIJrfS1yKq9StkD"
  }
}
Fields
id string unique identifier for this IP policy rule
uri string URI of the IP policy rule API resource
created_at string timestamp when the IP policy rule was created, RFC 3339 format
description string human-readable description of the source IPs of this IP rule. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy rule. optional, max 4096 bytes.
cidr string an IP or IP range specified in CIDR notation. IPv4 and IPv6 are both supported.
ip_policy Ref object describing the IP policy this IP Policy Rule belongs to
Ref fields
id string a resource identifier
uri string a uri for locating a resource

List IP Policy Rules

List all IP policy rules on this account

Request
GET/ip_policy_rules
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_policy_rules
Response

Returns a 200 response on success

Example Response
{
  "ip_policy_rules": [
    {
      "id": "ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
      "uri": "https://api.ngrok.com/ip_policy_rules/ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
      "created_at": "2020-10-22T08:23:31Z",
      "description": "nyc office",
      "metadata": "",
      "cidr": "212.3.14.0/24",
      "ip_policy": {
        "id": "ipp_1jE2clSDsO85GIJrfS1yKq9StkD",
        "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2clSDsO85GIJrfS1yKq9StkD"
      }
    },
    {
      "id": "ipr_1jE2cn9BL7oeWWUfo6MikYhQTAp",
      "uri": "https://api.ngrok.com/ip_policy_rules/ipr_1jE2cn9BL7oeWWUfo6MikYhQTAp",
      "created_at": "2020-10-22T08:23:31Z",
      "description": "sf office",
      "metadata": "",
      "cidr": "132.2.19.0/24",
      "ip_policy": {
        "id": "ipp_1jE2clSDsO85GIJrfS1yKq9StkD",
        "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2clSDsO85GIJrfS1yKq9StkD"
      }
    },
    {
      "id": "ipr_1jE2cjgsZivIa8Qy32fG9UeJP1H",
      "uri": "https://api.ngrok.com/ip_policy_rules/ipr_1jE2cjgsZivIa8Qy32fG9UeJP1H",
      "created_at": "2020-10-22T08:23:31Z",
      "description": "alan laptop",
      "metadata": "",
      "cidr": "2.2.2.2/32",
      "ip_policy": {
        "id": "ipp_1jE2clSDsO85GIJrfS1yKq9StkD",
        "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2clSDsO85GIJrfS1yKq9StkD"
      }
    }
  ],
  "uri": "https://api.ngrok.com/ip_policy_rules",
  "next_page_uri": null
}
Fields
ip_policy_rules IPPolicyRule the list of all IP policy rules on this account
uri string URI of the IP policy rule list API resource
next_page_uri string URI of the next page, or null if there is no next page
IPPolicyRule fields
id string unique identifier for this IP policy rule
uri string URI of the IP policy rule API resource
created_at string timestamp when the IP policy rule was created, RFC 3339 format
description string human-readable description of the source IPs of this IP rule. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy rule. optional, max 4096 bytes.
cidr string an IP or IP range specified in CIDR notation. IPv4 and IPv6 are both supported.
ip_policy Ref object describing the IP policy this IP Policy Rule belongs to
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Update IP Policy Rule

Update attributes of an IP policy rule by ID

Request
PATCH/ip_policy_rules/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"cidr":"212.3.15.0/24"}' \
https://api.ngrok.com/ip_policy_rules/ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv
Parameters
id string
description string human-readable description of the source IPs of this IP rule. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy rule. optional, max 4096 bytes.
cidr string an IP or IP range specified in CIDR notation. IPv4 and IPv6 are both supported.
Response

Returns a 200 response on success

Example Response
{
  "id": "ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
  "uri": "https://api.ngrok.com/ip_policy_rules/ipr_1jE2co6PVbbWtuzJ1EdsWEqmzBv",
  "created_at": "2020-10-22T08:23:31Z",
  "description": "nyc office",
  "metadata": "",
  "cidr": "212.3.15.0/24",
  "ip_policy": {
    "id": "ipp_1jE2clSDsO85GIJrfS1yKq9StkD",
    "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2clSDsO85GIJrfS1yKq9StkD"
  }
}
Fields
id string unique identifier for this IP policy rule
uri string URI of the IP policy rule API resource
created_at string timestamp when the IP policy rule was created, RFC 3339 format
description string human-readable description of the source IPs of this IP rule. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP policy rule. optional, max 4096 bytes.
cidr string an IP or IP range specified in CIDR notation. IPv4 and IPv6 are both supported.
ip_policy Ref object describing the IP policy this IP Policy Rule belongs to
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Create IP Restriction

Create a new IP restriction

Request
POST/ip_restrictions
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"type":"dashboard","ip_policy_ids":["ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe"]}' \
https://api.ngrok.com/ip_restrictions
Parameters
description string human-readable description of this IP restriction. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP restriction. optional, max 4096 bytes.
enforced boolean true if the IP restriction will be enforce. if false, only warnings will be issued
type string the type of IP restriction. this defines what traffic will be restricted with the attached policies. four values are currently supported: dashboard, api, agent, and endpoints
ip_policy_ids List<string>
Response

Returns a 200 response on success

Example Response
{
  "id": "ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
  "uri": "https://api.ngrok.com/ip_restrictions/ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "",
  "metadata": "",
  "enforced": false,
  "type": "dashboard",
  "ip_policies": [
    {
      "id": "ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe"
    }
  ]
}
Fields
id string unique identifier for this IP restriction
uri string URI of the IP restriction API resource
created_at string timestamp when the IP restriction was created, RFC 3339 format
description string human-readable description of this IP restriction. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP restriction. optional, max 4096 bytes.
enforced boolean true if the IP restriction will be enforce. if false, only warnings will be issued
type string the type of IP restriction. this defines what traffic will be restricted with the attached policies. four values are currently supported: dashboard, api, agent, and endpoints
ip_policies Ref the set of IP policies that are used to enforce the restriction
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Delete IP Restriction

Delete an IP restriction

Request
DELETE/ip_restrictions/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_restrictions/ipx_1jE2ctaSaOsn67MHehmKpjjM6FN
Response

Returns a 204 response with no body on success

Get IP Restriction

Get detailed information about an IP restriction

Request
GET/ip_restrictions/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_restrictions/ipx_1jE2ctaSaOsn67MHehmKpjjM6FN
Response

Returns a 200 response on success

Example Response
{
  "id": "ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
  "uri": "https://api.ngrok.com/ip_restrictions/ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "",
  "metadata": "",
  "enforced": false,
  "type": "dashboard",
  "ip_policies": [
    {
      "id": "ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe"
    },
    {
      "id": "ipp_1jE2cvqBOAy2IDbX1SlKNYlpjRt",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cvqBOAy2IDbX1SlKNYlpjRt"
    }
  ]
}
Fields
id string unique identifier for this IP restriction
uri string URI of the IP restriction API resource
created_at string timestamp when the IP restriction was created, RFC 3339 format
description string human-readable description of this IP restriction. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP restriction. optional, max 4096 bytes.
enforced boolean true if the IP restriction will be enforce. if false, only warnings will be issued
type string the type of IP restriction. this defines what traffic will be restricted with the attached policies. four values are currently supported: dashboard, api, agent, and endpoints
ip_policies Ref the set of IP policies that are used to enforce the restriction
Ref fields
id string a resource identifier
uri string a uri for locating a resource

List IP Restrictions

List all IP restrictions on this account

Request
GET/ip_restrictions
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_restrictions
Response

Returns a 200 response on success

Example Response
{
  "ip_restrictions": [
    {
      "id": "ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
      "uri": "https://api.ngrok.com/ip_restrictions/ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
      "created_at": "2020-10-22T08:23:32Z",
      "description": "",
      "metadata": "",
      "enforced": false,
      "type": "dashboard",
      "ip_policies": [
        {
          "id": "ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe",
          "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe"
        }
      ]
    }
  ],
  "uri": "https://api.ngrok.com/ip_restrictions",
  "next_page_uri": null
}
Fields
ip_restrictions IPRestriction the list of all IP restrictions on this account
uri string URI of the IP resrtrictions list API resource
next_page_uri string URI of the next page, or null if there is no next page
IPRestriction fields
id string unique identifier for this IP restriction
uri string URI of the IP restriction API resource
created_at string timestamp when the IP restriction was created, RFC 3339 format
description string human-readable description of this IP restriction. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP restriction. optional, max 4096 bytes.
enforced boolean true if the IP restriction will be enforce. if false, only warnings will be issued
type string the type of IP restriction. this defines what traffic will be restricted with the attached policies. four values are currently supported: dashboard, api, agent, and endpoints
ip_policies Ref the set of IP policies that are used to enforce the restriction
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Update IP Restriction

Update attributes of an IP restriction by ID

Request
PATCH/ip_restrictions/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"ip_policy_ids":["ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe","ipp_1jE2cvqBOAy2IDbX1SlKNYlpjRt"]}' \
https://api.ngrok.com/ip_restrictions/ipx_1jE2ctaSaOsn67MHehmKpjjM6FN
Parameters
id string
description string human-readable description of this IP restriction. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP restriction. optional, max 4096 bytes.
enforced boolean true if the IP restriction will be enforce. if false, only warnings will be issued
ip_policy_ids List<string>
Response

Returns a 200 response on success

Example Response
{
  "id": "ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
  "uri": "https://api.ngrok.com/ip_restrictions/ipx_1jE2ctaSaOsn67MHehmKpjjM6FN",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "",
  "metadata": "",
  "enforced": false,
  "type": "dashboard",
  "ip_policies": [
    {
      "id": "ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cpgt4SeHuqUOwjmvOJTIbQe"
    },
    {
      "id": "ipp_1jE2cvqBOAy2IDbX1SlKNYlpjRt",
      "uri": "https://api.ngrok.com/ip_policies/ipp_1jE2cvqBOAy2IDbX1SlKNYlpjRt"
    }
  ]
}
Fields
id string unique identifier for this IP restriction
uri string URI of the IP restriction API resource
created_at string timestamp when the IP restriction was created, RFC 3339 format
description string human-readable description of this IP restriction. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP restriction. optional, max 4096 bytes.
enforced boolean true if the IP restriction will be enforce. if false, only warnings will be issued
type string the type of IP restriction. this defines what traffic will be restricted with the attached policies. four values are currently supported: dashboard, api, agent, and endpoints
ip_policies Ref the set of IP policies that are used to enforce the restriction
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Create IP Whitelist Entry

Create a new IP whitelist entry that will restrict traffic to all tunnel endpoints on the account.

Request
POST/ip_whitelist
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"outbound proxy servers","ip_net":"10.1.1.0/24"}' \
https://api.ngrok.com/ip_whitelist
Parameters
description string human-readable description of the source IPs for this IP whitelist entry. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP whitelist entry. optional, max 4096 bytes.
ip_net string an IP address or IP network range in CIDR notation (e.g. 10.1.1.1 or 10.1.0.0/16) of addresses that will be whitelisted to communicate with your tunnel endpoints
Response

Returns a 200 response on success

Example Response
{
  "id": "wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
  "uri": "https://api.ngrok.com/ip_whitelist/wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
  "created_at": "2020-10-22T08:23:31Z",
  "description": "outbound proxy servers",
  "metadata": "",
  "ip_net": "10.1.1.0/24"
}
Fields
id string unique identifier for this IP whitelist entry
uri string URI of the IP whitelist entry API resource
created_at string timestamp when the IP whitelist entry was created, RFC 3339 format
description string human-readable description of the source IPs for this IP whitelist entry. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP whitelist entry. optional, max 4096 bytes.
ip_net string an IP address or IP network range in CIDR notation (e.g. 10.1.1.1 or 10.1.0.0/16) of addresses that will be whitelisted to communicate with your tunnel endpoints

Delete IP Whitelist Entry

Delete an IP whitelist entry.

Request
DELETE/ip_whitelist/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_whitelist/wl_1jE2cmY9TxGvLx6glGbVi5EZTFk
Response

Returns a 204 response with no body on success

Get IP Whitelist Entry

Get detailed information about an IP whitelist entry by ID.

Request
GET/ip_whitelist/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_whitelist/wl_1jE2cmY9TxGvLx6glGbVi5EZTFk
Response

Returns a 200 response on success

Example Response
{
  "id": "wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
  "uri": "https://api.ngrok.com/ip_whitelist/wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
  "created_at": "2020-10-22T08:23:31Z",
  "description": "home office for alan",
  "metadata": "{\"type\": \"home office\", \"employee_name\": \"alan\"}",
  "ip_net": "10.1.1.0/24"
}
Fields
id string unique identifier for this IP whitelist entry
uri string URI of the IP whitelist entry API resource
created_at string timestamp when the IP whitelist entry was created, RFC 3339 format
description string human-readable description of the source IPs for this IP whitelist entry. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP whitelist entry. optional, max 4096 bytes.
ip_net string an IP address or IP network range in CIDR notation (e.g. 10.1.1.1 or 10.1.0.0/16) of addresses that will be whitelisted to communicate with your tunnel endpoints

List IP Whitelist

List all IP whitelist entries on this account

Request
GET/ip_whitelist
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ip_whitelist
Response

Returns a 200 response on success

Example Response
{
  "whitelist": [
    {
      "id": "wl_1jE2coRpHLaLJVj3kmMbAhHWIS0",
      "uri": "https://api.ngrok.com/ip_whitelist/wl_1jE2coRpHLaLJVj3kmMbAhHWIS0",
      "created_at": "2020-10-22T08:23:31Z",
      "description": "office wifi",
      "metadata": "",
      "ip_net": "78.3.12.121/32"
    },
    {
      "id": "wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
      "uri": "https://api.ngrok.com/ip_whitelist/wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
      "created_at": "2020-10-22T08:23:31Z",
      "description": "outbound proxy servers",
      "metadata": "",
      "ip_net": "10.1.1.0/24"
    }
  ],
  "uri": "https://api.ngrok.com/ip_whitelist",
  "next_page_uri": null
}
Fields
whitelist IPWhitelistEntry the list of all IP whitelist entries on this account
uri string URI of the IP whitelist API resource
next_page_uri string URI of the next page, or null if there is no next page
IPWhitelistEntry fields
id string unique identifier for this IP whitelist entry
uri string URI of the IP whitelist entry API resource
created_at string timestamp when the IP whitelist entry was created, RFC 3339 format
description string human-readable description of the source IPs for this IP whitelist entry. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP whitelist entry. optional, max 4096 bytes.
ip_net string an IP address or IP network range in CIDR notation (e.g. 10.1.1.1 or 10.1.0.0/16) of addresses that will be whitelisted to communicate with your tunnel endpoints

Update IP Whitelist Entry

Update attributes of an IP whitelist entry by ID

Request
PATCH/ip_whitelist/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"home office for alan","metadata":"{\"type\": \"home office\", \"employee_name\": \"alan\"}"}' \
https://api.ngrok.com/ip_whitelist/wl_1jE2cmY9TxGvLx6glGbVi5EZTFk
Parameters
id string
description string human-readable description of the source IPs for this IP whitelist entry. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP whitelist entry. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
  "uri": "https://api.ngrok.com/ip_whitelist/wl_1jE2cmY9TxGvLx6glGbVi5EZTFk",
  "created_at": "2020-10-22T08:23:31Z",
  "description": "home office for alan",
  "metadata": "{\"type\": \"home office\", \"employee_name\": \"alan\"}",
  "ip_net": "10.1.1.0/24"
}
Fields
id string unique identifier for this IP whitelist entry
uri string URI of the IP whitelist entry API resource
created_at string timestamp when the IP whitelist entry was created, RFC 3339 format
description string human-readable description of the source IPs for this IP whitelist entry. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this IP whitelist entry. optional, max 4096 bytes.
ip_net string an IP address or IP network range in CIDR notation (e.g. 10.1.1.1 or 10.1.0.0/16) of addresses that will be whitelisted to communicate with your tunnel endpoints

Replace Logging Module

Request
PUT/endpoint_configurations/{id}/logging
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"enabled":true,"event_stream_ids":["es_1lCDOjCj5z6Ney9fKpobNEFXZEG","es_1lCDOqSIg8AuyOhLBlEfcs5QfJo"]}' \
https://api.ngrok.com/endpoint_configurations/ec_1lCDOdO0BSiSS7MsngBQd59b4Wg/logging
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_stream_ids List<string> list of all EventStreams that will be used to configure and export this endpoint's logs
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "event_streams": [
    {
      "id": "es_1lCDOjCj5z6Ney9fKpobNEFXZEG",
      "uri": "https://api.ngrok.com/event_streams/es_1lCDOjCj5z6Ney9fKpobNEFXZEG"
    },
    {
      "id": "es_1lCDOqSIg8AuyOhLBlEfcs5QfJo",
      "uri": "https://api.ngrok.com/event_streams/es_1lCDOqSIg8AuyOhLBlEfcs5QfJo"
    }
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_streams Ref list of all EventStreams that will be used to configure and export this endpoint's logs
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Get Logging Module

