Skip to main content

HTTP Variables

Action Result Variables

The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.

Add Headers

  • actions.ngrok.add_headers.headers_addedobject

    Map of headers that were added by the action.

Compress Response

  • actions.ngrok.compress.already_compressedboolean

    Indicates whether the body was already compressed before the action was applied. Returns true if no further compression was performed.

  • actions.ngrok.compress.negotiated_algorithmstring

    The compression algorithm selected and applied by the action, based on the client's request and action configuration.

JWT Validation

  • actions.ngrok.jwt_validation.tokensarray of objects

    The list of JSON Web Tokens (JWTs) processed by the action.

  • actions.ngrok.jwt_validation.error.codestring

    A machine-readable code describing an error that occurred during the action's execution.

  • actions.ngrok.jwt_validation.error.messagestring

    A human-readable message providing details about an error that occurred during the action's execution.

Log

  • actions.ngrok.log.metadataobject

    A key-value map containing metadata that was logged during the action. Each key represents a metadata attribute, and the value provides its corresponding details.

Rate Limit

  • actions.ngrok.rate_limit.bucket_keystring

    The key used for bucketing requests. This is the key used to group and track requests in the rate-limiting process, ensuring that the same bucket is subject to the rate limit across multiple requests.

  • actions.ngrok.rate_limit.limitedboolean

    Indicates whether the request was limited by the rate limit. If true, the request was rate-limited based on the configured limits for the specified bucket.

  • actions.ngrok.rate_limit.error.codestring

    A machine-readable code describing an error that occurred during the action's execution.

  • actions.ngrok.rate_limit.error.messagestring

    A human-readable message providing details about an error that occurred during the action's execution.

Redirect

  • actions.ngrok.redirect.matchesarray of strings

    A list of elements that were matched during redirection. These represent the request components (e.g., path or query parameters) that triggered the action and resulted in the redirect.

  • actions.ngrok.redirect.urlstring

    The URL to which the traffic was redirected. This is the destination URL returned as part of the redirect response after the action was executed.

  • actions.ngrok.redirect.error.codestring

    A machine-readable code describing an error that occurred during the action's execution.

  • actions.ngrok.redirect.error.messagestring

    A human-readable message providing details about an error that occurred during the action's execution.

Remove Headers

  • actions.ngrok.remove_headers.headers_removedarray of strings

    A list of headers that were successfully removed by the action.

Restrict IPs

  • actions.ngrok.restrict_ips.actionstring

    The action taken for this request.

    • Possible values
    • allow - If the request was permitted.
    • deny - If the request was denied.

  • actions.ngrok.restrict_ips.matched_cidrstring

    The CIDR block that matched the incoming client's IP address. If no match was found, this value will be empty.

  • actions.ngrok.restrict_ips.error.codestring

    A machine-readable code describing an error that occurred during the action's execution.

  • actions.ngrok.restrict_ips.error.messagestring

    A human-readable message providing details about an error that occurred during the action's execution.

URL Rewrite

  • actions.ngrok.url_rewrite.matchesarray of strings

    List of elements that matched the URL before the rewrite action was applied. These can be specific parts of the URL, such as the domain, path, or query parameters, that were matched based on the action configuration.

  • actions.ngrok.url_rewrite.urlstring

    The final URL after the rewrite action has been applied. This is the new URL to which the original request is redirected after the specified modifications have been made.

  • actions.ngrok.url_rewrite.error.codestring

    A machine-readable code describing an error that occurred during the action's execution.

  • actions.ngrok.url_rewrite.error.messagestring

    A human-readable message providing details about an error that occurred during the action's execution.

Connection Variables

The following variables are available under the conn namespace:

NameTypeDescription
conn.bytes_inint64The number of bytes entering the endpoint from the client.
conn.bytes_outint64The number of bytes leaving an endpoint to the client.
conn.client_ipstringSource IP of the connection to the ngrok endpoint.
conn.client_portint32Source port of the connection to the ngrok endpoint.
conn.server_ipstringThe IP that this connection was established on.
conn.server_portint32The port that this connection was established on.
conn.server_regionstringThe ngrok PoP (Point of Presence) that this connection was established on and serviced through.
conn.ts.starttimestampTimestamp when the connection to ngrok was started.

conn.bytes_in

The number of bytes entering the endpoint from the client.

