
# Fleet Management

> Manage credentials, multi-tenancy, and observability across thousands of devices with ngrok.

ngrok is built for managing connectivity across large device fleets.
Every operation is available via API, so you can wire ngrok into your existing pipeline and manage your entire fleet programmatically.

## Centralized control

Run a single ngrok account and isolate each customer or site with:

* **Per-device auth tokens** scoped with [ACL bindings](/guides/site-to-site-connectivity/authtoken-acls) so each token can only create endpoints on its assigned domain
* **Wildcard domains** for unique URLs per site (e.g., `*.factory.example.com`)
* **[Service Users](/iam/service-users/)** to create authtokens independent of any user account

```bash
# Create a Service User for a specific site
curl -X POST https://api.ngrok.com/bot_users \
  -H "Authorization: Bearer <NGROK_API_KEY>" \
  -H "Content-Type: application/json" \
  -H "Ngrok-Version: 2" \
  -d '{"name":"Factory 1 Service User"}'
```

Then create an authtoken for that Service User with an ACL binding that restricts it to endpoints on `factory1.example.com`.

## Credential management

Create, scope, rotate, and revoke authtokens from your cloud without physical access to devices:

* **Create** tokens via the [Authtokens API](/api-reference/credentials/)
* **Scope** tokens with ACL bindings to limit which endpoints they can create
* **Rotate** tokens by creating a new token and revoking the old one
* **Revoke** a compromised token immediately without affecting other devices

If one token is compromised, only that device or site is affected, not your entire fleet.
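
The rotation step above, combined with the ACL-bound token for a Service User, as an added example (not ngrok's own code). It assumes the `/credentials` endpoint of the Authtokens API with its `owner_id` and `acl` (`bind:` rule) fields; `deliver` is a hypothetical hook that pushes the new token to the device, and `transport` is a parameter introduced here so the flow can be exercised without network access.

```python
import json
import urllib.request

API = "https://api.ngrok.com"

def api_request(api_key, method, path, body=None):
    """Build (not send) an ngrok API request with the headers used on this page."""
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(
        API + path, data=data, method=method,
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Ngrok-Version": "2",
        },
    )

def send(req):
    """Default transport: perform the HTTPS call and decode the JSON reply, if any."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def scoped_credential(api_key, owner_id, domain, description):
    """Request for an authtoken that may only create endpoints on `domain`."""
    return api_request(api_key, "POST", "/credentials", {
        "description": description,
        "owner_id": owner_id,        # id returned when the Service User was created
        "acl": [f"bind:{domain}"],   # ACL binding: restrict the token to this domain
    })

def rotate(api_key, owner_id, domain, old_credential_id, deliver, transport=send):
    """Create the replacement, hand it to the device, then revoke the old token."""
    new = transport(scoped_credential(api_key, owner_id, domain, f"rotated token for {domain}"))
    # deliver() is a hypothetical hook: push new["token"] to the device and
    # return True only once the agent has reconnected with it.
    if not deliver(new["token"]):
        # Roll back so an undelivered secret does not stay valid.
        transport(api_request(api_key, "DELETE", f"/credentials/{new['id']}"))
        raise RuntimeError("device did not accept new token; old token left active")
    transport(api_request(api_key, "DELETE", f"/credentials/{old_credential_id}"))
    return new["id"]
```

Revoking the old token only after the device confirms the new one avoids locking a remote device out mid-rotation; for a token known to be compromised, revoke first and accept the outage.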

## On-demand tunnels

Fire up endpoints when you need them and wind them down when you don't.
On Pay-as-you-go plans, billing is per active endpoint hour—one where traffic is actually flowing—so you only pay when a device is in use.

Use the [ngrok API](/api/) or the [Agent API](/agent/api/) to manage tunnel lifecycle programmatically from your cloud.

## Observability

Publish tunnel status, connection events, and traffic metrics to your telemetry platform.
When a device drops, you'll know before anyone files a ticket.

* Use [Event Subscriptions](/obs/events/) to stream events to your logging infrastructure
* Monitor agent status and tunnel health via the [ngrok API](/api/)

## Next steps

* [Full walkthrough](/guides/device-gateway/agent): see multi-tenancy and credential management in action
* [Security](/guides/device-gateway/security): credential rotation, IP restrictions, and compliance
* [Python SDK guide](/guides/device-gateway/sdk): manage device connectivity programmatically with the SDK