Request
GET/endpoint_configurations/{id}/logging
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1lCDOdO0BSiSS7MsngBQd59b4Wg/logging
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "event_streams": [
    {
      "id": "es_1lCDOjCj5z6Ney9fKpobNEFXZEG",
      "uri": "https://api.ngrok.com/event_streams/es_1lCDOjCj5z6Ney9fKpobNEFXZEG"
    },
    {
      "id": "es_1lCDOqSIg8AuyOhLBlEfcs5QfJo",
      "uri": "https://api.ngrok.com/event_streams/es_1lCDOqSIg8AuyOhLBlEfcs5QfJo"
    }
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
event_streams Ref list of all EventStreams that will be used to configure and export this endpoint's logs
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Delete Logging Module

Request
DELETE/endpoint_configurations/{id}/logging
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1lCDOdO0BSiSS7MsngBQd59b4Wg/logging
Response

Returns a 204 response with no body on success

Replace Mutual TLS Module

Request
PUT/endpoint_configurations/{id}/mutual_tls
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"enabled":true,"certificate_authority_ids":["ca_1jE2cirmhVyB4aHwf5VUiWzbTty"]}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/mutual_tls
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authority_ids List<string> list of certificate authorities that will be used to validate the TLS client certificate presnted by the initiatiator of the TLS connection
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "certificate_authorities": [
    {
      "id": "ca_1jE2cirmhVyB4aHwf5VUiWzbTty",
      "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cirmhVyB4aHwf5VUiWzbTty"
    }
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authorities Ref PEM-encoded CA certificates that will be used to validate. Multiple CAs may be provided by concatenating them together.
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Get Mutual TLS Module

Request
GET/endpoint_configurations/{id}/mutual_tls
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/mutual_tls
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "certificate_authorities": [
    {
      "id": "ca_1jE2cirmhVyB4aHwf5VUiWzbTty",
      "uri": "https://api.ngrok.com/certificate_authorities/ca_1jE2cirmhVyB4aHwf5VUiWzbTty"
    }
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
certificate_authorities Ref PEM-encoded CA certificates that will be used to validate. Multiple CAs may be provided by concatenating them together.
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Delete Mutual TLS Module

Request
DELETE/endpoint_configurations/{id}/mutual_tls
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/mutual_tls
Response

Returns a 204 response with no body on success

Replace OAuth Module

Request
PUT/endpoint_configurations/{id}/oauth
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"provider":{"google":{"client_id":"client-id","client_secret":"client-secret","scopes":["profile","email","https://www.googleapis.com/auth/gmail.compose"],"email_addresses":["alan@example.com"]}},"options_passthrough":true}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/oauth
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider parameters
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle parameters
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "provider": {
    "github": null,
    "facebook": null,
    "microsoft": null,
    "google": {
      "client_id": "client-id",
      "client_secret": "client-secret",
      "scopes": [
        "profile",
        "email",
        "https://www.googleapis.com/auth/gmail.compose"
      ],
      "email_addresses": [
        "alan@example.com"
      ],
      "email_domains": []
    }
  },
  "options_passthrough": true,
  "cookie_prefix": "ngrok.",
  "inactivity_timeout": 0,
  "maximum_duration": 0,
  "auth_check_interval": 0
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider fields
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint

Get OAuth Module

Request
GET/endpoint_configurations/{id}/oauth
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/oauth
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "provider": {
    "github": null,
    "facebook": null,
    "microsoft": null,
    "google": {
      "client_id": "client-id",
      "client_secret": "client-secret",
      "scopes": [
        "profile",
        "email",
        "https://www.googleapis.com/auth/gmail.compose"
      ],
      "email_addresses": [
        "alan@example.com"
      ],
      "email_domains": []
    }
  },
  "options_passthrough": true,
  "cookie_prefix": "ngrok.",
  "inactivity_timeout": 0,
  "maximum_duration": 0,
  "auth_check_interval": 0
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider EndpointOAuthProvider an object which defines the identity provider to use for authentication and configuration for who may access the endpoint
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
auth_check_interval uint32 Integer number of seconds after which ngrok guarantees it will refresh user state from the identity provider and recheck whether the user is still authorized to access the endpoint. This is the preferred tunable to use to enforce a minimum amount of time after which a revoked user will no longer be able to access the resource.
EndpointOAuthProvider fields
github EndpointOAuthGitHub configuration for using github as the identity provider
facebook EndpointOAuthFacebook configuration for using facebook as the identity provider
microsoft EndpointOAuthMicrosoft configuration for using microsoft as the identity provider
google EndpointOAuthGoogle configuration for using google as the identity provider
EndpointOAuthGitHub fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
teams List<string> a list of github teams identifiers. users will be allowed access to the endpoint if they are a member of any of these teams. identifiers should be in the 'slug' format qualified with the org name, e.g. org-name/team-name
organizations List<string> a list of github org identifiers. users who are members of any of the listed organizations will be allowed access. identifiers should be the organization's 'slug'
EndpointOAuthFacebook fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthMicrosoft fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint
EndpointOAuthGoogle fields
client_id string the OAuth app client ID. retrieve it from the identity provider's dashboard where you created your own OAuth app. optional. if unspecified, ngrok will use its own managed oauth application which has additional restrictions. see the OAuth module docs for more details. if present, client_secret must be present as well.
client_secret string the OAuth app client secret. retrieve if from the identity provider's dashboard where you created your own OAuth app. optional, see all of the caveats in the docs for client_id.
scopes List<string> a list of provider-specific OAuth scopes with the permissions your OAuth app would like to ask for. these may not be set if you are using the ngrok-managed oauth app (i.e. you must pass both client_id and client_secret to set scopes)
email_addresses List<string> a list of email addresses of users authenticated by identity provider who are allowed access to the endpoint
email_domains List<string> a list of email domains of users authenticated by identity provider who are allowed access to the endpoint

Delete OAuth Module

Request
DELETE/endpoint_configurations/{id}/oauth
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/oauth
Response

Returns a 204 response with no body on success

Replace OIDC Module

Request
PUT/endpoint_configurations/{id}/oidc
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"enabled":true,"issuer":"https://accounts.google.com","client_id":"some-client-id","client_secret":"some-client-secret","scopes":["profile"]}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/oidc
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "options_passthrough": false,
  "cookie_prefix": "",
  "inactivity_timeout": 0,
  "maximum_duration": 0,
  "issuer": "https://accounts.google.com",
  "client_id": "some-client-id",
  "client_secret": "some-client-secret",
  "scopes": [
    "profile"
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.

Get OIDC Module

Request
GET/endpoint_configurations/{id}/oidc
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/oidc
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "options_passthrough": false,
  "cookie_prefix": "",
  "inactivity_timeout": 0,
  "maximum_duration": 0,
  "issuer": "https://accounts.google.com",
  "client_id": "some-client-id",
  "client_secret": "some-client-secret",
  "scopes": [
    "profile"
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
issuer string URL of the OIDC "OpenID provider". This is the base URL used for discovery.
client_id string The OIDC app's client ID and OIDC audience.
client_secret string The OIDC app's client secret.
scopes List<string> The set of scopes to request from the OIDC identity provider.

Delete OIDC Module

Request
DELETE/endpoint_configurations/{id}/oidc
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/oidc
Response

Returns a 204 response with no body on success

Replace Request Headers Module

Request
PUT/endpoint_configurations/{id}/request_headers
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"add":{"X-Baz":"qux","X-Foo":"bar"},"remove":["X-Internal-Header"]}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/request_headers
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "add": {
    "x-baz": "qux",
    "x-foo": "bar"
  },
  "remove": [
    "x-internal-header"
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server

Get Request Headers Module

Request
GET/endpoint_configurations/{id}/request_headers
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/request_headers
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "add": {
    "x-baz": "qux",
    "x-foo": "bar"
  },
  "remove": [
    "x-internal-header"
  ]
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Request before being sent to the upstream application server
remove List<string> a list of header names that will be removed from the HTTP Request before being sent to the upstream application server

Delete Request Headers Module

Request
DELETE/endpoint_configurations/{id}/request_headers
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/request_headers
Response

Returns a 204 response with no body on success

Create Reserved Address

Create a new reserved address.

Request
POST/reserved_addrs
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"SSH for device #001","region":"us"}' \
https://api.ngrok.com/reserved_addrs
Parameters
description string human-readable description of what this reserved address will be used for
metadata string arbitrary user-defined machine-readable data of this reserved address. Optional, max 4096 bytes.
region string reserve the address in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
endpoint_configuration_id string ID of an endpoint configuration of type tcp that will be used to handle inbound traffic to this address
Response

Returns a 200 response on success

Example Response
{
  "id": "ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
  "uri": "https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "SSH for device #001",
  "metadata": "",
  "addr": "1.tcp.ngrok.io:20005",
  "region": "us",
  "endpoint_configuration": null
}
Fields
id string unique reserved address resource identifier
uri string URI of the reserved address API resource
created_at string timestamp when the reserved address was created, RFC 3339 format
description string human-readable description of what this reserved address will be used for
metadata string arbitrary user-defined machine-readable data of this reserved address. Optional, max 4096 bytes.
addr string hostname:port of the reserved address that was assigned at creation time
region string reserve the address in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
endpoint_configuration Ref object reference to the endpoint configuration that will be applied to traffic to this address
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Delete Reserved Address

Delete a reserved address.

Request
DELETE/reserved_addrs/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj
Response

Returns a 204 response with no body on success

Get Reserved Address

Get the details of a reserved address.

Request
GET/reserved_addrs/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj
Response

Returns a 200 response on success

Example Response
{
  "id": "ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
  "uri": "https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "SSH for device #001",
  "metadata": "{\"proto\": \"ssh\"}",
  "addr": "1.tcp.ngrok.io:20005",
  "region": "us",
  "endpoint_configuration": {
    "id": "ec_1jE2cC3SCN5t9NREDrfrKHGqoIm",
    "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cC3SCN5t9NREDrfrKHGqoIm"
  }
}
Fields
id string unique reserved address resource identifier
uri string URI of the reserved address API resource
created_at string timestamp when the reserved address was created, RFC 3339 format
description string human-readable description of what this reserved address will be used for
metadata string arbitrary user-defined machine-readable data of this reserved address. Optional, max 4096 bytes.
addr string hostname:port of the reserved address that was assigned at creation time
region string reserve the address in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
endpoint_configuration Ref object reference to the endpoint configuration that will be applied to traffic to this address
Ref fields
id string a resource identifier
uri string a uri for locating a resource

List Reserved Addresses

List all reserved addresses on this account.

Request
GET/reserved_addrs
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_addrs
Response

Returns a 200 response on success

Example Response
{
  "reserved_addrs": [
    {
      "id": "ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
      "uri": "https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
      "created_at": "2020-10-22T08:23:27Z",
      "description": "SSH for device #001",
      "metadata": "",
      "addr": "1.tcp.ngrok.io:20005",
      "region": "us",
      "endpoint_configuration": null
    }
  ],
  "uri": "https://api.ngrok.com/reserved_addrs",
  "next_page_uri": null
}
Fields
reserved_addrs ReservedAddr the list of all reserved addresses on this account
uri string URI of the reserved address list API resource
next_page_uri string URI of the next page, or null if there is no next page
ReservedAddr fields
id string unique reserved address resource identifier
uri string URI of the reserved address API resource
created_at string timestamp when the reserved address was created, RFC 3339 format
description string human-readable description of what this reserved address will be used for
metadata string arbitrary user-defined machine-readable data of this reserved address. Optional, max 4096 bytes.
addr string hostname:port of the reserved address that was assigned at creation time
region string reserve the address in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
endpoint_configuration Ref object reference to the endpoint configuration that will be applied to traffic to this address
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Update Reserved Address

Update the attributes of a reserved address.

Request
PATCH/reserved_addrs/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"proto\": \"ssh\"}","endpoint_configuration_id":"ec_1jE2cC3SCN5t9NREDrfrKHGqoIm"}' \
https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj
Parameters
id string
description string human-readable description of what this reserved address will be used for
metadata string arbitrary user-defined machine-readable data of this reserved address. Optional, max 4096 bytes.
endpoint_configuration_id string ID of an endpoint configuration of type tcp that will be used to handle inbound traffic to this address
Response

Returns a 200 response on success

Example Response
{
  "id": "ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
  "uri": "https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "SSH for device #001",
  "metadata": "{\"proto\": \"ssh\"}",
  "addr": "1.tcp.ngrok.io:20005",
  "region": "us",
  "endpoint_configuration": {
    "id": "ec_1jE2cC3SCN5t9NREDrfrKHGqoIm",
    "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cC3SCN5t9NREDrfrKHGqoIm"
  }
}
Fields
id string unique reserved address resource identifier
uri string URI of the reserved address API resource
created_at string timestamp when the reserved address was created, RFC 3339 format
description string human-readable description of what this reserved address will be used for
metadata string arbitrary user-defined machine-readable data of this reserved address. Optional, max 4096 bytes.
addr string hostname:port of the reserved address that was assigned at creation time
region string reserve the address in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
endpoint_configuration Ref object reference to the endpoint configuration that will be applied to traffic to this address
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Detach Endpoint Configuration from Reserved Address

Detach the endpoint configuration attached to a reserved address.

Request
DELETE/reserved_addrs/{id}/endpoint_configuration
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_addrs/ra_1jE2H6jQ3pWUjFKIyhe60hWeqZj/endpoint_configuration
Response

Returns a 204 response with no body on success

Create Reserved Domain

Create a new reserved domain.

Request
POST/reserved_domains
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"name":"myapp.mydomain.com","region":"us","certificate_id":"cert_1jE2cCun8MNOoQFecTJHFrsaSjy"}' \
https://api.ngrok.com/reserved_domains
Parameters
name string the domain name to reserve. It may be a full domain name like app.example.com. If the name does not contain a '.' it will reserve that subdomain on ngrok.io.
region string reserve the domain in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
description string human-readable description of what this reserved domain will be used for
metadata string arbitrary user-defined machine-readable data of this reserved domain. Optional, max 4096 bytes.
http_endpoint_configuration_id string ID of an endpoint configuration of type http that will be used to handle inbound http traffic to this domain
https_endpoint_configuration_id string ID of an endpoint configuration of type https that will be used to handle inbound https traffic to this domain
certificate_id string ID of a user-uploaded TLS certificate to use for connections to targeting this domain. Optional, mutually exclusive with `certificate_management_policy`.
certificate_management_policy ReservedDomainCertPolicy configuration for automatic management of TLS certificates for this domain, or null if automatic management is disabled. Optional, mutually exclusive with `certificate_id`.
ReservedDomainCertPolicy parameters
authority string certificate authority to request certificates from. The only supported value is letsencrypt.
private_key_type string type of private key to use when requesting certificates. Defaults to rsa, can be either rsa or ecdsa.
Response

Returns a 200 response on success

Example Response
{
  "id": "rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
  "uri": "https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "",
  "metadata": "",
  "domain": "myapp.mydomain.com",
  "region": "us",
  "cname_target": "mipw9djn.cname.us.ngrok.io",
  "http_endpoint_configuration": null,
  "https_endpoint_configuration": null,
  "certificate": {
    "id": "cert_1jE2cCun8MNOoQFecTJHFrsaSjy",
    "uri": "https://api.ngrok.com/tls_certificates/cert_1jE2cCun8MNOoQFecTJHFrsaSjy"
  },
  "certificate_management_policy": null,
  "certificate_management_status": null
}
Fields
id string unique reserved domain resource identifier
uri string URI of the reserved domain API resource
created_at string timestamp when the reserved domain was created, RFC 3339 format
description string human-readable description of what this reserved domain will be used for
metadata string arbitrary user-defined machine-readable data of this reserved domain. Optional, max 4096 bytes.
domain string hostname of the reserved domain
region string reserve the domain in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
cname_target string DNS CNAME target for a custom hostname, or null if the reserved domain is a subdomain of *.ngrok.io
http_endpoint_configuration Ref object referencing the endpoint configuration applied to http traffic on this domain
https_endpoint_configuration Ref object referencing the endpoint configuration applied to https traffic on this domain
certificate Ref object referencing the TLS certificate used for connections to this domain. This can be either a user-uploaded certificate, the most recently issued automatic one, or null otherwise.
certificate_management_policy ReservedDomainCertPolicy configuration for automatic management of TLS certificates for this domain, or null if automatic management is disabled
certificate_management_status ReservedDomainCertStatus status of the automatic certificate management for this domain, or null if automatic management is disabled
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
ReservedDomainCertPolicy fields
authority string certificate authority to request certificates from. The only supported value is letsencrypt.
private_key_type string type of private key to use when requesting certificates. Defaults to rsa, can be either rsa or ecdsa.
ReservedDomainCertStatus fields
renews_at string timestamp when the next renewal will be requested, RFC 3339 format
provisioning_job ReservedDomainCertJob status of the certificate provisioning job, or null if the certificiate isn't being provisioned or renewed
ReservedDomainCertJob fields
error_code string if present, an error code indicating why provisioning is failing. It may be either a temporary condition (INTERNAL_ERROR), or a permanent one the user must correct (DNS_ERROR).
msg string a message describing the current status or error
started_at string timestamp when the provisioning job started, RFC 3339 format
retries_at string timestamp when the provisioning job will be retried
ns_targets ReservedDomainCertNSTarget if present, indicates the dns nameservers that the user must configure to complete the provisioning process of a wildcard certificate
ReservedDomainCertNSTarget fields
zone string the zone that the nameservers need to be applied to
nameservers List<string> the nameservers the user must add

Delete Reserved Domain

Delete a reserved domain.