# snippet
---
expressions:
  - conn.bytes_in > 1000

conn.bytes_out

The number of bytes leaving an endpoint to the client.

# snippet
---
expressions:
  - conn.bytes_out > 1000

conn.client_ip

Source IP of the connection to the ngrok endpoint.

# snippet
---
expressions:
  - conn.client_ip in ['::1', '127.0.0.1']

conn.client_port

Source port of the connection to the ngrok endpoint.

# snippet
---
expressions:
  - conn.client_port == 80

conn.server_ip

The IP that this connection was established on.

# snippet
---
expressions:
  - conn.server_ip == '192.168.1.1'

conn.server_port

The port that this connection was established on.

# snippet
---
expressions:
  - conn.server_port == 80

conn.server_region

The ngrok PoP (Point of Presence) that this connection was established on and serviced through.

# snippet
---
expressions:
  - conn.server_region == 'eu'

conn.ts.start

Timestamp when the connection to ngrok was started.

# snippet
---
expressions:
  - conn.ts.start > timestamp('2023-12-31T00:00:00Z')

Connection Geo Variables

The following variables are available under the conn.geo namespace:

NameTypeDescription
conn.geo.citystringThe name of the city, in EN, where the conn.client_ip is likely to originate.
conn.geo.countrystringThe name of the country, in EN, where the conn.client_ip is likely to originate.
conn.geo.country_codestringThe two-letter ISO country code where the conn.client_ip is likely to originate.
conn.geo.latitudestringThe approximate latitude where the conn.client_ip is likely to originate.
conn.geo.longitudestringThe approximate longitude where the conn.client_ip is likely to originate.
conn.geo.radiusstringThe radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.
conn.geo.subdivisionstringThe name of the subdivision, in EN, where the conn.client_ip is likely to originate.

conn.geo.city

The name of the city, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - conn.geo.city == 'Strongsville'

conn.geo.country

The name of the country, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - conn.geo.country == 'United States'

conn.geo.country_code

The two-letter ISO country code where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - conn.geo.country_code != 'US'

conn.geo.latitude

The approximate latitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - double(conn.geo.latitude) >= 45.0

conn.geo.longitude

The approximate longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - double(conn.geo.longitude) <= -93.0

conn.geo.radius

The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - conn.geo.radius <= '5'

conn.geo.subdivision

The name of the subdivision, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - conn.geo.subdivision == 'California'

Connection TLS Variables

The following variables are available under the conn.tls namespace:

NameTypeDescription
conn.tls.cipher_suitestringThe cipher suite selected during the TLS handshake.
conn.tls.snistringThe hostname included in the ClientHello message via the SNI extension.
conn.tls.versionstringThe version of the TLS protocol used between the client and the ngrok edge.

conn.tls.cipher_suite

The cipher suite selected during the TLS handshake.

# snippet
---
expressions:
  - conn.tls.cipher_suite == 'TLS_AES_128_GCM_SHA256'

conn.tls.sni

The hostname included in the ClientHello message via the SNI extension.

# snippet
---
expressions:
  - conn.tls.sni == 'client.example.com'

conn.tls.version

The version of the TLS protocol used between the client and the ngrok edge.

# snippet
---
expressions:
  - conn.tls.version == '1.3'

Connection TLS Client Variables

The following variables are available under the conn.tls.client namespace:

