Basic Auth: Quick demos, dev sharing, internal tools
OAuth: Consumer-facing apps where users have Google/GitHub/etc. accounts
OIDC: Enterprise apps with a corporate identity provider
JWT: API-to-API authentication, machine-to-machine communication
Yes. Traffic Policy rules execute in order, so you can layer authentication with other actions like rate limiting or IP restrictions.
Auth actions work on HTTP/HTTPS endpoints. For TCP or TLS endpoints, use mTLS or IP restrictions instead.
Authentication happens in ngrok's cloud before traffic reaches your agent or upstream service. Invalid requests never touch your infrastructure.
Check the Traffic Inspector in your ngrok dashboard to see request details, including which policy rules matched and why requests were denied.
Jan 6, 2026: We updated this blog post with new instructions on adding various auth methods with Traffic Policy.
Not every app fits the standard auth model of user registration, login forms,
and password resets. Maybe you’re running a quick demo, working with a legacy
system you can’t modify, or just need to lock something down fast.
ngrok’s Traffic Policy system lets you
add authentication to any endpoint in minutes and without touching your
application code.
Let’s walk through how to use Traffic Policy for Basic Auth, OAuth, OpenID
Connect, and JWT validation.
What is Traffic Policy?
Traffic Policy is ngrok’s configuration language for managing traffic at our
cloud. You write rules in YAML that filter, validate, and route requests before
they reach your upstream service. Each rule has:
Expressions that match specific conditions (like checking a header or
email domain)
Actions that execute when conditions match (like denying access or
validating a JWT)
You can chain multiple rules together. For authentication, this means you can
validate tokens, restrict access by email domain, and add rate limiting all in
one policy file.
HTTP Basic Auth
The simplest form of authentication that visitors for a username and password
before granting access.
Create a YAML file (policy.yaml) with the following Traffic Policy rule:
Basic Auth is great for one-off demos or sharing local work with a co-worker.
For production, move to a more secure method.
OAuth 2.0
OAuth lets users authenticate with their existing credentials from providers
like Google, GitHub, or Microsoft. They don’t need to use a password, you don’t
have to manage them, and ngrok manages the provider infrastructure so you don’t
have to set one up yourself.
1on_http_request:⋯2 - actions:⋯3 - type: oauth⋯4 config:⋯5 provider: google
When a user accesses your endpoint, they’re redirected to Google to
authenticate, then back to your app. ngrok passes identity information as
headers:
1Ngrok-Auth-User-Email: user@example.com2Ngrok-Auth-User-Id: 1025286123459980489473Ngrok-Auth-User-Name: Jane Developer
To restrict access to specific email domains, add an expression that denies
requests authenticated with any email that does not end with
your-company.com:
Invalid tokens get rejected before hitting your backend. You can also combine
JWT validation with rate limiting keyed to the token for per-consumer limits.
For additional access control, you can also use IP
restrictions to
allowlist trusted sources or
mTLS for
certificate-based authentication on TLS endpoints.