Request
DELETE/reserved_domains/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA
Response

Returns a 204 response with no body on success

Get Reserved Domain

Get the details of a reserved domain.

Request
GET/reserved_domains/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA
Response

Returns a 200 response on success

Example Response
{
  "id": "rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
  "uri": "https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "point-of-sale new york #302",
  "metadata": "{env: \"staging\", \"connector_id\":\"64698fcc-5f5c-4b63-910e-8669d04bd943\"}",
  "domain": "myapp.mydomain.com",
  "region": "us",
  "cname_target": "mipw9djn.cname.us.ngrok.io",
  "http_endpoint_configuration": {
    "id": "ec_1jE2cBthABBCADJopvpknPr7Lyr",
    "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cBthABBCADJopvpknPr7Lyr"
  },
  "https_endpoint_configuration": {
    "id": "ec_1jE2cDpizqhlG5ZlSAdUgqwlbyU",
    "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cDpizqhlG5ZlSAdUgqwlbyU"
  },
  "certificate": null,
  "certificate_management_policy": {
    "authority": "letsencrypt",
    "private_key_type": "ecdsa"
  },
  "certificate_management_status": null
}
Fields
id string unique reserved domain resource identifier
uri string URI of the reserved domain API resource
created_at string timestamp when the reserved domain was created, RFC 3339 format
description string human-readable description of what this reserved domain will be used for
metadata string arbitrary user-defined machine-readable data of this reserved domain. Optional, max 4096 bytes.
domain string hostname of the reserved domain
region string reserve the domain in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
cname_target string DNS CNAME target for a custom hostname, or null if the reserved domain is a subdomain of *.ngrok.io
http_endpoint_configuration Ref object referencing the endpoint configuration applied to http traffic on this domain
https_endpoint_configuration Ref object referencing the endpoint configuration applied to https traffic on this domain
certificate Ref object referencing the TLS certificate used for connections to this domain. This can be either a user-uploaded certificate, the most recently issued automatic one, or null otherwise.
certificate_management_policy ReservedDomainCertPolicy configuration for automatic management of TLS certificates for this domain, or null if automatic management is disabled
certificate_management_status ReservedDomainCertStatus status of the automatic certificate management for this domain, or null if automatic management is disabled
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
ReservedDomainCertPolicy fields
authority string certificate authority to request certificates from. The only supported value is letsencrypt.
private_key_type string type of private key to use when requesting certificates. Defaults to rsa, can be either rsa or ecdsa.
ReservedDomainCertStatus fields
renews_at string timestamp when the next renewal will be requested, RFC 3339 format
provisioning_job ReservedDomainCertJob status of the certificate provisioning job, or null if the certificiate isn't being provisioned or renewed
ReservedDomainCertJob fields
error_code string if present, an error code indicating why provisioning is failing. It may be either a temporary condition (INTERNAL_ERROR), or a permanent one the user must correct (DNS_ERROR).
msg string a message describing the current status or error
started_at string timestamp when the provisioning job started, RFC 3339 format
retries_at string timestamp when the provisioning job will be retried
ns_targets ReservedDomainCertNSTarget if present, indicates the dns nameservers that the user must configure to complete the provisioning process of a wildcard certificate
ReservedDomainCertNSTarget fields
zone string the zone that the nameservers need to be applied to
nameservers List<string> the nameservers the user must add

List Reserved Domains

List all reserved domains on this account.

Request
GET/reserved_domains
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_domains
Response

Returns a 200 response on success

Example Response
{
  "reserved_domains": [
    {
      "id": "rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
      "uri": "https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
      "created_at": "2020-10-22T08:23:27Z",
      "description": "",
      "metadata": "",
      "domain": "myapp.mydomain.com",
      "region": "us",
      "cname_target": "mipw9djn.cname.us.ngrok.io",
      "http_endpoint_configuration": null,
      "https_endpoint_configuration": null,
      "certificate": {
        "id": "cert_1jE2cCun8MNOoQFecTJHFrsaSjy",
        "uri": "https://api.ngrok.com/tls_certificates/cert_1jE2cCun8MNOoQFecTJHFrsaSjy"
      },
      "certificate_management_policy": null,
      "certificate_management_status": null
    },
    {
      "id": "rd_1jE2cDxHCJtuvAS8nvvWHtNRSf3",
      "uri": "https://api.ngrok.com/reserved_domains/rd_1jE2cDxHCJtuvAS8nvvWHtNRSf3",
      "created_at": "2020-10-22T08:23:27Z",
      "description": "Device 0001 Dashboard",
      "metadata": "{\"service\": \"dashboard\"}",
      "domain": "manage-0001.app.example.com",
      "region": "us",
      "cname_target": "2lvpbkyn7.cname.us.ngrok.io",
      "http_endpoint_configuration": null,
      "https_endpoint_configuration": null,
      "certificate": null,
      "certificate_management_policy": null,
      "certificate_management_status": null
    }
  ],
  "uri": "https://api.ngrok.com/reserved_domains",
  "next_page_uri": null
}
Fields
reserved_domains ReservedDomain the list of all reserved domains on this account
uri string URI of the reserved domain list API resource
next_page_uri string URI of the next page, or null if there is no next page
ReservedDomain fields
id string unique reserved domain resource identifier
uri string URI of the reserved domain API resource
created_at string timestamp when the reserved domain was created, RFC 3339 format
description string human-readable description of what this reserved domain will be used for
metadata string arbitrary user-defined machine-readable data of this reserved domain. Optional, max 4096 bytes.
domain string hostname of the reserved domain
region string reserve the domain in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
cname_target string DNS CNAME target for a custom hostname, or null if the reserved domain is a subdomain of *.ngrok.io
http_endpoint_configuration Ref object referencing the endpoint configuration applied to http traffic on this domain
https_endpoint_configuration Ref object referencing the endpoint configuration applied to https traffic on this domain
certificate Ref object referencing the TLS certificate used for connections to this domain. This can be either a user-uploaded certificate, the most recently issued automatic one, or null otherwise.
certificate_management_policy ReservedDomainCertPolicy configuration for automatic management of TLS certificates for this domain, or null if automatic management is disabled
certificate_management_status ReservedDomainCertStatus status of the automatic certificate management for this domain, or null if automatic management is disabled
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
ReservedDomainCertPolicy fields
authority string certificate authority to request certificates from. The only supported value is letsencrypt.
private_key_type string type of private key to use when requesting certificates. Defaults to rsa, can be either rsa or ecdsa.
ReservedDomainCertStatus fields
renews_at string timestamp when the next renewal will be requested, RFC 3339 format
provisioning_job ReservedDomainCertJob status of the certificate provisioning job, or null if the certificiate isn't being provisioned or renewed
ReservedDomainCertJob fields
error_code string if present, an error code indicating why provisioning is failing. It may be either a temporary condition (INTERNAL_ERROR), or a permanent one the user must correct (DNS_ERROR).
msg string a message describing the current status or error
started_at string timestamp when the provisioning job started, RFC 3339 format
retries_at string timestamp when the provisioning job will be retried
ns_targets ReservedDomainCertNSTarget if present, indicates the dns nameservers that the user must configure to complete the provisioning process of a wildcard certificate
ReservedDomainCertNSTarget fields
zone string the zone that the nameservers need to be applied to
nameservers List<string> the nameservers the user must add

Update Reserved Domain

Update the attributes of a reserved domain.

Request
PATCH/reserved_domains/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"point-of-sale new york #302","metadata":"{env: \"staging\", \"connector_id\":\"64698fcc-5f5c-4b63-910e-8669d04bd943\"}","http_endpoint_configuration_id":"ec_1jE2cBthABBCADJopvpknPr7Lyr","https_endpoint_configuration_id":"ec_1jE2cDpizqhlG5ZlSAdUgqwlbyU","certificate_management_policy":{"authority":"letsencrypt"}}' \
https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA
Parameters
id string
description string human-readable description of what this reserved domain will be used for
metadata string arbitrary user-defined machine-readable data of this reserved domain. Optional, max 4096 bytes.
http_endpoint_configuration_id string ID of an endpoint configuration of type http that will be used to handle inbound http traffic to this domain
https_endpoint_configuration_id string ID of an endpoint configuration of type https that will be used to handle inbound https traffic to this domain
certificate_id string ID of a user-uploaded TLS certificate to use for connections to targeting this domain. Optional, mutually exclusive with `certificate_management_policy`.
certificate_management_policy ReservedDomainCertPolicy configuration for automatic management of TLS certificates for this domain, or null if automatic management is disabled. Optional, mutually exclusive with `certificate_id`.
ReservedDomainCertPolicy parameters
authority string certificate authority to request certificates from. The only supported value is letsencrypt.
private_key_type string type of private key to use when requesting certificates. Defaults to rsa, can be either rsa or ecdsa.
Response

Returns a 200 response on success

Example Response
{
  "id": "rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
  "uri": "https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "point-of-sale new york #302",
  "metadata": "{env: \"staging\", \"connector_id\":\"64698fcc-5f5c-4b63-910e-8669d04bd943\"}",
  "domain": "myapp.mydomain.com",
  "region": "us",
  "cname_target": "mipw9djn.cname.us.ngrok.io",
  "http_endpoint_configuration": {
    "id": "ec_1jE2cBthABBCADJopvpknPr7Lyr",
    "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cBthABBCADJopvpknPr7Lyr"
  },
  "https_endpoint_configuration": {
    "id": "ec_1jE2cDpizqhlG5ZlSAdUgqwlbyU",
    "uri": "https://api.ngrok.com/endpoint_configurations/ec_1jE2cDpizqhlG5ZlSAdUgqwlbyU"
  },
  "certificate": null,
  "certificate_management_policy": {
    "authority": "letsencrypt",
    "private_key_type": "ecdsa"
  },
  "certificate_management_status": null
}
Fields
id string unique reserved domain resource identifier
uri string URI of the reserved domain API resource
created_at string timestamp when the reserved domain was created, RFC 3339 format
description string human-readable description of what this reserved domain will be used for
metadata string arbitrary user-defined machine-readable data of this reserved domain. Optional, max 4096 bytes.
domain string hostname of the reserved domain
region string reserve the domain in this geographic ngrok datacenter. Optional, default is us. (au, eu, ap, us, jp, in, sa)
cname_target string DNS CNAME target for a custom hostname, or null if the reserved domain is a subdomain of *.ngrok.io
http_endpoint_configuration Ref object referencing the endpoint configuration applied to http traffic on this domain
https_endpoint_configuration Ref object referencing the endpoint configuration applied to https traffic on this domain
certificate Ref object referencing the TLS certificate used for connections to this domain. This can be either a user-uploaded certificate, the most recently issued automatic one, or null otherwise.
certificate_management_policy ReservedDomainCertPolicy configuration for automatic management of TLS certificates for this domain, or null if automatic management is disabled
certificate_management_status ReservedDomainCertStatus status of the automatic certificate management for this domain, or null if automatic management is disabled
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
Ref fields
id string a resource identifier
uri string a uri for locating a resource
ReservedDomainCertPolicy fields
authority string certificate authority to request certificates from. The only supported value is letsencrypt.
private_key_type string type of private key to use when requesting certificates. Defaults to rsa, can be either rsa or ecdsa.
ReservedDomainCertStatus fields
renews_at string timestamp when the next renewal will be requested, RFC 3339 format
provisioning_job ReservedDomainCertJob status of the certificate provisioning job, or null if the certificiate isn't being provisioned or renewed
ReservedDomainCertJob fields
error_code string if present, an error code indicating why provisioning is failing. It may be either a temporary condition (INTERNAL_ERROR), or a permanent one the user must correct (DNS_ERROR).
msg string a message describing the current status or error
started_at string timestamp when the provisioning job started, RFC 3339 format
retries_at string timestamp when the provisioning job will be retried
ns_targets ReservedDomainCertNSTarget if present, indicates the dns nameservers that the user must configure to complete the provisioning process of a wildcard certificate
ReservedDomainCertNSTarget fields
zone string the zone that the nameservers need to be applied to
nameservers List<string> the nameservers the user must add

Detach Certificate Management Policy from Reserved Domain

Detach the certificate management policy attached to a reserved domain.

Request
DELETE/reserved_domains/{id}/certificate_management_policy
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA/certificate_management_policy
Response

Returns a 204 response with no body on success

Detach Certificate from Reserved Domain

Detach the certificate attached to a reserved domain.

Request
DELETE/reserved_domains/{id}/certificate
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA/certificate
Response

Returns a 204 response with no body on success

Detach HTTP Endpoint Configuration from Reserved Domain

Detach the http endpoint configuration attached to a reserved domain.

Request
DELETE/reserved_domains/{id}/http_endpoint_configuration
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA/http_endpoint_configuration
Response

Returns a 204 response with no body on success

Detach HTTPS Endpoint Configuration from Reserved Domain

Detach the https endpoint configuration attached to a reserved domain.

Request
DELETE/reserved_domains/{id}/https_endpoint_configuration
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/reserved_domains/rd_1jE2cJQ7pei38PTUIk4QUoMDxHA/https_endpoint_configuration
Response

Returns a 204 response with no body on success

Replace Response Headers Module

Request
PUT/endpoint_configurations/{id}/response_headers
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"add":{"Cache-Control":"no-cache, no-store","X-XSS-Protection":"1; mode=block"}}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/response_headers
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "add": {
    "cache-control": "no-cache, no-store",
    "x-xss-protection": "1; mode=block"
  },
  "remove": []
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client

Get Response Headers Module

Request
GET/endpoint_configurations/{id}/response_headers
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/response_headers
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "add": {
    "cache-control": "no-cache, no-store",
    "x-xss-protection": "1; mode=block"
  },
  "remove": []
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
add Map<string, string> a map of header key to header value that will be injected into the HTTP Response returned to the HTTP client
remove List<string> a list of header names that will be removed from the HTTP Response returned to the HTTP client

Delete Response Headers Module

Request
DELETE/endpoint_configurations/{id}/response_headers
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/response_headers
Response

Returns a 204 response with no body on success

Replace SAML Module

Request
PUT/endpoint_configurations/{id}/saml
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"enabled":true,"idp_metadata":"\n\u003cEntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2020-09-14T12:53:23.691Z\" cacheDuration=\"PT1M\" entityID=\"http://127.0.0.1:12345/metadata\"\u003e\u003cIDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"\u003e\u003cNameIDFormat\u003eurn:oasis:names:tc:SAML:2.0:nameid-format:transient\u003c/NameIDFormat\u003e\u003cSingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://127.0.0.1:12345/sso\"\u003e\u003c/SingleSignOnService\u003e\u003cSingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://127.0.0.1:12345/sso\"\u003e\u003c/SingleSignOnService\u003e\u003c/IDPSSODescriptor\u003e\u003c/EntityDescriptor\u003e\n"}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/saml
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "options_passthrough": false,
  "cookie_prefix": "",
  "inactivity_timeout": 0,
  "maximum_duration": 0,
  "idp_metadata_url": "",
  "idp_metadata": "\n\u003cEntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2020-09-14T12:53:23.691Z\" cacheDuration=\"PT1M\" entityID=\"http://127.0.0.1:12345/metadata\"\u003e\u003cIDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"\u003e\u003cNameIDFormat\u003eurn:oasis:names:tc:SAML:2.0:nameid-format:transient\u003c/NameIDFormat\u003e\u003cSingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://127.0.0.1:12345/sso\"\u003e\u003c/SingleSignOnService\u003e\u003cSingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://127.0.0.1:12345/sso\"\u003e\u003c/SingleSignOnService\u003e\u003c/IDPSSODescriptor\u003e\u003c/EntityDescriptor\u003e\n",
  "force_authn": false,
  "allow_idp_initiated": true,
  "authorized_groups": [],
  "entity_id": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV",
  "assertion_consumer_service_url": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV/acs",
  "single_logout_url": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV/slo",
  "request_signing_certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBAgIRAJ7pvSdNiyCkjpzpP844nFcwDQYJKoZIhvcNAQELBQAw\nRjFEMEIGA1UECgw7aHR0cHM6Ly9pZHAubmdyb2suY29tLmxhbi9zYW1sL18xakUy\nY2tWSTZzY25DNjNIWEE3Yml5WXptZ1YwIBcNMjAxMDIyMDgyMzMyWhgPMjA1NTEw\nMTQwODIzMzJaMEYxRDBCBgNVBAoMO2h0dHBzOi8vaWRwLm5ncm9rLmNvbS5sYW4v\nc2FtbC9fMWpFMmNrVkk2c2NuQzYzSFhBN2JpeVl6bWdWMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEA3n446x5PM5TWa2pgcoEwbl/wEizrv4TCzaNgixhT\nCvhF+2zIqtQYuYS7k1GJ/DpoGnIJFlhfb6F9vNXIwkz9T2neztX8vJub1P10yGqp\nPtzeBjHFMmp4+IQxRuNrqi9vkKmWcR4dt+kOKKf/tiEBj+WaVkdFo6FjpNuYy5zp\n92N81rdDS8r8qVtp3tTOy0iyttbT/3huCjcUPVwqY9tIwntrc21TkUm2EGKTYQeY\nWVvFqEuFyzWrlUoUE3W3cNJG7TXQxIbMuaMaUh4L1oBG5qAVUhO6xFACLWhU2QFu\n7ha3zIIxc9Lyr9Q6uH4UqNCTvA09rsb3khDXW2YLJ1bArwIDAQABozUwMzAOBgNV\nHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAN\nBgkqhkiG9w0BAQsFAAOCAQEAUbnGYSNWnd2surBJTN6oxkQJyArVUoRi9RgY06F7\nD/01p2l5Rv/6n2AYitj3xTlBNxIRRAR/30sR8N73jaB82J6/aiLqYHzs9xENnjYC\n2e8QmQjllix859hwrm2ZaNqI3EyBdB3JdgQBzgbJZsigr9znOiX/Tc8B+nW1fzSz\ndUyr0sI7CrqgNjjWdzRAOgCuowcR8dtbr5qvLQlAg1S0JKuV/VKXIr5cpQ1RjojQ\nyL5wic3lHHQE2VmfRdYQplEj9RKP2XbP7AeSS3QD2aOtTsTEebmbo8Hxpjxyzr96\n/HDZvXTviF+bGWcA4wLBEEFQFvrxz3nn4X4TVwfk1jop7g==\n-----END CERTIFICATE-----\n",
  "metadata_url": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV"
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_id string The SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_url string The public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_url string The public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pem string PEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_url string A public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.