NameTypeDescription
conn.tls.client.extensions[]ExtensionAdditional information added to the certificate.
conn.tls.client.extensions[i].idstringThe identifier (OID) that specifies the type of extension.
conn.tls.client.extensions[i].criticalboolTrue if the extension is critical.
conn.tls.client.extensions[i].value[]byteThe data for the extension.
conn.tls.client.issuerstringThe issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.issuer.common_namestringCommon name of the issuing authority, usually the domain name.
conn.tls.client.issuer.country[]stringCountry name(s) where the issuing authority is located.
conn.tls.client.issuer.locality[]stringLocality or city of the issuing authority.
conn.tls.client.issuer.organization[]stringName(s) of the organization that issued the certificate.
conn.tls.client.issuer.organizational_unit[]stringDivision of the organization responsible for the certificate.
conn.tls.client.issuer.postal_code[]stringPostal code of the issuing authority.
conn.tls.client.issuer.province[]stringProvince or state of the issuing authority.
conn.tls.client.issuer.street_address[]stringStreet address of the issuing authority.
conn.tls.client.sanstringSubject alternative names of the client certificate.
conn.tls.client.san.dns_names[]stringDNS names in the subject alternative names.
conn.tls.client.san.email_addresses[]stringEmail addresses in the subject alternative names.
conn.tls.client.san.ip_addresses[]stringIP addresses in the subject alternative names.
conn.tls.client.san.uris[]stringURIs in the subject alternative names.
conn.tls.client.serial_numberstringUnique identifier for the certificate.
conn.tls.client.signature_algorithmstringAlgorithm used to sign the certificate.
conn.tls.client.subjectstringThe entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.subject.common_namestringCommon name of the subject, usually the domain name.
conn.tls.client.subject.country[]stringCountry name(s) where the subject of the certificate is located.
conn.tls.client.subject.locality[]stringLocality or city where the subject is located.
conn.tls.client.subject.organization[]stringName(s) of the organization to which the subject belongs.
conn.tls.client.subject.organizational_unit[]stringDivision of the organization to which the subject belongs.
conn.tls.client.subject.postal_code[]stringPostal code where the subject is located.
conn.tls.client.subject.province[]stringProvince or state where the subject is located.
conn.tls.client.subject.street_address[]stringStreet address where the subject is located.
conn.tls.client.validity.not_aftertimestampExpiration date and time when the certificate is no longer valid.
conn.tls.client.validity.not_beforetimestampStart date and time when the certificate becomes valid.

conn.tls.client.extensions

Additional information added to the certificate.

# snippet
---
expressions:
  - size(conn.tls.client.extensions) > 0

conn.tls.client.extensions[i].id

The identifier (OID) that specifies the type of extension.

# snippet
---
expressions:
  - conn.tls.client.extensions[0].id == '2.5.29.15'

conn.tls.client.extensions[i].critical

True if the extension is critical.

# snippet
---
expressions:
  - conn.tls.client.extensions[0].critical

conn.tls.client.extensions[i].value

The data for the extension.

# snippet
---
expressions:
  - "conn.tls.client.extensions[0].value == b'\x03\x02\x05 '"

conn.tls.client.issuer

The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - conn.tls.client.issuer == 'CN=E1,O=Let's Encrypt,C=US'

conn.tls.client.issuer.common_name

Common name of the issuing authority, usually the domain name.

# snippet
---
expressions:
  - conn.tls.client.issuer.common_name == 'exampleca.com'

conn.tls.client.issuer.country

Country name(s) where the issuing authority is located.

# snippet
---
expressions:
  - conn.tls.client.issuer.country == ['US']

conn.tls.client.issuer.locality

Locality or city of the issuing authority.

# snippet
---
expressions:
  - conn.tls.client.issuer.locality == ['Mountain View']

conn.tls.client.issuer.organization

Name(s) of the organization that issued the certificate.

# snippet
---
expressions:
  - conn.tls.client.issuer.organization == ['Example CA']

conn.tls.client.issuer.organizational_unit

Division of the organization responsible for the certificate.

# snippet
---
expressions:
  - conn.tls.client.issuer.organizational_unit == ['Certification Authority
    Division']

conn.tls.client.issuer.postal_code

Postal code of the issuing authority.

# snippet
---
expressions:
  - conn.tls.client.issuer.postal_code == ['94043']

conn.tls.client.issuer.province

Province or state of the issuing authority.

# snippet
---
expressions:
  - conn.tls.client.issuer.province == ['California']

conn.tls.client.issuer.street_address

Street address of the issuing authority.

# snippet
---
expressions:
  - conn.tls.client.issuer.street_address == ['1234 Encryption Way']

conn.tls.client.san

Subject alternative names of the client certificate.

# snippet
---
expressions:
  - conn.tls.client.san == 'DNS:www.example.com, DNS:example.com, IP
    Address:192.168.1.1'

conn.tls.client.san.dns_names

DNS names in the subject alternative names.

# snippet
---
expressions:
  - conn.tls.client.san.dns_names == ['www.example.com', 'example.com']

conn.tls.client.san.email_addresses

Email addresses in the subject alternative names.

