
# Create

> Create a new tunnel authtoken credential. This authtoken credential can be used to start a new tunnel session. The response to this API call is the only time the generated token is available. If you need it for future use, you must save it securely yourself.




## OpenAPI

````yaml https://raw.githubusercontent.com/ngrok/ngrok-openapi/refs/heads/main/ngrok.yaml post /credentials
openapi: 3.0.0
info:
  title: ngrok OpenAPI
  version: 1.0.0
servers:
  - url: https://api.ngrok.com
security:
  - authentication: []
paths:
  /credentials:
    post:
      tags:
        - Credentials
      summary: Create
      description: >
        Create a new tunnel authtoken credential. This authtoken credential can
        be used to start a new tunnel session. The response to this API call is
        the only time the generated token is available. If you need it for
        future use, you must save it securely yourself.
      operationId: CredentialsCreate
      parameters:
        - $ref: '#/components/parameters/ngrokVersion'
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CredentialCreate'
      responses:
        '201':
          description: >
            Create a new tunnel authtoken credential. This authtoken credential
            can be used to start a new tunnel session. The response to this API
            call is the only time the generated token is available. If you need
            it for future use, you must save it securely yourself.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Credential'
components:
  parameters:
    ngrokVersion:
      name: ngrok-version
      in: header
      required: true
      schema:
        type: integer
        default: 2
  schemas:
    CredentialCreate:
      type: object
      properties:
        description:
          description: >
            human-readable description of who or what will use the credential to
            authenticate. Optional, max 255 bytes.
          type: string
        metadata:
          description: >
            arbitrary user-defined machine-readable data of this credential.
            Optional, max 4096 bytes.
          type: string
        acl:
          description: >
            optional list of ACL rules. If unspecified, the credential will have
            no restrictions. The only allowed ACL rule at this time is the
            `bind` rule. The `bind` rule allows the caller to restrict what
            domains, addresses, and labels the token is allowed to bind. For
            example, to allow the token to open a tunnel on example.ngrok.io
            your ACL would include the rule `bind:example.ngrok.io`. Bind rules
            for domains may specify a leading wildcard to match multiple domains
            with a common suffix. For example, you may specify a rule of
            `bind:*.example.com` which will allow `x.example.com`,
            `y.example.com`, `*.example.com`, etc. Bind rules for labels may
            specify a wildcard key and/or value to match multiple labels. For
            example, you may specify a rule of `bind:*=example` which will allow
            `x=example`, `y=example`, etc. A rule of `'*'` is equivalent to no
            acl at all and will explicitly permit all actions.
          type: array
          items:
            type: string
        owner_id:
          description: >
            If supplied at credential creation, ownership will be assigned to
            the specified User or Service User. Only admins may specify an owner
            other than themselves. Defaults to the authenticated User or Service
            User. Accepts one of: User ID, User email, or SCIM User ID.
          type: string
    Credential:
      type: object
      properties:
        id:
          description: |
            unique tunnel credential resource identifier
          type: string
        uri:
          description: |
            URI of the tunnel credential API resource
          type: string
        created_at:
          description: |
            timestamp when the tunnel credential was created, RFC 3339 format
          type: string
        description:
          description: >
            human-readable description of who or what will use the credential to
            authenticate. Optional, max 255 bytes.
          type: string
        metadata:
          description: >
            arbitrary user-defined machine-readable data of this credential.
            Optional, max 4096 bytes.
          type: string
        token:
          description: >
            the credential's authtoken that can be used to authenticate an ngrok
            agent. **This value is only available one time, on the API response
            from credential creation, otherwise it is null.**
          type: string
        acl:
          description: >
            optional list of ACL rules. If unspecified, the credential will have
            no restrictions. The only allowed ACL rule at this time is the
            `bind` rule. The `bind` rule allows the caller to restrict what
            domains, addresses, and labels the token is allowed to bind. For
            example, to allow the token to open a tunnel on example.ngrok.io
            your ACL would include the rule `bind:example.ngrok.io`. Bind rules
            for domains may specify a leading wildcard to match multiple domains
            with a common suffix. For example, you may specify a rule of
            `bind:*.example.com` which will allow `x.example.com`,
            `y.example.com`, `*.example.com`, etc. Bind rules for labels may
            specify a wildcard key and/or value to match multiple labels. For
            example, you may specify a rule of `bind:*=example` which will allow
            `x=example`, `y=example`, etc. A rule of `'*'` is equivalent to no
            acl at all and will explicitly permit all actions.
          type: array
          items:
            type: string
        owner_id:
          description: >
            If supplied at credential creation, ownership will be assigned to
            the specified User or Service User. Only admins may specify an owner
            other than themselves. Defaults to the authenticated User or Service
            User. Accepts one of: User ID, User email, or SCIM User ID.
          type: string
  securitySchemes:
    authentication:
      type: http
      scheme: bearer

````
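A client-side sketch of this call, added here as an example and not taken from ngrok's own code or SDKs: it builds the `POST /credentials` request from the spec above without sending it, refuses ACLs that would leave the authtoken unrestricted, and separates the one-time `token` from the fields that are safe to log. The function names, the refusal policy, the API key placeholder and the sample response are assumptions constructed for illustration.

```python
import json
import urllib.request

API_URL = "https://api.ngrok.com/credentials"  # server URL + path from the spec

# Constructed sample of a 201 response body; not real ngrok output.
SAMPLE_RESPONSE = json.dumps({
    "id": "cr_EXAMPLE", "description": "ci runner",
    "token": "EXAMPLE_TOKEN_NOT_REAL", "acl": ["bind:example.ngrok.io"],
})

def lint_acl(acl):
    """Return warnings for ACLs that are unrestricted or not bind rules."""
    if not acl:
        return ["no acl: credential will have no restrictions"]
    warnings = []
    for rule in acl:
        if rule == "*":
            warnings.append("rule '*' is equivalent to no acl at all")
        elif not rule.startswith("bind:") or rule == "bind:":
            warnings.append(f"unsupported rule {rule!r}: only bind rules are allowed")
    return warnings

def build_create_request(api_key, description, acl, metadata=""):
    """Build (but do not send) the request, enforcing the documented limits."""
    if len(description.encode()) > 255:
        raise ValueError("description exceeds 255 bytes")
    if len(metadata.encode()) > 4096:
        raise ValueError("metadata exceeds 4096 bytes")
    problems = lint_acl(acl)
    if problems:  # local least-privilege policy, not an API requirement
        raise ValueError("; ".join(problems))
    body = {"description": description, "metadata": metadata, "acl": acl}
    return urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={
            "Authorization": f"Bearer {api_key}",  # securitySchemes: http bearer
            "ngrok-version": "2",                  # required header parameter
            "Content-Type": "application/json",
        },
    )

def split_token(response_body):
    """Return (token, loggable_fields); the token is null on any later read."""
    cred = json.loads(response_body)
    token = cred.pop("token", None)
    return token, cred
```

Hand the returned token straight to a secret store and log only the second element of the `split_token` result.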