Get SAML Module

Request
GET/endpoint_configurations/{id}/saml
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/saml
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "options_passthrough": false,
  "cookie_prefix": "",
  "inactivity_timeout": 0,
  "maximum_duration": 0,
  "idp_metadata_url": "",
  "idp_metadata": "\n\u003cEntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2020-09-14T12:53:23.691Z\" cacheDuration=\"PT1M\" entityID=\"http://127.0.0.1:12345/metadata\"\u003e\u003cIDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"\u003e\u003cNameIDFormat\u003eurn:oasis:names:tc:SAML:2.0:nameid-format:transient\u003c/NameIDFormat\u003e\u003cSingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://127.0.0.1:12345/sso\"\u003e\u003c/SingleSignOnService\u003e\u003cSingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://127.0.0.1:12345/sso\"\u003e\u003c/SingleSignOnService\u003e\u003c/IDPSSODescriptor\u003e\u003c/EntityDescriptor\u003e\n",
  "force_authn": false,
  "allow_idp_initiated": true,
  "authorized_groups": [],
  "entity_id": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV",
  "assertion_consumer_service_url": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV/acs",
  "single_logout_url": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV/slo",
  "request_signing_certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBAgIRAJ7pvSdNiyCkjpzpP844nFcwDQYJKoZIhvcNAQELBQAw\nRjFEMEIGA1UECgw7aHR0cHM6Ly9pZHAubmdyb2suY29tLmxhbi9zYW1sL18xakUy\nY2tWSTZzY25DNjNIWEE3Yml5WXptZ1YwIBcNMjAxMDIyMDgyMzMyWhgPMjA1NTEw\nMTQwODIzMzJaMEYxRDBCBgNVBAoMO2h0dHBzOi8vaWRwLm5ncm9rLmNvbS5sYW4v\nc2FtbC9fMWpFMmNrVkk2c2NuQzYzSFhBN2JpeVl6bWdWMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEA3n446x5PM5TWa2pgcoEwbl/wEizrv4TCzaNgixhT\nCvhF+2zIqtQYuYS7k1GJ/DpoGnIJFlhfb6F9vNXIwkz9T2neztX8vJub1P10yGqp\nPtzeBjHFMmp4+IQxRuNrqi9vkKmWcR4dt+kOKKf/tiEBj+WaVkdFo6FjpNuYy5zp\n92N81rdDS8r8qVtp3tTOy0iyttbT/3huCjcUPVwqY9tIwntrc21TkUm2EGKTYQeY\nWVvFqEuFyzWrlUoUE3W3cNJG7TXQxIbMuaMaUh4L1oBG5qAVUhO6xFACLWhU2QFu\n7ha3zIIxc9Lyr9Q6uH4UqNCTvA09rsb3khDXW2YLJ1bArwIDAQABozUwMzAOBgNV\nHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAN\nBgkqhkiG9w0BAQsFAAOCAQEAUbnGYSNWnd2surBJTN6oxkQJyArVUoRi9RgY06F7\nD/01p2l5Rv/6n2AYitj3xTlBNxIRRAR/30sR8N73jaB82J6/aiLqYHzs9xENnjYC\n2e8QmQjllix859hwrm2ZaNqI3EyBdB3JdgQBzgbJZsigr9znOiX/Tc8B+nW1fzSz\ndUyr0sI7CrqgNjjWdzRAOgCuowcR8dtbr5qvLQlAg1S0JKuV/VKXIr5cpQ1RjojQ\nyL5wic3lHHQE2VmfRdYQplEj9RKP2XbP7AeSS3QD2aOtTsTEebmbo8Hxpjxyzr96\n/HDZvXTviF+bGWcA4wLBEEFQFvrxz3nn4X4TVwfk1jop7g==\n-----END CERTIFICATE-----\n",
  "metadata_url": "https://idp.ngrok.com/saml/_1jE2ckVI6scnC63HXA7biyYzmgV"
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
options_passthrough boolean Do not enforce authentication on HTTP OPTIONS requests. necessary if you are supporting CORS.
cookie_prefix string the prefix of the session cookie that ngrok sets on the http client to cache authentication. default is 'ngrok.'
inactivity_timeout uint32 Integer number of seconds of inactivity after which if the user has not accessed the endpoint, their session will time out and they will be forced to reauthenticate.
maximum_duration uint32 Integer number of seconds of the maximum duration of an authenticated session. After this period is exceeded, a user must reauthenticate.
idp_metadata_url string The IdP's metadata URL which returns the XML IdP EntityDescriptor. The IdP's metadata URL specifies how to connect to the IdP as well as its public key which is then used to validate the signature on incoming SAML assertions to the ACS endpoint.
idp_metadata string The full XML IdP EntityDescriptor in bytes. This parameter is mutually exclusive with idp_metadata_url. It is recommended to use that parameter instead if the IdP exposes a metadata URL.
force_authn boolean If true, indicates that whenever we redirect a user to the IdP for authentication that the IdP must prompt the user for authentication credentials even if the user already has a valid session with the IdP.
allow_idp_initiated boolean If true, the IdP may initiate a login directly (e.g. the user does not need to visit the endpoint first and then be redirected). The IdP should set the RelayState parameter to the target URL of the resource they want the user to be redirected to after the SAML login assertion has been processed.
authorized_groups List<string> If present, only users who are a member of one of the listed groups may access the target endpoint.
entity_id string The SP Entity's unique ID. This always takes the form of a URL. In ngrok's implementation, this URL is the same as the metadata URL. This will need to be specified to the IdP as configuration.
assertion_consumer_service_url string The public URL of the SP's Assertion Consumer Service. This is where the IdP will redirect to during an authentication flow. This will need to be specified to the IdP as configuration.
single_logout_url string The public URL of the SP's Single Logout Service. This is where the IdP will redirect to during a single logout flow. This will optionally need to be specified to the IdP as configuration.
request_signing_certificate_pem string PEM-encoded x.509 certificate of the key pair that is used to sign all SAML requests that the ngrok SP makes to the IdP. Many IdPs do not support request signing verification, but we highly recommend specifying this in the IdP's configuration if it is supported.
metadata_url string A public URL where the SP's metadata is hosted. If an IdP supports dynamic configuration, this is the URL it can use to retrieve the SP metadata.

Delete SAML Module

Request
DELETE/endpoint_configurations/{id}/saml
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/saml
Response

Returns a 204 response with no body on success

Create SSH Certificate Authority

Create a new SSH Certificate Authority

Request
POST/ssh_certificate_authorities
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"Staging Environment Hosts","private_key_type":"ed25519"}' \
https://api.ngrok.com/ssh_certificate_authorities
Parameters
description string human-readable description of this SSH Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Certificate Authority. optional, max 4096 bytes.
private_key_type string the type of private key to generate. one of rsa, ecdsa, ed25519
elliptic_curve string the type of elliptic curve to use when creating an ECDSA key
key_size int64 the key size to use when creating an RSA key. one of 2048 or 4096
Response

Returns a 200 response on success

Example Response
{
  "id": "sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
  "uri": "https://api.ngrok.com/ssh_certificate_authorities/sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "Staging Environment Hosts",
  "metadata": "",
  "public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIhR0KNihoSZPjTPwtjpxwOdRyv4W+1eJIfickXRvB6t",
  "key_type": "ed25519"
}
Fields
id string unique identifier for this SSH Certificate Authority
uri string URI of the SSH Certificate Authority API resource
created_at string timestamp when the SSH Certificate Authority API resource was created, RFC 3339 format
description string human-readable description of this SSH Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Certificate Authority. optional, max 4096 bytes.
public_key string raw public key for this SSH Certificate Authority
key_type string the type of private key for this SSH Certificate Authority

Delete SSH Certificate Authority

Delete an SSH Certificate Authority

Request
DELETE/ssh_certificate_authorities/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_certificate_authorities/sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX
Response

Returns a 204 response with no body on success

Get SSH Certificate Authority

Get detailed information about an SSH Certficate Authority

Request
GET/ssh_certificate_authorities/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_certificate_authorities/sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX
Response

Returns a 200 response on success

Example Response
{
  "id": "sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
  "uri": "https://api.ngrok.com/ssh_certificate_authorities/sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "Staging Environment Hosts",
  "metadata": "{\"region\": \"us-east-1\"}",
  "public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIhR0KNihoSZPjTPwtjpxwOdRyv4W+1eJIfickXRvB6t",
  "key_type": "ed25519"
}
Fields
id string unique identifier for this SSH Certificate Authority
uri string URI of the SSH Certificate Authority API resource
created_at string timestamp when the SSH Certificate Authority API resource was created, RFC 3339 format
description string human-readable description of this SSH Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Certificate Authority. optional, max 4096 bytes.
public_key string raw public key for this SSH Certificate Authority
key_type string the type of private key for this SSH Certificate Authority

List SSH Certificate Authorities

List all SSH Certificate Authorities on this account

Request
GET/ssh_certificate_authorities
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_certificate_authorities
Response

Returns a 200 response on success

Example Response
{
  "ssh_certificate_authorities": [
    {
      "id": "sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
      "uri": "https://api.ngrok.com/ssh_certificate_authorities/sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
      "created_at": "2020-10-22T08:23:32Z",
      "description": "Staging Environment Hosts",
      "metadata": "",
      "public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIhR0KNihoSZPjTPwtjpxwOdRyv4W+1eJIfickXRvB6t",
      "key_type": "ed25519"
    }
  ],
  "uri": "https://api.ngrok.com/ssh_certificate_authorities",
  "next_page_uri": null
}
Fields
ssh_certificate_authorities SSHCertificateAuthority the list of all certificate authorities on this account
uri string URI of the certificates authorities list API resource
next_page_uri string URI of the next page, or null if there is no next page
SSHCertificateAuthority fields
id string unique identifier for this SSH Certificate Authority
uri string URI of the SSH Certificate Authority API resource
created_at string timestamp when the SSH Certificate Authority API resource was created, RFC 3339 format
description string human-readable description of this SSH Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Certificate Authority. optional, max 4096 bytes.
public_key string raw public key for this SSH Certificate Authority
key_type string the type of private key for this SSH Certificate Authority

Update SSH Certificate Authority

Update an SSH Certificate Authority

Request
PATCH/ssh_certificate_authorities/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"region\": \"us-east-1\"}"}' \
https://api.ngrok.com/ssh_certificate_authorities/sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX
Parameters
id string
description string human-readable description of this SSH Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Certificate Authority. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
  "uri": "https://api.ngrok.com/ssh_certificate_authorities/sshca_1jE2cqm1rp7Ck8nqgO0Ut4TShGX",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "Staging Environment Hosts",
  "metadata": "{\"region\": \"us-east-1\"}",
  "public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIhR0KNihoSZPjTPwtjpxwOdRyv4W+1eJIfickXRvB6t",
  "key_type": "ed25519"
}
Fields
id string unique identifier for this SSH Certificate Authority
uri string URI of the SSH Certificate Authority API resource
created_at string timestamp when the SSH Certificate Authority API resource was created, RFC 3339 format
description string human-readable description of this SSH Certificate Authority. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Certificate Authority. optional, max 4096 bytes.
public_key string raw public key for this SSH Certificate Authority
key_type string the type of private key for this SSH Certificate Authority

Create SSH Credential

Create a new ssh_credential from an uploaded public SSH key. This ssh credential can be used to start new tunnels via ngrok's SSH gateway.

Request
POST/ssh_credentials
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"for device #132","acl":["bind:1.tcp.ngrok.io:20002","bind:132.devices.company.com"],"public_key":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com"}' \
https://api.ngrok.com/ssh_credentials
Parameters
description string human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
public_key string the PEM-encoded public key of the SSH keypair that will be used to authenticate
Response

Returns a 200 response on success

Example Response
{
  "id": "sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
  "uri": "https://api.ngrok.com/ssh_credentials/sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
  "created_at": "2020-10-22T08:23:30Z",
  "description": "for device #132",
  "metadata": "",
  "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
  "acl": [
    "bind:1.tcp.ngrok.io:20002",
    "bind:132.devices.company.com"
  ]
}
Fields
id string unique ssh credential resource identifier
uri string URI of the ssh credential API resource
created_at string timestamp when the ssh credential was created, RFC 3339 format
description string human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_key string the PEM-encoded public key of the SSH keypair that will be used to authenticate
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

Delete SSH Credential

Delete an ssh_credential by ID

Request
DELETE/ssh_credentials/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt
Response

Returns a 204 response with no body on success

Get SSH Credential

Get detailed information about an ssh_credential

Request
GET/ssh_credentials/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt
Response

Returns a 200 response on success

Example Response
{
  "id": "sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
  "uri": "https://api.ngrok.com/ssh_credentials/sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
  "created_at": "2020-10-22T08:23:30Z",
  "description": "my dev machine",
  "metadata": "{\"hostname\": \"macbook.local\"}",
  "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
  "acl": [
    "bind:1.tcp.ngrok.io:20002",
    "bind:132.devices.company.com"
  ]
}
Fields
id string unique ssh credential resource identifier
uri string URI of the ssh credential API resource
created_at string timestamp when the ssh credential was created, RFC 3339 format
description string human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_key string the PEM-encoded public key of the SSH keypair that will be used to authenticate
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

List SSH Credentials

List all ssh credentials on this account

Request
GET/ssh_credentials
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials
Response

Returns a 200 response on success

Example Response
{
  "ssh_credentials": [
    {
      "id": "sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
      "uri": "https://api.ngrok.com/ssh_credentials/sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
      "created_at": "2020-10-22T08:23:30Z",
      "description": "for device #132",
      "metadata": "",
      "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
      "acl": [
        "bind:1.tcp.ngrok.io:20002",
        "bind:132.devices.company.com"
      ]
    }
  ],
  "uri": "https://api.ngrok.com/ssh_credentials",
  "next_page_uri": null
}
Fields
ssh_credentials SSHCredential the list of all ssh credentials on this account
uri string URI of the ssh credential list API resource
next_page_uri string URI of the next page, or null if there is no next page
SSHCredential fields
id string unique ssh credential resource identifier
uri string URI of the ssh credential API resource
created_at string timestamp when the ssh credential was created, RFC 3339 format
description string human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_key string the PEM-encoded public key of the SSH keypair that will be used to authenticate
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

Update SSH Credential

Update attributes of an ssh_credential by ID

Request
PATCH/ssh_credentials/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"my dev machine","metadata":"{\"hostname\": \"macbook.local\"}"}' \
https://api.ngrok.com/ssh_credentials/sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt
Parameters
id string
description string human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
Response