# snippet
---
expressions:
  - conn.tls.client.san.email_addresses == ['ngrok-email1@example.com',
    'ngrok-email2@example.com']

conn.tls.client.san.ip_addresses

IP addresses in the subject alternative names.

# snippet
---
expressions:
  - conn.tls.client.san.ip_addresses == ['192.168.1.1']

conn.tls.client.san.uris

URIs in the subject alternative names.

# snippet
---
expressions:
  - conn.tls.client.san.uris == ['https://example.com/example']

conn.tls.client.serial_number

Unique identifier for the certificate.

# snippet
---
expressions:
  - conn.tls.client.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'

conn.tls.client.signature_algorithm

Algorithm used to sign the certificate.

# snippet
---
expressions:
  - conn.tls.client.signature_algorithm == 'SHA256-RSA'

conn.tls.client.subject

The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - conn.tls.client.subject == 'CN=www.example.com'

conn.tls.client.subject.common_name

Common name of the subject, usually the domain name.

# snippet
---
expressions:
  - conn.tls.client.subject.common_name == 'www.example.com'

conn.tls.client.subject.country

Country name(s) where the subject of the certificate is located.

# snippet
---
expressions:
  - conn.tls.client.subject.country == ['US']

conn.tls.client.subject.locality

Locality or city where the subject is located.

# snippet
---
expressions:
  - conn.tls.client.subject.locality == ['Mountain View']

conn.tls.client.subject.organization

Name(s) of the organization to which the subject belongs.

# snippet
---
expressions:
  - conn.tls.client.subject.organization == ['Example Corp']

conn.tls.client.subject.organizational_unit

Division of the organization to which the subject belongs.

# snippet
---
expressions:
  - conn.tls.client.subject.organizational_unit == ['Web Services']

conn.tls.client.subject.postal_code

Postal code where the subject is located.

# snippet
---
expressions:
  - conn.tls.client.subject.postal_code == ['94043']

conn.tls.client.subject.province

Province or state where the subject is located.

# snippet
---
expressions:
  - conn.tls.client.subject.province == ['California']

conn.tls.client.subject.street_address

Street address where the subject is located.

# snippet
---
expressions:
  - conn.tls.client.subject.street_address == ['1234 Secure Blvd']

conn.tls.client.validity.not_after

Expiration date and time when the certificate is no longer valid.

# snippet
---
expressions:
  - conn.tls.client.validity.not_after == timestamp('2023-01-01T00:00:00Z')

conn.tls.client.validity.not_before

Start date and time when the certificate becomes valid.

# snippet
---
expressions:
  - conn.tls.client.validity.not_before == timestamp('2020-01-01T00:00:00Z')

Connection TLS Server Variables

The following variables are available under the conn.tls.server namespace:

NameTypeDescription
conn.tls.server.extensions[]ExtensionAdditional information added to the certificate.
conn.tls.server.extensions[i].idstringThe identifier that specifies the type of extension.
conn.tls.server.extensions[i].criticalboolTrue if the extension is critical.
conn.tls.server.extensions[i].value[]byteThe data for the extension.
conn.tls.server.issuerstringThe issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.issuer.common_namestringCommon name of the issuing authority, usually the domain name.
conn.tls.server.issuer.country[]stringCountry name(s) where the issuing authority is located.
conn.tls.server.issuer.locality[]stringLocality or city of the issuing authority.
conn.tls.server.issuer.organization[]stringName(s) of the organization that issued the certificate.
conn.tls.server.issuer.organizational_unit[]stringDivision of the organization responsible for the certificate.
conn.tls.server.issuer.postal_code[]stringPostal code of the issuing authority.
conn.tls.server.issuer.province[]stringProvince or state of the issuing authority.
conn.tls.server.issuer.street_address[]stringStreet address of the issuing authority.
conn.tls.server.sanstringSubject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.dns_names[]stringDNS names in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.email_addresses[]stringEmail addresses in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.ip_addresses[]stringIP addresses in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.uris[]stringURIs in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.serial_numberstringUnique identifier for the certificate.
conn.tls.server.signature_algorithmstringAlgorithm used to sign the certificate.
conn.tls.server.subjectstringThe entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.subject.common_namestringCommon name of the subject, usually the domain name.
conn.tls.server.subject.country[]stringCountry name(s) where the subject of the certificate is located.
conn.tls.server.subject.locality[]stringLocality or city where the subject is located.
conn.tls.server.subject.organization[]stringName(s) of the organization to which the subject belongs.
conn.tls.server.subject.organizational_unit[]stringDivision of the organization to which the subject belongs.
conn.tls.server.subject.postal_code[]stringPostal code where the subject is located.
conn.tls.server.subject.province[]stringProvince or state where the subject is located.
conn.tls.server.subject.street_address[]stringStreet address where the subject is located.
conn.tls.server.validity.not_aftertimestampExpiration date and time when the certificate is no longer valid.
conn.tls.server.validity.not_beforetimestampStart date and time when the certificate becomes valid.

