ngrok provides multiple layers of security for your device fleet, from credential management to network-level access controls and compliance certifications.

Credential management

Each device or site gets its own authtoken scoped with ACL bindings. If one token is compromised, revoke it immediately without affecting the rest of your fleet. No physical access to the device is required for any of these operations.

IP restrictions

Limit access to your device endpoints to specific IP addresses or CIDR ranges using Traffic Policy. The following example shows an agent config that allows traffic only from a specific CIDR range:
ngrok.yml
endpoints:
  - name: device-api
    url: $YOUR_DOMAIN
    traffic_policy:
      on_http_request:
        - actions:
            - type: restrict-ips
              config:
                enforce: true
                allow:
                  - "203.0.113.0/24"
    upstream:
      url: 8080
      protocol: http1

Mutual TLS (mTLS)

For environments that require client certificate verification, ngrok supports mutual TLS. Only clients presenting a valid certificate can connect to your device endpoints. See the mTLS Termination documentation for configuration details.

Combining security controls

Layer multiple security controls on a single endpoint. For example, combine IP restrictions with OAuth authentication:
ngrok.yml
endpoints:
  - name: device-api
    url: $YOUR_DOMAIN
    traffic_policy:
      on_http_request:
        - actions:
            - type: restrict-ips
              config:
                enforce: true
                allow:
                  - "203.0.113.0/24"
            - type: oauth
              config:
                provider: google
    upstream:
      url: 8080
      protocol: http1
This example will work out of the box, but it uses ngrok’s managed OAuth application. This means you won’t be able to customize the provider’s authentication behavior. For full control, use your own OAuth application.
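
The following Python check is an added example, not ngrok code. It audits an endpoint definition shaped like the one above for an enforced restrict-ips action, parseable and reasonably narrow allow entries, and a layered oauth action, and it tests whether a given client address falls inside the allow list. The dict mirrors the YAML by hand, and the function names and the /16 breadth threshold are assumptions made for this example.

```python
import ipaddress

# Constructed input: the "Combining security controls" endpoint from this page,
# written as a Python dict so the example needs no YAML parser.
ENDPOINT = {
    "name": "device-api",
    "traffic_policy": {"on_http_request": [{"actions": [
        {"type": "restrict-ips",
         "config": {"enforce": True, "allow": ["203.0.113.0/24"]}},
        {"type": "oauth", "config": {"provider": "google"}},
    ]}]},
}

# Hypothetical review threshold (the size of a /16); not an ngrok limit.
MAX_ALLOWED_ADDRESSES = 65536


def _actions(endpoint):
    """Flatten every action under traffic_policy.on_http_request."""
    rules = endpoint.get("traffic_policy", {}).get("on_http_request", [])
    return [a for rule in rules for a in rule.get("actions", [])]


def audit_endpoint(endpoint):
    """Return review findings for one endpoint; an empty list means it passed."""
    actions, findings = _actions(endpoint), []
    ip_cfgs = [a.get("config", {}) for a in actions if a.get("type") == "restrict-ips"]
    if not ip_cfgs:
        findings.append("no restrict-ips action")
    for cfg in ip_cfgs:
        if cfg.get("enforce") is not True:
            findings.append("enforce is not set to true")
        for cidr in cfg.get("allow", []):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"unparseable allow entry: {cidr}")
                continue
            if net.num_addresses > MAX_ALLOWED_ADDRESSES:
                findings.append(f"allow entry too broad: {cidr}")
    if not any(a.get("type") == "oauth" for a in actions):
        findings.append("no oauth action layered with the IP restriction")
    return findings


def ip_in_allow_list(endpoint, client_ip):
    """True if client_ip matches an allow entry; run audit_endpoint first,
    because an unparseable entry raises ValueError here."""
    addr = ipaddress.ip_address(client_ip)
    cidrs = [c for a in _actions(endpoint) if a.get("type") == "restrict-ips"
             for c in a.get("config", {}).get("allow", [])]
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
```

Running `audit_endpoint` over every endpoint in a fleet's generated configs before rollout catches an allow list that was widened or an `enforce` flag that was switched off during debugging.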

Compliance

ngrok maintains certifications and controls to help you pass your security review:

| Certification | Details |
| --- | --- |
| SOC 2 Type II | Independently audited |
| HIPAA & BAA | Business Associate Agreements available |
| GDPR | EU data protection compliance |
| CCPA | California consumer privacy |
| EU-US DPF | Data Privacy Framework |

Additional security features include RBAC, SSO & SCIM, audit logs, DDoS protection, and data residency options. Visit the ngrok Trust Center for details.

Where does traffic travel?

When a device connects, the ngrok agent opens an outbound TLS connection to the ngrok edge. Traffic from your cloud services or users flows through the ngrok edge and is forwarded to the device through this encrypted tunnel. By default, ngrok does not store or persist request bodies or response data. (The opt-in Traffic Inspector Full Capture mode does store request and response headers and bodies for debugging purposes.)
  • Encryption in transit: All traffic between the ngrok edge and the agent is encrypted with TLS.
  • Scoped access: Each endpoint exposes one specific service on the device—not the entire network behind it.
  • Data residency: Control where traffic is processed and available using Region pinning, which is offered on Pay-as-you-go plans and above.
Visit the ngrok Trust Center for audit reports, compliance documentation, and answers to security review questions.

Next steps

  • Traffic Policy: add authentication, rate limiting, and access control to your endpoints.
  • Fleet management: manage multi-tenancy and credentials at scale.
  • Full walkthrough: see security controls in action in a detailed example scenario.