Returns a 200 response on success

Example Response
{
  "id": "sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
  "uri": "https://api.ngrok.com/ssh_credentials/sshcr_1jE2cgjQpg0nKoSqus2v7ugbzUt",
  "created_at": "2020-10-22T08:23:30Z",
  "description": "my dev machine",
  "metadata": "{\"hostname\": \"macbook.local\"}",
  "public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
  "acl": [
    "bind:1.tcp.ngrok.io:20002",
    "bind:132.devices.company.com"
  ]
}
Fields
id string unique ssh credential resource identifier
uri string URI of the ssh credential API resource
created_at string timestamp when the ssh credential was created, RFC 3339 format
description string human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_key string the PEM-encoded public key of the SSH keypair that will be used to authenticate
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

Create SSH Host Certificate

Create a new SSH Host Certificate

Request
POST/ssh_host_certificates
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"ssh_certificate_authority_id":"sshca_1jE2d1V4nKsN6ziVqBbjzZv8hcs","public_key":"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+Cgk= inconshreveable.com","principals":["inconshreveable.com","10.2.42.9"],"valid_until":"2021-01-20T08:23:33Z","description":"personal server"}' \
https://api.ngrok.com/ssh_host_certificates
Parameters
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh host certificate
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
principals List<string> the list of principals included in the ssh host certificate. This is the list of hostnames and/or IP addresses that are authorized to serve SSH traffic with this certificate. Dangerously, if no principals are specified, this certificate is considered valid for all hosts.
valid_after string The time when the host certificate becomes valid, in RFC 3339 format. Defaults to the current time if unspecified.
valid_until string The time when this host certificate becomes invalid, in RFC 3339 format. If unspecified, a default value of one year in the future will be used. The OpenSSH certificates RFC calls this valid_before.
description string human-readable description of this SSH Host Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Host Certificate. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
  "uri": "https://api.ngrok.com/ssh_host_certificates/shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
  "created_at": "2020-10-22T08:23:33Z",
  "description": "personal server",
  "metadata": "",
  "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+Cgk= inconshreveable.com",
  "key_type": "ecdsa",
  "ssh_certificate_authority_id": "sshca_1jE2d1V4nKsN6ziVqBbjzZv8hcs",
  "principals": [
    "inconshreveable.com",
    "10.2.42.9"
  ],
  "valid_after": "2020-10-22T08:23:33Z",
  "valid_until": "2021-01-20T08:23:33Z",
  "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgfH7mQIUU66Wdwf85MAdBFllKZ6HCQFefUOuXjwacnrAAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+CgkAAAAAAAAAAAAAAAIAAAAhc2hjcnRfMWpFMmQwSmt3ZVkxcHV5RVNoMjJDVlNHUTRkAAAAJAAAABNpbmNvbnNocmV2ZWFibGUuY29tAAAACTEwLjIuNDIuOQAAAABfkUGFAAAAAGAH6IUAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAINh+pPDo6XC72rA/SfUarvgWkBQaCTej6p1bSfqY9NATAAAAUwAAAAtzc2gtZWQyNTUxOQAAAECftXlg69qhKJkLCxidv5+AfWKdOGhxsTr1UbItX+ZmVlgp0S2I1A8jYyvpw9vvwh66yRYO5VyJJED/PA1f07kN shcrt_1jE2d0JkweY1puyESh22CVSGQ4d"
}
Fields
id string unique identifier for this SSH Host Certificate
uri string URI of the SSH Host Certificate API resource
created_at string timestamp when the SSH Host Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH Host Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Host Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh host certificate
principals List<string> the list of principals included in the ssh host certificate. This is the list of hostnames and/or IP addresses that are authorized to serve SSH traffic with this certificate. Dangerously, if no principals are specified, this certificate is considered valid for all hosts.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

Delete SSH Host Certificate

Delete an SSH Host Certificate

Request
DELETE/ssh_host_certificates/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_host_certificates/shcrt_1jE2d0JkweY1puyESh22CVSGQ4d
Response

Returns a 204 response with no body on success

Get SSH Host Certificate

Get detailed information about an SSH Host Certficate

Request
GET/ssh_host_certificates/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_host_certificates/shcrt_1jE2d0JkweY1puyESh22CVSGQ4d
Response

Returns a 200 response on success

Example Response
{
  "id": "shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
  "uri": "https://api.ngrok.com/ssh_host_certificates/shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
  "created_at": "2020-10-22T08:23:33Z",
  "description": "personal server",
  "metadata": "{\"region\": \"us-west-2\"}",
  "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+Cgk= inconshreveable.com",
  "key_type": "ecdsa",
  "ssh_certificate_authority_id": "sshca_1jE2d1V4nKsN6ziVqBbjzZv8hcs",
  "principals": [
    "inconshreveable.com",
    "10.2.42.9"
  ],
  "valid_after": "2020-10-22T08:23:33Z",
  "valid_until": "2021-01-20T08:23:33Z",
  "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgfH7mQIUU66Wdwf85MAdBFllKZ6HCQFefUOuXjwacnrAAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+CgkAAAAAAAAAAAAAAAIAAAAhc2hjcnRfMWpFMmQwSmt3ZVkxcHV5RVNoMjJDVlNHUTRkAAAAJAAAABNpbmNvbnNocmV2ZWFibGUuY29tAAAACTEwLjIuNDIuOQAAAABfkUGFAAAAAGAH6IUAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAINh+pPDo6XC72rA/SfUarvgWkBQaCTej6p1bSfqY9NATAAAAUwAAAAtzc2gtZWQyNTUxOQAAAECftXlg69qhKJkLCxidv5+AfWKdOGhxsTr1UbItX+ZmVlgp0S2I1A8jYyvpw9vvwh66yRYO5VyJJED/PA1f07kN shcrt_1jE2d0JkweY1puyESh22CVSGQ4d"
}
Fields
id string unique identifier for this SSH Host Certificate
uri string URI of the SSH Host Certificate API resource
created_at string timestamp when the SSH Host Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH Host Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Host Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh host certificate
principals List<string> the list of principals included in the ssh host certificate. This is the list of hostnames and/or IP addresses that are authorized to serve SSH traffic with this certificate. Dangerously, if no principals are specified, this certificate is considered valid for all hosts.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

List SSH Host Certificates

List all SSH Host Certificates issued on this account

Request
GET/ssh_host_certificates
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_host_certificates
Response

Returns a 200 response on success

Example Response
{
  "ssh_host_certificates": [
    {
      "id": "shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
      "uri": "https://api.ngrok.com/ssh_host_certificates/shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
      "created_at": "2020-10-22T08:23:33Z",
      "description": "personal server",
      "metadata": "",
      "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+Cgk= inconshreveable.com",
      "key_type": "ecdsa",
      "ssh_certificate_authority_id": "sshca_1jE2d1V4nKsN6ziVqBbjzZv8hcs",
      "principals": [
        "inconshreveable.com",
        "10.2.42.9"
      ],
      "valid_after": "2020-10-22T08:23:33Z",
      "valid_until": "2021-01-20T08:23:33Z",
      "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgfH7mQIUU66Wdwf85MAdBFllKZ6HCQFefUOuXjwacnrAAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+CgkAAAAAAAAAAAAAAAIAAAAhc2hjcnRfMWpFMmQwSmt3ZVkxcHV5RVNoMjJDVlNHUTRkAAAAJAAAABNpbmNvbnNocmV2ZWFibGUuY29tAAAACTEwLjIuNDIuOQAAAABfkUGFAAAAAGAH6IUAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAINh+pPDo6XC72rA/SfUarvgWkBQaCTej6p1bSfqY9NATAAAAUwAAAAtzc2gtZWQyNTUxOQAAAECftXlg69qhKJkLCxidv5+AfWKdOGhxsTr1UbItX+ZmVlgp0S2I1A8jYyvpw9vvwh66yRYO5VyJJED/PA1f07kN shcrt_1jE2d0JkweY1puyESh22CVSGQ4d"
    }
  ],
  "uri": "https://api.ngrok.com/ssh_host_certificates",
  "next_page_uri": null
}
Fields
ssh_host_certificates SSHHostCertificate the list of all ssh host certificates on this account
uri string URI of the ssh host certificates list API resource
next_page_uri string URI of the next page, or null if there is no next page
SSHHostCertificate fields
id string unique identifier for this SSH Host Certificate
uri string URI of the SSH Host Certificate API resource
created_at string timestamp when the SSH Host Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH Host Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Host Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh host certificate
principals List<string> the list of principals included in the ssh host certificate. This is the list of hostnames and/or IP addresses that are authorized to serve SSH traffic with this certificate. Dangerously, if no principals are specified, this certificate is considered valid for all hosts.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

Update SSH Host Certificate

Update an SSH Host Certificate

Request
PATCH/ssh_host_certificates/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"region\": \"us-west-2\"}"}' \
https://api.ngrok.com/ssh_host_certificates/shcrt_1jE2d0JkweY1puyESh22CVSGQ4d
Parameters
id string
description string human-readable description of this SSH Host Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Host Certificate. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
  "uri": "https://api.ngrok.com/ssh_host_certificates/shcrt_1jE2d0JkweY1puyESh22CVSGQ4d",
  "created_at": "2020-10-22T08:23:33Z",
  "description": "personal server",
  "metadata": "{\"region\": \"us-west-2\"}",
  "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+Cgk= inconshreveable.com",
  "key_type": "ecdsa",
  "ssh_certificate_authority_id": "sshca_1jE2d1V4nKsN6ziVqBbjzZv8hcs",
  "principals": [
    "inconshreveable.com",
    "10.2.42.9"
  ],
  "valid_after": "2020-10-22T08:23:33Z",
  "valid_until": "2021-01-20T08:23:33Z",
  "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgfH7mQIUU66Wdwf85MAdBFllKZ6HCQFefUOuXjwacnrAAAAAIbmlzdHAyNTYAAABBBI3oSgxrOEJ+tIJ/n6VYtxQIFvynqlOHpfOAJ4x4OfmMYDkbf8dr6RAuUSf+ZC2HMCujta7EjZ9t+6v08Ue+CgkAAAAAAAAAAAAAAAIAAAAhc2hjcnRfMWpFMmQwSmt3ZVkxcHV5RVNoMjJDVlNHUTRkAAAAJAAAABNpbmNvbnNocmV2ZWFibGUuY29tAAAACTEwLjIuNDIuOQAAAABfkUGFAAAAAGAH6IUAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAINh+pPDo6XC72rA/SfUarvgWkBQaCTej6p1bSfqY9NATAAAAUwAAAAtzc2gtZWQyNTUxOQAAAECftXlg69qhKJkLCxidv5+AfWKdOGhxsTr1UbItX+ZmVlgp0S2I1A8jYyvpw9vvwh66yRYO5VyJJED/PA1f07kN shcrt_1jE2d0JkweY1puyESh22CVSGQ4d"
}
Fields
id string unique identifier for this SSH Host Certificate
uri string URI of the SSH Host Certificate API resource
created_at string timestamp when the SSH Host Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH Host Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH Host Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh host certificate
principals List<string> the list of principals included in the ssh host certificate. This is the list of hostnames and/or IP addresses that are authorized to serve SSH traffic with this certificate. Dangerously, if no principals are specified, this certificate is considered valid for all hosts.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

Create SSH User Certificate

Create a new SSH User Certificate

Request
POST/ssh_user_certificates
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"ssh_certificate_authority_id":"sshca_1jE2czEdrMPXYxaCv0Xgg3FqvHA","public_key":"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0= alan@work-laptop","principals":["ec2-user","root"],"valid_until":"2021-01-20T08:23:33Z","description":"temporary access to staging machine"}' \
https://api.ngrok.com/ssh_user_certificates
Parameters
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh user certificate
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
principals List<string> the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizinig the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.
critical_options Map<string, string> A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec for additional details.
extensions Map<string, string> A map of extensions included in the certificate. Extensions are additional metadata that can be interpreted by the SSH server for any purpose. These can be used to permit or deny the ability to open a terminal, do port forwarding, x11 forwarding, and more. If unspecified, the certificate will include limited permissions with the following extension map: {"permit-pty": "", "permit-user-rc": ""} OpenSSH understands a number of predefined extensions. See the OpenSSH certificate protocol spec for additional details.
valid_after string The time when the user certificate becomes valid, in RFC 3339 format. Defaults to the current time if unspecified.
valid_until string The time when this host certificate becomes invalid, in RFC 3339 format. If unspecified, a default value of 24 hours will be used. The OpenSSH certificates RFC calls this valid_before.
description string human-readable description of this SSH User Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH User Certificate. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
  "uri": "https://api.ngrok.com/ssh_user_certificates/sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
  "created_at": "2020-10-22T08:23:33Z",
  "description": "temporary access to staging machine",
  "metadata": "",
  "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0= alan@work-laptop",
  "key_type": "ecdsa",
  "ssh_certificate_authority_id": "sshca_1jE2czEdrMPXYxaCv0Xgg3FqvHA",
  "principals": [
    "ec2-user",
    "root"
  ],
  "critical_options": {},
  "extensions": {
    "permit-pty": "",
    "permit-user-rc": ""
  },
  "valid_after": "2020-10-22T08:23:33Z",
  "valid_until": "2021-01-20T08:23:33Z",
  "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgiMCJnbmifvBJeGS4e1ZIUdH3cwoLELRTrnxGfZxILdUAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0AAAAAAAAAAAAAAAEAAAAhc3VjcnRfMWpFMmQwNnFNZW5Rdk5WOFNwWWpXVXNnZHJJAAAAFAAAAAhlYzItdXNlcgAAAARyb290AAAAAF+RQYUAAAAAYAfohQAAAAAAAAAoAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIALsnVk/XfXLwYODiCoY6ITyixec6Jj/GYw1IEvHaNd2AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDuxky261kTxSnUJHLtZaMprnSdkHQ/hx1UZD0jfGkGerpkOgKxpM0IuLwBlNqKtfgoOaGJkg605w93lz1fEl8M sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI"
}
Fields
id string unique identifier for this SSH User Certificate
uri string URI of the SSH User Certificate API resource
created_at string timestamp when the SSH User Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH User Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH User Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh user certificate
principals List<string> the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizinig the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.
critical_options Map<string, string> A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec for additional details.
extensions Map<string, string> A map of extensions included in the certificate. Extensions are additional metadata that can be interpreted by the SSH server for any purpose. These can be used to permit or deny the ability to open a terminal, do port forwarding, x11 forwarding, and more. If unspecified, the certificate will include limited permissions with the following extension map: {"permit-pty": "", "permit-user-rc": ""} OpenSSH understands a number of predefined extensions. See the OpenSSH certificate protocol spec for additional details.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys Format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

Delete SSH User Certificate

Delete an SSH User Certificate

Request
DELETE/ssh_user_certificates/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_user_certificates/sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI
Response

Returns a 204 response with no body on success

Get SSH User Certificate

Get detailed information about an SSH User Certficate

Request
GET/ssh_user_certificates/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_user_certificates/sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI
Response

Returns a 200 response on success

Example Response
{
  "id": "sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
  "uri": "https://api.ngrok.com/ssh_user_certificates/sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
  "created_at": "2020-10-22T08:23:33Z",
  "description": "temporary access to staging machine for alan",
  "metadata": "{\"user_email\": \"alan@example.com\"}",
  "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0= alan@work-laptop",
  "key_type": "ecdsa",
  "ssh_certificate_authority_id": "sshca_1jE2czEdrMPXYxaCv0Xgg3FqvHA",
  "principals": [
    "ec2-user",
    "root"
  ],
  "critical_options": {},
  "extensions": {
    "permit-pty": "",
    "permit-user-rc": ""
  },
  "valid_after": "2020-10-22T08:23:33Z",
  "valid_until": "2021-01-20T08:23:33Z",
  "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgiMCJnbmifvBJeGS4e1ZIUdH3cwoLELRTrnxGfZxILdUAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0AAAAAAAAAAAAAAAEAAAAhc3VjcnRfMWpFMmQwNnFNZW5Rdk5WOFNwWWpXVXNnZHJJAAAAFAAAAAhlYzItdXNlcgAAAARyb290AAAAAF+RQYUAAAAAYAfohQAAAAAAAAAoAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIALsnVk/XfXLwYODiCoY6ITyixec6Jj/GYw1IEvHaNd2AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDuxky261kTxSnUJHLtZaMprnSdkHQ/hx1UZD0jfGkGerpkOgKxpM0IuLwBlNqKtfgoOaGJkg605w93lz1fEl8M sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI"
}
Fields
id string unique identifier for this SSH User Certificate
uri string URI of the SSH User Certificate API resource
created_at string timestamp when the SSH User Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH User Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH User Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh user certificate
principals List<string> the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizinig the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.
critical_options Map<string, string> A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec for additional details.
extensions Map<string, string> A map of extensions included in the certificate. Extensions are additional metadata that can be interpreted by the SSH server for any purpose. These can be used to permit or deny the ability to open a terminal, do port forwarding, x11 forwarding, and more. If unspecified, the certificate will include limited permissions with the following extension map: {"permit-pty": "", "permit-user-rc": ""} OpenSSH understands a number of predefined extensions. See the OpenSSH certificate protocol spec for additional details.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys Format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