conn.tls.server.extensions

Additional information added to the certificate.

# snippet
---
expressions:
  - size(conn.tls.server.extensions) > 0

conn.tls.server.extensions[i].id

The identifier that specifies the type of extension.

# snippet
---
expressions:
  - conn.tls.server.extensions[0].id == '2.5.29.15'

conn.tls.server.extensions[i].critical

True if the extension is critical.

# snippet
---
expressions:
  - conn.tls.server.extensions[0].critical

conn.tls.server.extensions[i].value

The data for the extension.

# snippet
---
expressions:
  - "conn.tls.server.extensions[0].value == b'\x03\x02\x05 '"

conn.tls.server.issuer

The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - conn.tls.server.issuer == 'CN=E1,O=Let's Encrypt,C=US'

conn.tls.server.issuer.common_name

Common name of the issuing authority, usually the domain name.

# snippet
---
expressions:
  - conn.tls.server.issuer.common_name == 'exampleca.com'

conn.tls.server.issuer.country

Country name(s) where the issuing authority is located.

# snippet
---
expressions:
  - conn.tls.server.issuer.country == ['US']

conn.tls.server.issuer.locality

Locality or city of the issuing authority.

# snippet
---
expressions:
  - conn.tls.server.issuer.locality == ['Mountain View']

conn.tls.server.issuer.organization

Name(s) of the organization that issued the certificate.

# snippet
---
expressions:
  - conn.tls.server.issuer.organization == ['Example CA']

conn.tls.server.issuer.organizational_unit

Division of the organization responsible for the certificate.

# snippet
---
expressions:
  - conn.tls.server.issuer.organizational_unit == ['Certification Authority
    Division']

conn.tls.server.issuer.postal_code

Postal code of the issuing authority.

# snippet
---
expressions:
  - conn.tls.server.issuer.postal_code == ['94043']

conn.tls.server.issuer.province

Province or state of the issuing authority.

# snippet
---
expressions:
  - conn.tls.server.issuer.province == ['California']

conn.tls.server.issuer.street_address

Street address of the issuing authority.

# snippet
---
expressions:
  - conn.tls.server.issuer.street_address == ['1234 Encryption Way']

conn.tls.server.san

Subject alternative names of the server certificate of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - conn.tls.server.san == 'DNS:www.example.com, DNS:example.com, IP
    Address:192.168.1.1'

conn.tls.server.san.dns_names

DNS names in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - conn.tls.server.san.dns_names == ['ngrok-dns.com', 'ngrok-dns2.com']

conn.tls.server.san.email_addresses

Email addresses in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - conn.tls.server.san.email_addresses == ['ngrok-email1@example.com',
    'ngrok-email2@example.com']

conn.tls.server.san.ip_addresses

IP addresses in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - conn.tls.server.san.ip_addresses == ['192.168.1.1']

conn.tls.server.san.uris

URIs in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - conn.tls.server.san.uris == ['https://example.com/example']

conn.tls.server.serial_number

Unique identifier for the certificate.

# snippet
---
expressions:
  - conn.tls.server.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'

conn.tls.server.signature_algorithm

Algorithm used to sign the certificate.

# snippet
---
expressions:
  - conn.tls.server.signature_algorithm == 'SHA256-RSA'

conn.tls.server.subject

The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - conn.tls.server.subject == 'CN=www.example.com'

conn.tls.server.subject.common_name

Common name of the subject, usually the domain name.