List SSH User Certificates

List all SSH User Certificates issued on this account

Request
GET/ssh_user_certificates
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_user_certificates
Response

Returns a 200 response on success

Example Response
{
  "ssh_user_certificates": [
    {
      "id": "sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
      "uri": "https://api.ngrok.com/ssh_user_certificates/sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
      "created_at": "2020-10-22T08:23:33Z",
      "description": "temporary access to staging machine",
      "metadata": "",
      "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0= alan@work-laptop",
      "key_type": "ecdsa",
      "ssh_certificate_authority_id": "sshca_1jE2czEdrMPXYxaCv0Xgg3FqvHA",
      "principals": [
        "ec2-user",
        "root"
      ],
      "critical_options": {},
      "extensions": {
        "permit-pty": "",
        "permit-user-rc": ""
      },
      "valid_after": "2020-10-22T08:23:33Z",
      "valid_until": "2021-01-20T08:23:33Z",
      "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgiMCJnbmifvBJeGS4e1ZIUdH3cwoLELRTrnxGfZxILdUAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0AAAAAAAAAAAAAAAEAAAAhc3VjcnRfMWpFMmQwNnFNZW5Rdk5WOFNwWWpXVXNnZHJJAAAAFAAAAAhlYzItdXNlcgAAAARyb290AAAAAF+RQYUAAAAAYAfohQAAAAAAAAAoAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIALsnVk/XfXLwYODiCoY6ITyixec6Jj/GYw1IEvHaNd2AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDuxky261kTxSnUJHLtZaMprnSdkHQ/hx1UZD0jfGkGerpkOgKxpM0IuLwBlNqKtfgoOaGJkg605w93lz1fEl8M sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI"
    }
  ],
  "uri": "https://api.ngrok.com/ssh_user_certificates",
  "next_page_uri": null
}
Fields
ssh_user_certificates SSHUserCertificate the list of all ssh user certificates on this account
uri string URI of the ssh user certificates list API resource
next_page_uri string URI of the next page, or null if there is no next page
SSHUserCertificate fields
id string unique identifier for this SSH User Certificate
uri string URI of the SSH User Certificate API resource
created_at string timestamp when the SSH User Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH User Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH User Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh user certificate
principals List<string> the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizinig the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.
critical_options Map<string, string> A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec for additional details.
extensions Map<string, string> A map of extensions included in the certificate. Extensions are additional metadata that can be interpreted by the SSH server for any purpose. These can be used to permit or deny the ability to open a terminal, do port forwarding, x11 forwarding, and more. If unspecified, the certificate will include limited permissions with the following extension map: {"permit-pty": "", "permit-user-rc": ""} OpenSSH understands a number of predefined extensions. See the OpenSSH certificate protocol spec for additional details.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys Format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

Update SSH User Certificate

Update an SSH User Certificate

Request
PATCH/ssh_user_certificates/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"temporary access to staging machine for alan","metadata":"{\"user_email\": \"alan@example.com\"}"}' \
https://api.ngrok.com/ssh_user_certificates/sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI
Parameters
id string
description string human-readable description of this SSH User Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH User Certificate. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
  "uri": "https://api.ngrok.com/ssh_user_certificates/sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI",
  "created_at": "2020-10-22T08:23:33Z",
  "description": "temporary access to staging machine for alan",
  "metadata": "{\"user_email\": \"alan@example.com\"}",
  "public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0= alan@work-laptop",
  "key_type": "ecdsa",
  "ssh_certificate_authority_id": "sshca_1jE2czEdrMPXYxaCv0Xgg3FqvHA",
  "principals": [
    "ec2-user",
    "root"
  ],
  "critical_options": {},
  "extensions": {
    "permit-pty": "",
    "permit-user-rc": ""
  },
  "valid_after": "2020-10-22T08:23:33Z",
  "valid_until": "2021-01-20T08:23:33Z",
  "certificate": "ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgiMCJnbmifvBJeGS4e1ZIUdH3cwoLELRTrnxGfZxILdUAAAAIbmlzdHAyNTYAAABBBK58lFzmWlDimDtBz78wVT4oauA8PjY0CiXTCEIsBNC6UwOJvZ0jdSaYNhDaa7dRV84DfBb/gKzqlXC7cVMZjl0AAAAAAAAAAAAAAAEAAAAhc3VjcnRfMWpFMmQwNnFNZW5Rdk5WOFNwWWpXVXNnZHJJAAAAFAAAAAhlYzItdXNlcgAAAARyb290AAAAAF+RQYUAAAAAYAfohQAAAAAAAAAoAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIALsnVk/XfXLwYODiCoY6ITyixec6Jj/GYw1IEvHaNd2AAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDuxky261kTxSnUJHLtZaMprnSdkHQ/hx1UZD0jfGkGerpkOgKxpM0IuLwBlNqKtfgoOaGJkg605w93lz1fEl8M sucrt_1jE2d06qMenQvNV8SpYjWUsgdrI"
}
Fields
id string unique identifier for this SSH User Certificate
uri string URI of the SSH User Certificate API resource
created_at string timestamp when the SSH User Certificate API resource was created, RFC 3339 format
description string human-readable description of this SSH User Certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this SSH User Certificate. optional, max 4096 bytes.
public_key string a public key in OpenSSH Authorized Keys format that this certificate signs
key_type string the key type of the public_key, one of rsa, ecdsa or ed25519
ssh_certificate_authority_id string the ssh certificate authority that is used to sign this ssh user certificate
principals List<string> the list of principals included in the ssh user certificate. This is the list of usernames that the certificate holder may sign in as on a machine authorizinig the signing certificate authority. Dangerously, if no principals are specified, this certificate may be used to log in as any user.
critical_options Map<string, string> A map of critical options included in the certificate. Only two critical options are currently defined by OpenSSH: force-command and source-address. See the OpenSSH certificate protocol spec for additional details.
extensions Map<string, string> A map of extensions included in the certificate. Extensions are additional metadata that can be interpreted by the SSH server for any purpose. These can be used to permit or deny the ability to open a terminal, do port forwarding, x11 forwarding, and more. If unspecified, the certificate will include limited permissions with the following extension map: {"permit-pty": "", "permit-user-rc": ""} OpenSSH understands a number of predefined extensions. See the OpenSSH certificate protocol spec for additional details.
valid_after string the time when the ssh host certificate becomes valid, in RFC 3339 format.
valid_until string the time after which the ssh host certificate becomes invalid, in RFC 3339 format. the OpenSSH certificates RFC calls this valid_before.
certificate string the signed SSH certificate in OpenSSH Authorized Keys Format. this value should be placed in a -cert.pub certificate file on disk that should be referenced in your sshd_config configuration file with a HostCertificate directive

Create TLS Certificate

Upload a new TLS certificate

Request
POST/tls_certificates
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"certificate_pem":"-----BEGIN CERTIFICATE-----\nMIIDDTCCAfWgAwIBAgIUBUunDdA4gjgtEbZA8w9Ljhvl3bEwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwMzI0MTgxODE5WhcNMjAw\nNDIzMTgxODE5WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAPKVkkKYNl3d9cqrz4tIFlwsohED5W4y1dcBixy4\nGANFFnw43nc2wPyKwYXumJqJIFrcW/NkUZL07bd+dou6mT6Gh/zbaTW91IkREPXL\n7b3KfVu4XkFosVXpWs0U6o4GrZ81CLiKBWI+H03x/ij5OSiJ1l71pqLeTJLOydAR\nAl8kpp7axeHU4UbDrAZkW5SnuZTjIKwVg0UNsBg1yNfUOu1Uah3BYaqPgQitC0Yg\nLW+NUGu/T91bkD7tLsVInkQXeQGdXBAqOycfJ7wj8OlIpyuXjTnGFA0izVmbQw5f\nrQnZ0geGyhLamvz9Gcd7mIlD/+/AEN9Lht82tAOzKG98/O8CAwEAAaNTMFEwHQYD\nVR0OBBYEFKv6RsvEC6T+zCtJZwB0FCR1sEkhMB8GA1UdIwQYMBaAFKv6RsvEC6T+\nzCtJZwB0FCR1sEkhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAC5fBrouinespo5+9AipjhY/HOKTg+OCnppFnSnqeU1eXZZJ0oakdHTpTNxtbQP9\ntOJTA2f3KWvmpNDMohEQXZz8wHDkdbrIXJKVp6zs1pEp+0BIjA4y9mSywa5xuyk0\noGeChRgGqp2JujDyPCb7LEaKKQEEdMqy73QG+jEAh14+wKixlAf1nATBdeCUvssK\n2x1uZMyqjJFB5y/5EdnWQzD4WJkrsCkxsZHVMN1d+dqf2sf3dTRV8fzsFGOG17NS\n6u2n9iGcFdBA82XN8yeLIWhy1t3GWutG1sdxENbFRRXea+iUqzDsmRtkaBma2GLQ\nd6JTpFbsCtwDjP23UEi7SZo=\n-----END CERTIFICATE-----","private_key_pem":"-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDylZJCmDZd3fXK\nq8+LSBZcLKIRA+VuMtXXAYscuBgDRRZ8ON53NsD8isGF7piaiSBa3FvzZFGS9O23\nfnaLupk+hof822k1vdSJERD1y+29yn1buF5BaLFV6VrNFOqOBq2fNQi4igViPh9N\n8f4o+TkoidZe9aai3kySzsnQEQJfJKae2sXh1OFGw6wGZFuUp7mU4yCsFYNFDbAY\nNcjX1DrtVGodwWGqj4EIrQtGIC1vjVBrv0/dW5A+7S7FSJ5EF3kBnVwQKjsnHye8\nI/DpSKcrl405xhQNIs1Zm0MOX60J2dIHhsoS2pr8/RnHe5iJQ//vwBDfS4bfNrQD\nsyhvfPzvAgMBAAECggEBALLv7YE98exvi5zB+0fMFuJK8gkHDLequ93q/4hhqyTO\nU3WyJTdepiAi4fk/NEXZnIopPZJdj2aNUMQnfp43OE7MwYac+hBwRFQOyKnmkSmM\nMcf0SWKKLTUn+piIMzQsbOmhHxuwg6QiGslOFaJ3o9fpRL2rCg3dWDJ6Ypcd1NgE\nK0uy7gg+DwIpU6MeG6lA+HbxbGi+yd2x88Gjn9dGr7FZK34RUDooH60BCX9P8N9X\nT+n10MzzX7ZQOsLfe8FKc1/X8AybI5SYm1GMyfKD4QBt6JG4HKAjPHzBzcIpfN3d\n7BM11Imkrz7LcbUG+F23NVsi6n5IIGT1WqwCRIH2PpECgYEA/SJ5Ra4d0hUS5RYB\nzABquM3sp7JsKxCn7O5PqNLB4TgH9dXtWFhaFVB6juMGyHbvktVH0j4lps/Te0rk\nVU2zU1XxvCTFhtcCYUtNk0cRw6LH8feKiorXHdDRB33t0c47QSD/6AGOjBtxqD7B\n3ZxyR3P+7RdQopLLRFN+FHAnmzsCgYEA9VSGZDFSK+fbg4CgwkWdzuHrAXaUEv0U\novqqWd/yXB9wauEvRHnOrSgW6hFZQiatJOXx0KnalJQzohz/SLGO0MqGtwQbYWVT\nWiJgjUbNeiPEHBeUA6U55lVQr26kQSUWdXEtRbDz+hqV1K+6tTEMzaSPmJiHNgki\nlNMO2gqGQd0CgYBJ268qx5zn2UJEGWG41j5NYbg1TfgFsLxugzI2/heX0TNxZVP1\nPQI7ydmYq2ElSJ6qZxSnoX5255i7FqT8xskV/bOkw83mhAGrxb8Cw+/I90wDq8h+\nl/ggOPdkijfDybq8TBae6SVgd/l3r6f9M1KcypmNMApVBSPN8daNvBOyVQKBgQDo\nsj2utyFrx8Xsm4rf+kxOuPbBMooM4MQ8OmpuSP6G5sMofWLqHmcs0sO5TK9PEYRV\nZU3ST+ml2FSJRdvWRaRi4laZLWoTHZrL+aN/HVM0sMwIoUyhkIy0ruOTIuzlZZpB\n1xHL8qXX6nOHgw8jYdz1CUuyv6owVMXaR77kjer+eQKBgByYZlR/eNTzlot0SdFl\nIbgQ9bV7VLIo+vKzOXE3trfzRJMgUosLTp+5wdSVSW/VBdYZ7Ir3n0bbpY/dGinI\nVShxPbChhCZnhvG2lEEiekI44m5jHSA6hhtRdt/CrhL65Rw2SE5lMEe8htg1UGus\nwzLHWHBl72FjbjdhvEgrq60W\n-----END PRIVATE KEY-----"}' \
https://api.ngrok.com/tls_certificates
Parameters
description string human-readable description of this TLS certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this TLS certificate. optional, max 4096 bytes.
certificate_pem string chain of PEM-encoded certificates, leaf first. See Certificate Bundles.
private_key_pem string private key for the TLS certificate, PEM-encoded. See Private Keys.
Response

Returns a 200 response on success

Example Response
{
  "id": "cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
  "uri": "https://api.ngrok.com/tls_certificates/cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "",
  "metadata": "",
  "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIDDTCCAfWgAwIBAgIUBUunDdA4gjgtEbZA8w9Ljhvl3bEwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwMzI0MTgxODE5WhcNMjAw\nNDIzMTgxODE5WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAPKVkkKYNl3d9cqrz4tIFlwsohED5W4y1dcBixy4\nGANFFnw43nc2wPyKwYXumJqJIFrcW/NkUZL07bd+dou6mT6Gh/zbaTW91IkREPXL\n7b3KfVu4XkFosVXpWs0U6o4GrZ81CLiKBWI+H03x/ij5OSiJ1l71pqLeTJLOydAR\nAl8kpp7axeHU4UbDrAZkW5SnuZTjIKwVg0UNsBg1yNfUOu1Uah3BYaqPgQitC0Yg\nLW+NUGu/T91bkD7tLsVInkQXeQGdXBAqOycfJ7wj8OlIpyuXjTnGFA0izVmbQw5f\nrQnZ0geGyhLamvz9Gcd7mIlD/+/AEN9Lht82tAOzKG98/O8CAwEAAaNTMFEwHQYD\nVR0OBBYEFKv6RsvEC6T+zCtJZwB0FCR1sEkhMB8GA1UdIwQYMBaAFKv6RsvEC6T+\nzCtJZwB0FCR1sEkhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAC5fBrouinespo5+9AipjhY/HOKTg+OCnppFnSnqeU1eXZZJ0oakdHTpTNxtbQP9\ntOJTA2f3KWvmpNDMohEQXZz8wHDkdbrIXJKVp6zs1pEp+0BIjA4y9mSywa5xuyk0\noGeChRgGqp2JujDyPCb7LEaKKQEEdMqy73QG+jEAh14+wKixlAf1nATBdeCUvssK\n2x1uZMyqjJFB5y/5EdnWQzD4WJkrsCkxsZHVMN1d+dqf2sf3dTRV8fzsFGOG17NS\n6u2n9iGcFdBA82XN8yeLIWhy1t3GWutG1sdxENbFRRXea+iUqzDsmRtkaBma2GLQ\nd6JTpFbsCtwDjP23UEi7SZo=\n-----END CERTIFICATE-----\n",
  "subject_common_name": "example.com",
  "subject_alternative_names": {
    "dns_names": [],
    "ips": []
  },
  "issued_at": null,
  "not_before": "2020-03-24T18:18:19Z",
  "not_after": "2020-04-23T18:18:19Z",
  "key_usages": [],
  "extended_key_usages": [],
  "private_key_type": "rsa",
  "issuer_common_name": "example.com",
  "serial_number": "054ba70dd03882382d11b640f30f4b8e1be5ddb1",
  "subject_organization": "",
  "subject_organizational_unit": "",
  "subject_locality": "",
  "subject_province": "",
  "subject_country": ""
}
Fields
id string unique identifier for this TLS certificate
uri string URI of the TLS certificate API resource
created_at string timestamp when the TLS certificate was created, RFC 3339 format
description string human-readable description of this TLS certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this TLS certificate. optional, max 4096 bytes.
certificate_pem string chain of PEM-encoded certificates, leaf first. See Certificate Bundles.
subject_common_name string subject common name from the leaf of this TLS certificate
subject_alternative_names TLSCertificateSANs subject alternative names (SANs) from the leaf of this TLS certificate
issued_at string timestamp (in RFC 3339 format) when this TLS certificate was issued automatically, or null if this certificate was user-uploaded
not_before string timestamp when this TLS certificate becomes valid, RFC 3339 format
not_after string timestamp when this TLS certificate becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this TLS certificate can be used for
extended_key_usages List<string> extended set of actions the private key of this TLS certificate can be used for
private_key_type string type of the private key of this TLS certificate. One of rsa, ecdsa, or ed25519.
issuer_common_name string issuer common name from the leaf of this TLS certificate
serial_number string serial number of the leaf of this TLS certificate
subject_organization string subject organization from the leaf of this TLS certificate
subject_organizational_unit string subject organizational unit from the leaf of this TLS certificate
subject_locality string subject locality from the leaf of this TLS certificate
subject_province string subject province from the leaf of this TLS certificate
subject_country string subject country from the leaf of this TLS certificate
TLSCertificateSANs fields
dns_names List<string> set of additional domains (including wildcards) this TLS certificate is valid for
ips List<string> set of IP addresses this TLS certificate is also valid for

Delete TLS Certificate

Delete a TLS certificate

Request
DELETE/tls_certificates/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/tls_certificates/cert_1jE2cp8ENRRpzJrB71WnUD8YDrq
Response

Returns a 204 response with no body on success

Get TLS Certificate

Get detailed information about a TLS certificate

Request
GET/tls_certificates/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/tls_certificates/cert_1jE2cp8ENRRpzJrB71WnUD8YDrq
Response

Returns a 200 response on success

Example Response
{
  "id": "cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
  "uri": "https://api.ngrok.com/tls_certificates/cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "",
  "metadata": "{\"example\": true}",
  "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIDDTCCAfWgAwIBAgIUBUunDdA4gjgtEbZA8w9Ljhvl3bEwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwMzI0MTgxODE5WhcNMjAw\nNDIzMTgxODE5WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAPKVkkKYNl3d9cqrz4tIFlwsohED5W4y1dcBixy4\nGANFFnw43nc2wPyKwYXumJqJIFrcW/NkUZL07bd+dou6mT6Gh/zbaTW91IkREPXL\n7b3KfVu4XkFosVXpWs0U6o4GrZ81CLiKBWI+H03x/ij5OSiJ1l71pqLeTJLOydAR\nAl8kpp7axeHU4UbDrAZkW5SnuZTjIKwVg0UNsBg1yNfUOu1Uah3BYaqPgQitC0Yg\nLW+NUGu/T91bkD7tLsVInkQXeQGdXBAqOycfJ7wj8OlIpyuXjTnGFA0izVmbQw5f\nrQnZ0geGyhLamvz9Gcd7mIlD/+/AEN9Lht82tAOzKG98/O8CAwEAAaNTMFEwHQYD\nVR0OBBYEFKv6RsvEC6T+zCtJZwB0FCR1sEkhMB8GA1UdIwQYMBaAFKv6RsvEC6T+\nzCtJZwB0FCR1sEkhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAC5fBrouinespo5+9AipjhY/HOKTg+OCnppFnSnqeU1eXZZJ0oakdHTpTNxtbQP9\ntOJTA2f3KWvmpNDMohEQXZz8wHDkdbrIXJKVp6zs1pEp+0BIjA4y9mSywa5xuyk0\noGeChRgGqp2JujDyPCb7LEaKKQEEdMqy73QG+jEAh14+wKixlAf1nATBdeCUvssK\n2x1uZMyqjJFB5y/5EdnWQzD4WJkrsCkxsZHVMN1d+dqf2sf3dTRV8fzsFGOG17NS\n6u2n9iGcFdBA82XN8yeLIWhy1t3GWutG1sdxENbFRRXea+iUqzDsmRtkaBma2GLQ\nd6JTpFbsCtwDjP23UEi7SZo=\n-----END CERTIFICATE-----\n",
  "subject_common_name": "example.com",
  "subject_alternative_names": {
    "dns_names": [],
    "ips": []
  },
  "issued_at": null,
  "not_before": "2020-03-24T18:18:19Z",
  "not_after": "2020-04-23T18:18:19Z",
  "key_usages": [],
  "extended_key_usages": [],
  "private_key_type": "rsa",
  "issuer_common_name": "example.com",
  "serial_number": "054ba70dd03882382d11b640f30f4b8e1be5ddb1",
  "subject_organization": "",
  "subject_organizational_unit": "",
  "subject_locality": "",
  "subject_province": "",
  "subject_country": ""
}
Fields
id string unique identifier for this TLS certificate
uri string URI of the TLS certificate API resource
created_at string timestamp when the TLS certificate was created, RFC 3339 format
description string human-readable description of this TLS certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this TLS certificate. optional, max 4096 bytes.
certificate_pem string chain of PEM-encoded certificates, leaf first. See Certificate Bundles.
subject_common_name string subject common name from the leaf of this TLS certificate
subject_alternative_names TLSCertificateSANs subject alternative names (SANs) from the leaf of this TLS certificate
issued_at string timestamp (in RFC 3339 format) when this TLS certificate was issued automatically, or null if this certificate was user-uploaded
not_before string timestamp when this TLS certificate becomes valid, RFC 3339 format
not_after string timestamp when this TLS certificate becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this TLS certificate can be used for
extended_key_usages List<string> extended set of actions the private key of this TLS certificate can be used for
private_key_type string type of the private key of this TLS certificate. One of rsa, ecdsa, or ed25519.
issuer_common_name string issuer common name from the leaf of this TLS certificate
serial_number string serial number of the leaf of this TLS certificate
subject_organization string subject organization from the leaf of this TLS certificate
subject_organizational_unit string subject organizational unit from the leaf of this TLS certificate
subject_locality string subject locality from the leaf of this TLS certificate
subject_province string subject province from the leaf of this TLS certificate
subject_country string subject country from the leaf of this TLS certificate
TLSCertificateSANs fields
dns_names List<string> set of additional domains (including wildcards) this TLS certificate is valid for
ips List<string> set of IP addresses this TLS certificate is also valid for

List TLS Certificates

List all TLS certificates on this account

Request
GET/tls_certificates
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/tls_certificates
Response

Returns a 200 response on success

Example Response
{
  "tls_certificates": [
    {
      "id": "cert_1jE2cCun8MNOoQFecTJHFrsaSjy",
      "uri": "https://api.ngrok.com/tls_certificates/cert_1jE2cCun8MNOoQFecTJHFrsaSjy",
      "created_at": "2020-10-22T08:23:27Z",
      "description": "",
      "metadata": "",
      "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIDDTCCAfWgAwIBAgIUBUunDdA4gjgtEbZA8w9Ljhvl3bEwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwMzI0MTgxODE5WhcNMjAw\nNDIzMTgxODE5WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAPKVkkKYNl3d9cqrz4tIFlwsohED5W4y1dcBixy4\nGANFFnw43nc2wPyKwYXumJqJIFrcW/NkUZL07bd+dou6mT6Gh/zbaTW91IkREPXL\n7b3KfVu4XkFosVXpWs0U6o4GrZ81CLiKBWI+H03x/ij5OSiJ1l71pqLeTJLOydAR\nAl8kpp7axeHU4UbDrAZkW5SnuZTjIKwVg0UNsBg1yNfUOu1Uah3BYaqPgQitC0Yg\nLW+NUGu/T91bkD7tLsVInkQXeQGdXBAqOycfJ7wj8OlIpyuXjTnGFA0izVmbQw5f\nrQnZ0geGyhLamvz9Gcd7mIlD/+/AEN9Lht82tAOzKG98/O8CAwEAAaNTMFEwHQYD\nVR0OBBYEFKv6RsvEC6T+zCtJZwB0FCR1sEkhMB8GA1UdIwQYMBaAFKv6RsvEC6T+\nzCtJZwB0FCR1sEkhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAC5fBrouinespo5+9AipjhY/HOKTg+OCnppFnSnqeU1eXZZJ0oakdHTpTNxtbQP9\ntOJTA2f3KWvmpNDMohEQXZz8wHDkdbrIXJKVp6zs1pEp+0BIjA4y9mSywa5xuyk0\noGeChRgGqp2JujDyPCb7LEaKKQEEdMqy73QG+jEAh14+wKixlAf1nATBdeCUvssK\n2x1uZMyqjJFB5y/5EdnWQzD4WJkrsCkxsZHVMN1d+dqf2sf3dTRV8fzsFGOG17NS\n6u2n9iGcFdBA82XN8yeLIWhy1t3GWutG1sdxENbFRRXea+iUqzDsmRtkaBma2GLQ\nd6JTpFbsCtwDjP23UEi7SZo=\n-----END CERTIFICATE-----\n",
      "subject_common_name": "example.com",
      "subject_alternative_names": {
        "dns_names": [],
        "ips": []
      },
      "issued_at": null,
      "not_before": "2020-03-24T18:18:19Z",
      "not_after": "2020-04-23T18:18:19Z",
      "key_usages": [],
      "extended_key_usages": [],
      "private_key_type": "rsa",
      "issuer_common_name": "example.com",
      "serial_number": "054ba70dd03882382d11b640f30f4b8e1be5ddb1",
      "subject_organization": "",
      "subject_organizational_unit": "",
      "subject_locality": "",
      "subject_province": "",
      "subject_country": ""
    },
    {
      "id": "cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
      "uri": "https://api.ngrok.com/tls_certificates/cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
      "created_at": "2020-10-22T08:23:32Z",
      "description": "",
      "metadata": "",
      "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIDDTCCAfWgAwIBAgIUBUunDdA4gjgtEbZA8w9Ljhvl3bEwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwMzI0MTgxODE5WhcNMjAw\nNDIzMTgxODE5WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAPKVkkKYNl3d9cqrz4tIFlwsohED5W4y1dcBixy4\nGANFFnw43nc2wPyKwYXumJqJIFrcW/NkUZL07bd+dou6mT6Gh/zbaTW91IkREPXL\n7b3KfVu4XkFosVXpWs0U6o4GrZ81CLiKBWI+H03x/ij5OSiJ1l71pqLeTJLOydAR\nAl8kpp7axeHU4UbDrAZkW5SnuZTjIKwVg0UNsBg1yNfUOu1Uah3BYaqPgQitC0Yg\nLW+NUGu/T91bkD7tLsVInkQXeQGdXBAqOycfJ7wj8OlIpyuXjTnGFA0izVmbQw5f\nrQnZ0geGyhLamvz9Gcd7mIlD/+/AEN9Lht82tAOzKG98/O8CAwEAAaNTMFEwHQYD\nVR0OBBYEFKv6RsvEC6T+zCtJZwB0FCR1sEkhMB8GA1UdIwQYMBaAFKv6RsvEC6T+\nzCtJZwB0FCR1sEkhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAC5fBrouinespo5+9AipjhY/HOKTg+OCnppFnSnqeU1eXZZJ0oakdHTpTNxtbQP9\ntOJTA2f3KWvmpNDMohEQXZz8wHDkdbrIXJKVp6zs1pEp+0BIjA4y9mSywa5xuyk0\noGeChRgGqp2JujDyPCb7LEaKKQEEdMqy73QG+jEAh14+wKixlAf1nATBdeCUvssK\n2x1uZMyqjJFB5y/5EdnWQzD4WJkrsCkxsZHVMN1d+dqf2sf3dTRV8fzsFGOG17NS\n6u2n9iGcFdBA82XN8yeLIWhy1t3GWutG1sdxENbFRRXea+iUqzDsmRtkaBma2GLQ\nd6JTpFbsCtwDjP23UEi7SZo=\n-----END CERTIFICATE-----\n",
      "subject_common_name": "example.com",
      "subject_alternative_names": {
        "dns_names": [],
        "ips": []
      },
      "issued_at": null,
      "not_before": "2020-03-24T18:18:19Z",
      "not_after": "2020-04-23T18:18:19Z",
      "key_usages": [],
      "extended_key_usages": [],
      "private_key_type": "rsa",
      "issuer_common_name": "example.com",
      "serial_number": "054ba70dd03882382d11b640f30f4b8e1be5ddb1",
      "subject_organization": "",
      "subject_organizational_unit": "",
      "subject_locality": "",
      "subject_province": "",
      "subject_country": ""
    }
  ],
  "uri": "https://api.ngrok.com/tls_certificates",
  "next_page_uri": null
}
Fields
tls_certificates TLSCertificate the list of all TLS certificates on this account
uri string URI of the TLS certificates list API resource
next_page_uri string URI of the next page, or null if there is no next page
TLSCertificate fields
id string unique identifier for this TLS certificate
uri string URI of the TLS certificate API resource
created_at string timestamp when the TLS certificate was created, RFC 3339 format
description string human-readable description of this TLS certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this TLS certificate. optional, max 4096 bytes.
certificate_pem string chain of PEM-encoded certificates, leaf first. See Certificate Bundles.
subject_common_name string subject common name from the leaf of this TLS certificate
subject_alternative_names TLSCertificateSANs subject alternative names (SANs) from the leaf of this TLS certificate
issued_at string timestamp (in RFC 3339 format) when this TLS certificate was issued automatically, or null if this certificate was user-uploaded
not_before string timestamp when this TLS certificate becomes valid, RFC 3339 format
not_after string timestamp when this TLS certificate becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this TLS certificate can be used for
extended_key_usages List<string> extended set of actions the private key of this TLS certificate can be used for
private_key_type string type of the private key of this TLS certificate. One of rsa, ecdsa, or ed25519.
issuer_common_name string issuer common name from the leaf of this TLS certificate
serial_number string serial number of the leaf of this TLS certificate
subject_organization string subject organization from the leaf of this TLS certificate
subject_organizational_unit string subject organizational unit from the leaf of this TLS certificate
subject_locality string subject locality from the leaf of this TLS certificate
subject_province string subject province from the leaf of this TLS certificate
subject_country string subject country from the leaf of this TLS certificate
TLSCertificateSANs fields
dns_names List<string> set of additional domains (including wildcards) this TLS certificate is valid for
ips List<string> set of IP addresses this TLS certificate is also valid for

Update TLS Certificate

Update attributes of a TLS Certificate by ID

Request
PATCH/tls_certificates/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"metadata":"{\"example\": true}"}' \
https://api.ngrok.com/tls_certificates/cert_1jE2cp8ENRRpzJrB71WnUD8YDrq
Parameters
id string
description string human-readable description of this TLS certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this TLS certificate. optional, max 4096 bytes.
Response

Returns a 200 response on success

Example Response
{
  "id": "cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
  "uri": "https://api.ngrok.com/tls_certificates/cert_1jE2cp8ENRRpzJrB71WnUD8YDrq",
  "created_at": "2020-10-22T08:23:32Z",
  "description": "",
  "metadata": "{\"example\": true}",
  "certificate_pem": "-----BEGIN CERTIFICATE-----\nMIIDDTCCAfWgAwIBAgIUBUunDdA4gjgtEbZA8w9Ljhvl3bEwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjAwMzI0MTgxODE5WhcNMjAw\nNDIzMTgxODE5WjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAPKVkkKYNl3d9cqrz4tIFlwsohED5W4y1dcBixy4\nGANFFnw43nc2wPyKwYXumJqJIFrcW/NkUZL07bd+dou6mT6Gh/zbaTW91IkREPXL\n7b3KfVu4XkFosVXpWs0U6o4GrZ81CLiKBWI+H03x/ij5OSiJ1l71pqLeTJLOydAR\nAl8kpp7axeHU4UbDrAZkW5SnuZTjIKwVg0UNsBg1yNfUOu1Uah3BYaqPgQitC0Yg\nLW+NUGu/T91bkD7tLsVInkQXeQGdXBAqOycfJ7wj8OlIpyuXjTnGFA0izVmbQw5f\nrQnZ0geGyhLamvz9Gcd7mIlD/+/AEN9Lht82tAOzKG98/O8CAwEAAaNTMFEwHQYD\nVR0OBBYEFKv6RsvEC6T+zCtJZwB0FCR1sEkhMB8GA1UdIwQYMBaAFKv6RsvEC6T+\nzCtJZwB0FCR1sEkhMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB\nAC5fBrouinespo5+9AipjhY/HOKTg+OCnppFnSnqeU1eXZZJ0oakdHTpTNxtbQP9\ntOJTA2f3KWvmpNDMohEQXZz8wHDkdbrIXJKVp6zs1pEp+0BIjA4y9mSywa5xuyk0\noGeChRgGqp2JujDyPCb7LEaKKQEEdMqy73QG+jEAh14+wKixlAf1nATBdeCUvssK\n2x1uZMyqjJFB5y/5EdnWQzD4WJkrsCkxsZHVMN1d+dqf2sf3dTRV8fzsFGOG17NS\n6u2n9iGcFdBA82XN8yeLIWhy1t3GWutG1sdxENbFRRXea+iUqzDsmRtkaBma2GLQ\nd6JTpFbsCtwDjP23UEi7SZo=\n-----END CERTIFICATE-----\n",
  "subject_common_name": "example.com",
  "subject_alternative_names": {
    "dns_names": [],
    "ips": []
  },
  "issued_at": null,
  "not_before": "2020-03-24T18:18:19Z",
  "not_after": "2020-04-23T18:18:19Z",
  "key_usages": [],
  "extended_key_usages": [],
  "private_key_type": "rsa",
  "issuer_common_name": "example.com",
  "serial_number": "054ba70dd03882382d11b640f30f4b8e1be5ddb1",
  "subject_organization": "",
  "subject_organizational_unit": "",
  "subject_locality": "",
  "subject_province": "",
  "subject_country": ""
}
Fields
id string unique identifier for this TLS certificate
uri string URI of the TLS certificate API resource
created_at string timestamp when the TLS certificate was created, RFC 3339 format
description string human-readable description of this TLS certificate. optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this TLS certificate. optional, max 4096 bytes.
certificate_pem string chain of PEM-encoded certificates, leaf first. See Certificate Bundles.
subject_common_name string subject common name from the leaf of this TLS certificate
subject_alternative_names TLSCertificateSANs subject alternative names (SANs) from the leaf of this TLS certificate
issued_at string timestamp (in RFC 3339 format) when this TLS certificate was issued automatically, or null if this certificate was user-uploaded
not_before string timestamp when this TLS certificate becomes valid, RFC 3339 format
not_after string timestamp when this TLS certificate becomes invalid, RFC 3339 format
key_usages List<string> set of actions the private key of this TLS certificate can be used for
extended_key_usages List<string> extended set of actions the private key of this TLS certificate can be used for
private_key_type string type of the private key of this TLS certificate. One of rsa, ecdsa, or ed25519.
issuer_common_name string issuer common name from the leaf of this TLS certificate
serial_number string serial number of the leaf of this TLS certificate
subject_organization string subject organization from the leaf of this TLS certificate
subject_organizational_unit string subject organizational unit from the leaf of this TLS certificate
subject_locality string subject locality from the leaf of this TLS certificate
subject_province string subject province from the leaf of this TLS certificate
subject_country string subject country from the leaf of this TLS certificate
TLSCertificateSANs fields
dns_names List<string> set of additional domains (including wildcards) this TLS certificate is valid for
ips List<string> set of IP addresses this TLS certificate is also valid for

Replace TLS Termination Module

Request
PUT/endpoint_configurations/{id}/tls_termination
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"terminate_at":"edge","min_version":"1.2"}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/tls_termination
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "terminate_at": "edge",
  "min_version": "1.2"
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.