# snippet
---
expressions:
  - conn.tls.server.subject.common_name == 'ngrok-server.example.com'

conn.tls.server.subject.country

Country name(s) where the subject of the certificate is located.

# snippet
---
expressions:
  - conn.tls.server.subject.country == ['US']

conn.tls.server.subject.locality

Locality or city where the subject is located.

# snippet
---
expressions:
  - conn.tls.server.subject.locality == ['Mountain View']

conn.tls.server.subject.organization

Name(s) of the organization to which the subject belongs.

# snippet
---
expressions:
  - conn.tls.server.subject.organization == ['Example Corp']

conn.tls.server.subject.organizational_unit

Division of the organization to which the subject belongs.

# snippet
---
expressions:
  - conn.tls.server.subject.organizational_unit == ['Web Services']

conn.tls.server.subject.postal_code

Postal code where the subject is located.

# snippet
---
expressions:
  - conn.tls.server.subject.postal_code == ['94043']

conn.tls.server.subject.province

Province or state where the subject is located.

# snippet
---
expressions:
  - conn.tls.server.subject.province == ['California']

conn.tls.server.subject.street_address

Street address where the subject is located.

# snippet
---
expressions:
  - conn.tls.server.subject.street_address == ['1234 Secure Blvd']

conn.tls.server.validity.not_after

Expiration date and time when the certificate is no longer valid.

# snippet
---
expressions:
  - conn.tls.server.validity.not_after > timestamp('2023-01-01T00:00:00Z')

conn.tls.server.validity.not_before

Start date and time when the certificate becomes valid.

# snippet
---
expressions:
  - conn.tls.server.validity.not_before < timestamp('2020-01-01T00:00:00Z')

Endpoint Variables

The following variables are available under the endpoint namespace:

NameTypeDescription
endpoint.addrstringThe address for this endpoint.
endpoint.hoststringThe hostname for this endpoint.
endpoint.idstringThe endpoint that serviced this connection.
endpoint.portint32The port for this endpoint.
endpoint.protocolstringThe protocol for this endpoint. Current supported values are http, https, tcp, and tls.
endpoint.urlstringThe url for this endpoint.

endpoint.addr

The address for this endpoint.

# snippet
---
expressions:
  - endpoint.addr == 'my-subdomain.ngrok.app:443'

endpoint.host

The hostname for this endpoint.

# snippet
---
expressions:
  - endpoint.host == 'my-subdomain.ngrok.app'

endpoint.id

The id for this endpoint.

# snippet
---
expressions:
  - endpoint.id == 'ep_2iL8LRbQilSCKYjaslRoqBwJcfT'

endpoint.port

The port for this endpoint.

# snippet
---
expressions:
  - endpoint.port == 443

endpoint.protocol

The protocol for this endpoint. Current supported values are http, https, tcp, and tls.

# snippet
---
expressions:
  - endpoint.protocol == 'https'

endpoint.url

The url for this endpoint.

# snippet
---
expressions:
  - endpoint.url == 'https://my-subdomain.ngrok.app'

Request Variables

The following variables are available under the req namespace:

NameTypeDescription
req.content_encodinglist[string]The encodings set in the Content-Encoding header for this request.
req.content_lengthint64The content length of the body in bytes. This may not be present if the request does not contain a body or if the client does not specify a content length because they are streaming the body.
req.content_typestringThe media type set in the Content-Type header for this request.
req.content_type.parametersmap[string]stringThe parameters set in the Content-Type header for this request.
req.content_type.rawstringThe value of the Content-Type header for this request.
req.cookiesmap[string][]cookieThe HTTP cookie objects included in this request. If there are multiple cookies with the same name, they will be ordered as specified in the Cookie header.
req.cookies[k][i].namestringThe name of the cookie.
req.cookies[k][i].valuestringThe value of the cookie.
req.headersmap[string][]stringThe request headers parsed as a map of lower-case names to values.
req.hoststringThe value of the host header field for this request.
req.locationstringThe value of the Location header for this request.
req.methodstringThe method for this request.
req.trailersmap[string][]stringThe request trailers parsed as a map of lower-case names to values.
req.ts.body_receivedtimestampThe timestamp when ngrok received the body of the request. This may not be present if the request does not contain a body.
req.ts.header_receivedtimestampThe timestamp when ngrok received the header of the request.
req.urlstringThe normalized full URL for this request.
req.url.authoritystringThe authority portion of the URL.
req.url.hoststringThe hostname portion of the host for this request.
req.url.pathstringThe path for this request including the leading forward slash.
req.url.portint32The port portion of the URL. This may not be present if the URL does not explicitly specify a port.
req.url.querystringThe full query string for this request excluding the leading question mark.
req.url.query_paramsmap[string][]stringThe request query string parsed as a map of names to values.
req.url.rawstringThe un-normalized full URL for this request.
req.url.raw_pathstringThe un-normalized path including the leading slash for this request.
req.url.schemestringThe scheme for this request.
req.url.uristringThe URI (path and query) portion of the URL.
req.url.user_passwordstringThe user:password portion of the URL.
req.user_agentstringThe value of the User-Agent header for this request.
req.versionstringThe HTTP version for this request.