Get TLS Termination Module

Request
GET/endpoint_configurations/{id}/tls_termination
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/tls_termination
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "terminate_at": "edge",
  "min_version": "1.2"
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
terminate_at string edge if the ngrok edge should terminate TLS traffic, upstream if TLS traffic should be passed through to the upstream ngrok agent / application server for termination. if upstream is chosen, most other modules will be disallowed because they rely on the ngrok edge being able to access the underlying traffic.
min_version string The minimum TLS version used for termination and advertised to the client during the TLS handshake. if unspecified, ngrok will choose an industry-safe default. This value must be null if terminate_at is set to upstream.

Delete TLS Termination Module

Request
DELETE/endpoint_configurations/{id}/tls_termination
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/tls_termination
Response

Returns a 204 response with no body on success

Create Tunnel Credential

Create a new tunnel authtoken credential. This authtoken credential can be used to start a new tunnel session. The response to this API call is the only time the generated token is available. If you need it for future use, you must save it securely yourself.

Request
POST/credentials
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"development cred for alan@example.com"}' \
https://api.ngrok.com/credentials
Parameters
description string human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
Response

Returns a 200 response on success

Example Response
{
  "id": "cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
  "uri": "https://api.ngrok.com/credentials/cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "development cred for alan@example.com",
  "metadata": "",
  "token": "1jE2cJ9jKlGOMp1uVRxCM7wCNcX_5yfmq1xzNHJt5BaGhNDEH",
  "acl": []
}
Fields
id string unique tunnel credential resource identifier
uri string URI of the tunnel credential API resource
created_at string timestamp when the tunnel credential was created, RFC 3339 format
description string human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes.
token string the credential's authtoken that can be used to authenticate an ngrok client. This value is only available one time, on the API response from credential creation, otherwise it is null.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

Delete Tunnel Credential

Delete a tunnel authtoken credential by ID

Request
DELETE/credentials/{id}
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/credentials/cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX
Response

Returns a 204 response with no body on success

Get Tunnel Credential

Get detailed information about a tunnel authtoken credential

Request
GET/credentials/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/credentials/cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX
Response

Returns a 200 response on success

Example Response
{
  "id": "cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
  "uri": "https://api.ngrok.com/credentials/cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "device alpha-2",
  "metadata": "{\"device_id\": \"d5111ba7-0cc5-4ba3-8398-e6c79e4e89c2\"}",
  "token": null,
  "acl": []
}
Fields
id string unique tunnel credential resource identifier
uri string URI of the tunnel credential API resource
created_at string timestamp when the tunnel credential was created, RFC 3339 format
description string human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes.
token string the credential's authtoken that can be used to authenticate an ngrok client. This value is only available one time, on the API response from credential creation, otherwise it is null.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

List Tunnel Credentials

List all tunnel authtoken credentials on this account

Request
GET/credentials
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/credentials
Response

Returns a 200 response on success

Example Response
{
  "credentials": [
    {
      "id": "cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
      "uri": "https://api.ngrok.com/credentials/cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
      "created_at": "2020-10-22T08:23:27Z",
      "description": "development cred for alan@example.com",
      "metadata": "",
      "token": null,
      "acl": []
    },
    {
      "id": "cr_1jE2cGR2kLy9D72mR3Du8YQVdJ4",
      "uri": "https://api.ngrok.com/credentials/cr_1jE2cGR2kLy9D72mR3Du8YQVdJ4",
      "created_at": "2020-10-22T08:23:27Z",
      "description": "for device #132",
      "metadata": "",
      "token": null,
      "acl": [
        "bind:1.tcp.ngrok.io:20002",
        "bind:132.devices.company.com"
      ]
    },
    {
      "id": "cr_1jE2c6SVj28kRL5WWHDjEPT772F",
      "uri": "https://api.ngrok.com/credentials/cr_1jE2c6SVj28kRL5WWHDjEPT772F",
      "created_at": "2020-10-22T08:23:26Z",
      "description": "credential for \"api-examples-d19b978dd5284977@example.com\"",
      "metadata": "",
      "token": "1jE2c6SVj28kRL5WWHDjEPT772F_75HXRmpPEsnmcaeS5tdnx",
      "acl": []
    }
  ],
  "uri": "https://api.ngrok.com/credentials",
  "next_page_uri": null
}
Fields
credentials Credential the list of all tunnel credentials on this account
uri string URI of the tunnel credential list API resource
next_page_uri string URI of the next page, or null if there is no next page
Credential fields
id string unique tunnel credential resource identifier
uri string URI of the tunnel credential API resource
created_at string timestamp when the tunnel credential was created, RFC 3339 format
description string human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes.
token string the credential's authtoken that can be used to authenticate an ngrok client. This value is only available one time, on the API response from credential creation, otherwise it is null.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

Update Tunnel Credential

Update attributes of an tunnel authtoken credential by ID

Request
PATCH/credentials/{id}
Example Request
curl \
-XPATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"device alpha-2","metadata":"{\"device_id\": \"d5111ba7-0cc5-4ba3-8398-e6c79e4e89c2\"}"}' \
https://api.ngrok.com/credentials/cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX
Parameters
id string
description string human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
Response

Returns a 200 response on success

Example Response
{
  "id": "cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
  "uri": "https://api.ngrok.com/credentials/cr_1jE2cJ9jKlGOMp1uVRxCM7wCNcX",
  "created_at": "2020-10-22T08:23:27Z",
  "description": "device alpha-2",
  "metadata": "{\"device_id\": \"d5111ba7-0cc5-4ba3-8398-e6c79e4e89c2\"}",
  "token": null,
  "acl": []
}
Fields
id string unique tunnel credential resource identifier
uri string URI of the tunnel credential API resource
created_at string timestamp when the tunnel credential was created, RFC 3339 format
description string human-readable description of who or what will use the credential to authenticate. Optional, max 255 bytes.
metadata string arbitrary user-defined machine-readable data of this credential. Optional, max 4096 bytes.
token string the credential's authtoken that can be used to authenticate an ngrok client. This value is only available one time, on the API response from credential creation, otherwise it is null.
acl List<string> optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains and addresses the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

List Tunnel Sessions

List all online tunnel sessions running on this account.

Request
GET/tunnel_sessions
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/tunnel_sessions
Response

Returns a 200 response on success

Example Response
{
  "tunnel_sessions": [
    {
      "agent_version": "",
      "credential": {
        "id": "cr_1jE2cLiBXlBbNrcL1jbMuCAmSLF",
        "uri": "https://api.ngrok.com/credentials/cr_1jE2cLiBXlBbNrcL1jbMuCAmSLF"
      },
      "id": "ts_1jE2cLWsmldiuD54ZqaZ900Pcdj",
      "ip": "10.42.0.52",
      "metadata": "",
      "os": "linux",
      "region": "us",
      "started_at": "2020-10-22T08:23:28Z",
      "transport": "ngrok/2",
      "uri": "https://api.ngrok.com/tunnel_sessions/ts_1jE2cLWsmldiuD54ZqaZ900Pcdj"
    }
  ],
  "uri": "https://api.ngrok.com/tunnel_sessions",
  "next_page_uri": null
}
Fields
tunnel_sessions TunnelSession list of all tunnel sessions on this account
uri string URI to the API resource of the tunnel session list
next_page_uri string URI of the next page, or null if there is no next page
TunnelSession fields
agent_version string version of the ngrok agent that started this ngrok tunnel session
credential Ref reference to the tunnel credential or ssh credential used by the ngrok agent to start this tunnel session
id string unique tunnel session resource identifier
ip string source ip address of the tunnel session
metadata string arbitrary user-defined data specified in the metadata property in the ngrok configuration file. See the metadata configuration option
os string operating system of the host the ngrok agent is running on
region string the ngrok region identifier in which this tunnel session was started
started_at string time when the tunnel session first connected to the ngrok servers
transport string the transport protocol used to start the tunnel session. Either ngrok/v2 or ssh
uri string URI to the API resource of the tunnel session
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Get Tunnel Session

Get the detailed status of a tunnel session by ID

Request
GET/tunnel_sessions/{id}
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/tunnel_sessions/ts_1jE2cWONhFtpb3UQysjjdlyHAz3
Response

Returns a 200 response on success

Example Response
{
  "agent_version": "",
  "credential": {
    "id": "cr_1jE2cTuTZ0ysvOMHq8haYzsFAEZ",
    "uri": "https://api.ngrok.com/credentials/cr_1jE2cTuTZ0ysvOMHq8haYzsFAEZ"
  },
  "id": "ts_1jE2cWONhFtpb3UQysjjdlyHAz3",
  "ip": "10.42.0.52",
  "metadata": "",
  "os": "linux",
  "region": "us",
  "started_at": "2020-10-22T08:23:29Z",
  "transport": "ngrok/2",
  "uri": "https://api.ngrok.com/tunnel_sessions/ts_1jE2cWONhFtpb3UQysjjdlyHAz3"
}
Fields
agent_version string version of the ngrok agent that started this ngrok tunnel session
credential Ref reference to the tunnel credential or ssh credential used by the ngrok agent to start this tunnel session
id string unique tunnel session resource identifier
ip string source ip address of the tunnel session
metadata string arbitrary user-defined data specified in the metadata property in the ngrok configuration file. See the metadata configuration option
os string operating system of the host the ngrok agent is running on
region string the ngrok region identifier in which this tunnel session was started
started_at string time when the tunnel session first connected to the ngrok servers
transport string the transport protocol used to start the tunnel session. Either ngrok/v2 or ssh
uri string URI to the API resource of the tunnel session
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Restart Tunnel Agent

Issues a command instructing the ngrok agent to restart. The agent restarts itself by calling exec() on platforms that support it. This operation is notably not supported on Windows. When an agent restarts, it reconnects with a new tunnel session ID.

Request
POST/tunnel_sessions/{id}/restart
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{}' \
https://api.ngrok.com/tunnel_sessions/foo/restart
Parameters
id string a resource identifier
Response

Returns a 204 response with no body on success

Stop Tunnel Agent

Issues a command instructing the ngrok agent that started this tunnel session to exit.

Request
POST/tunnel_sessions/{id}/stop
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{}' \
https://api.ngrok.com/tunnel_sessions/foo/stop
Parameters
id string a resource identifier
Response

Returns a 204 response with no body on success

Update Tunnel Agent

Issues a command instructing the ngrok agent to update itself to the latest version. After this call completes successfully, the ngrok agent will be in the update process. A caller should wait some amount of time to allow the update to complete (at least 10 seconds) before making a call to the Restart endpoint to request that the agent restart itself to start using the new code. This call will never update an ngrok agent to a new major version which could cause breaking compatibility issues. If you wish to update to a new major version, that must be done manually. Still, please be aware that updating your ngrok agent could break your integration. This call will fail in any of the following circumstances: there is no update available the ngrok agent's configuration disabled update checks the agent is currently in process of updating the agent has already successfully updated but has not yet been restarted

Request
POST/tunnel_sessions/{id}/update
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{}' \
https://api.ngrok.com/tunnel_sessions/foo/update
Parameters
id string
Response

Returns a 204 response with no body on success

List Tunnels

List all online tunnels currently running on the account.

Request
GET/tunnels
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/tunnels
Response

Returns a 200 response on success

Example Response
{
  "tunnels": [
    {
      "id": "tn_1jE2cDLCYtfiU72di1jyyXeOrWa",
      "public_url": "http://a1dfe8693530.ngrok.io",
      "started_at": "2020-10-22T08:23:27Z",
      "metadata": "",
      "proto": "http",
      "region": "us",
      "tunnel_session": {
        "id": "ts_1jE2cHdJHHLHwVeafG8FuGrN0vP",
        "uri": "https://api.ngrok.com/tunnel_sessions/ts_1jE2cHdJHHLHwVeafG8FuGrN0vP"
      }
    },
    {
      "id": "tn_1jE2cGhZppC0CMx4xOFBVhxDsEs",
      "public_url": "https://a1dfe8693530.ngrok.io",
      "started_at": "2020-10-22T08:23:27Z",
      "metadata": "",
      "proto": "https",
      "region": "us",
      "tunnel_session": {
        "id": "ts_1jE2cHdJHHLHwVeafG8FuGrN0vP",
        "uri": "https://api.ngrok.com/tunnel_sessions/ts_1jE2cHdJHHLHwVeafG8FuGrN0vP"
      }
    }
  ],
  "uri": "https://api.ngrok.com/tunnels",
  "next_page_uri": null
}
Fields
tunnels Tunnel the list of all online tunnels on this account
uri string URI of the tunnels list API resource
next_page_uri string URI of the next page, or null if there is no next page
Tunnel fields
id string unique tunnel resource identifier
public_url string URL of the tunnel's public endpoint
started_at string timestamp when the tunnel was initiated in RFC 3339 format
metadata string user-supplied metadata for the tunnel defined in the ngrok configuration file. See the tunnel metadata configuration option In API version 0, this value was instead pulled from the top-level metadata configuration option.
proto string tunnel protocol. one of http, https, tcp or tls
region string identifier of tune region where the tunnel is running
tunnel_session Ref reference object pointing to the tunnel session on which this tunnel was started
Ref fields
id string a resource identifier
uri string a uri for locating a resource

Replace Webhook Validation Module

Request
PUT/endpoint_configurations/{id}/webhook_validation
Example Request
curl \
-XPUT \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"provider":"TWILIO","secret":"secret_token"}' \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/webhook_validation
Parameters
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "provider": "TWILIO",
  "secret": "secret_token"
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret

Get Webhook Validation Module

Request
GET/endpoint_configurations/{id}/webhook_validation
Example Request
curl \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/webhook_validation
Response

Returns a 200 response on success

Example Response
{
  "enabled": true,
  "provider": "TWILIO",
  "secret": "secret_token"
}
Fields
enabled boolean true if the module will be applied to traffic, false to disable. default true if unspecified
provider string a string indicating which webhook provider will be sending webhooks to this endpoint. Value must be one of the supported providers: SLACK, SNS, STRIPE, GITHUB, TWILIO, SHOPIFY, GITLAB, INTERCOM.
secret string a string secret used to validate requests from the given provider. All providers except AWS SNS require a secret

Delete Webhook Validation Module

Request
DELETE/endpoint_configurations/{id}/webhook_validation
Example Request
curl \
-XDELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/endpoint_configurations/ec_1jE2ckVI6scnC63HXA7biyYzmgV/webhook_validation
Response

Returns a 204 response with no body on success