req.content_encoding

The encoding set in the Content-Encoding header for this request.

# snippet
---
expressions:
  - req.content_encoding[0] == 'br'

req.content_length

The content length of the body in bytes. This may not be present if the request does not contain a body or if the client does not specify a content length because they are streaming the body.

# snippet
---
expressions:
  - req.content_length > 10000000

req.content_type

The media type set in the Content-Type header for this request.

# snippet
---
expressions:
  - req.content_type == 'application/json'

req.content_type.parameters

The parameters set in the Content-Type header for this request.

# snippet
---
expressions:
  - req.content_type.parameters['charset'] == 'utf-8'

req.content_type.raw

The value of the Content-Type header for this request.

# snippet
---
expressions:
  - req.content_type.raw == 'application/json; charset=utf-8'

req.cookies

The HTTP cookie objects included in this request. If there are multiple cookies with the same name, they will be ordered as specified in the Cookie header.

# snippet
---
expressions:
  - size(req.cookies) > 0

req.cookies[k][i].name

The name of the cookie.

# snippet
---
expressions:
  - req.cookies['sessionId'][0].name == 'sessionId'

req.cookies[k][i].value

The value of the cookie.

# snippet
---
expressions:
  - req.cookies['sessionId'][0].value > 'value'

req.headers

The request headers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'Fizz' in req.headers['baz']"

req.host

The value of the host header field value for this request.

# snippet
---
expressions:
  - req.host == 'nba.com'

req.location

The value of the Location header for this request.

# snippet
---
expressions:
  - req.location == '/index.html'

req.method

The method for this request.

# snippet
---
expressions:
  - req.method == 'POST' || req.method == 'PUT'

req.trailers

The request trailers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'Fizz' in req.trailers['baz']"

req.ts.body_received

The timestamp when ngrok received the body of the request. This may not be present if the request does not contain a body.

# snippet
---
expressions:
  - req.ts.body_received > timestamp('2023-12-31T00:00:00Z')

req.ts.header_received

The timestamp when ngrok received the header of the request.

# snippet
---
expressions:
  - req.ts.header_received > timestamp('2023-12-31T00:00:00Z')

req.url

The normalized full URL for this request.

# snippet
---
expressions:
  - req.url == 'https://nba.com/')

req.url.authority

The authority portion of the URL.

# snippet
---
expressions:
  - req.url.authority == 'user:password@nba.com'

req.url.host

The hostname portion of the host for this request.

# snippet
---
expressions:
  - req.url.host == 'nba.com'

req.url.path

The path for this request including the leading forward slash.

# snippet
---
expressions:
  - req.url.path.startsWith('/foo')

req.url.port

The port portion of the URL. This may not be present if the URL does not explicitly specify a port.

# snippet
---
expressions:
  - req.url.port == 443

req.url.query

The full query string for this request excluding the leading question mark.

# snippet
---
expressions:
  - req.url.query == 'number=23&name=jordan'

req.url.query_params

The request query string parsed as a map of names to values.

# snippet
---
expressions:
  - "'bar' in req.url.query_params['foo']"

req.url.raw

The un-normalized full URL for this request.

# snippet
---
expressions:
  - req.url.raw.includes('/foo')

req.url.raw_path

The un-normalized path including the leading slash for this request.

# snippet
---
expressions:
  - req.url.raw_path.startsWith('/foo')

req.url.scheme

The scheme for this request.

# snippet
---
expressions:
  - req.url.scheme == 'https'

req.url.uri

The URI (path and query) portion of the URL.

# snippet
---
expressions:
  - req.url.uri.contains('/api/players?number=23&name=jordan')

req.url.user_password

The user:password portion of the URL.

# snippet
---
expressions:
  - req.url.user_password == 'user:password'

req.user_agent

The value of the User-Agent header for this request.

# snippet
---
expressions:
  - req.user_agent.contains('curl')

req.version

The HTTP version for this request.

# snippet
---
expressions:
  - req.version == 'HTTP/2.0

Response Variables

The following variables are available under the res namespace:

NameTypeDescription
res.content_encodinglist[string]The encoding set in the Content-Encoding header for this response.
res.content_lengthint64The length of the content associated with the response.
res.content_typestringThe media type set in the Content-Type header for this response.
res.content_type.parametersmap[string]stringThe parameters set in the Content-Type header for this response.
res.content_type.rawstringThe Content-Type header for this response as a string.
res.cookiesmap[string][]cookieThe HTTP cookie objects included in this response. If there are multiple cookies with the same name, they will be ordered by path length, with longest path first.
res.cookies[k][i].domainstringThe value of the Domain attribute of the cookie.
res.cookies[k][i].expirestimestampThe value of the Expires attribute of the cookie.
res.cookies[k][i].http_onlybooleanThe value of the HttpOnly attribute of the cookie.
res.cookies[k][i].max_agedurationThe value of the MaxAge attribute of the cookie.
res.cookies[k][i].namestringThe name of the cookie.
res.cookies[k][i].pathstringThe value of the Path attribute of the cookie.
res.cookies[k][i].same_sitestringThe value of the SameSite attribute of the cookie.
res.cookies[k][i].securebooleanThe value of the Secure attribute of the cookie.
res.cookies[k][i].unparsed_attributesmap[string]stringAny non-standard attributes of the cookie parsed as a map of names to values .
res.cookies[k][i].valuestringThe value of the cookie.
res.headersmap[string][]stringThe response headers parsed as a map of lower-case names to values.
res.locationstringThe Location header value of this response.
res.status_codeint32The status code of this response.
res.trailersmap[string][]stringThe response trailers parsed as a map of lower-case names to values.

res.content_encoding

The encoding set in the Content-Encoding header for this response.

# snippet
---
expressions:
  - res.content_encoding[0] == 'br'

res.content_length

The length of the content associated with the response.

# snippet
---
expressions:
  - res.content_length != 0

res.content_type

The media type set in the Content-Type header for this response.

# snippet
---
expressions:
  - res.content_type == 'application/json'

res.content_type.parameters

The parameters set in the Content-Type header for this response.

# snippet
---
expressions:
  - res.content_type.parameters['charset'] == 'utf-8'

res.content_type.raw

The Content-Type header for this response as a string.

# snippet
---
expressions:
  - res.content_type.raw == 'application/json; charset=utf-8'

res.cookies

The HTTP cookie objects included in this response. If there are multiple cookies with the same name, they will be ordered by path length, with longest path first.

# snippet
---
expressions:
  - size(res.cookies) > 0

res.cookies[k][i].domain

The value of the Domain attribute of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].domain == 'nba.com'

res.cookies[k][i].expires

The value of the Expires attribute of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].expires > timestamp(time.now)

res.cookies[k][i].http_only

The value of the HttpOnly attribute of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].http_only

res.cookies[k][i].max_age

The value of the MaxAge attribute of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].max_age > duration('24h')

res.cookies[k][i].name

The name of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].name == 'sessionId'

res.cookies[k][i].path

The value of the Path attribute of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].path == '/

res.cookies[k][i].same_site

The value of the SameSite attribute of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].same_site

res.cookies[k][i].secure

The value of the Secure attribute of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].secure

res.cookies[k][i].unparsed_attributes

Any non-standard attributes of the cookie parsed as a map of names to values.

# snippet
---
expressions:
  - size(res.cookies['sessionId'][0].unparsed_attributes) > 0

res.cookies[k][i].value

The value of the cookie.

# snippet
---
expressions:
  - res.cookies['sessionId'][0].value > 'value'

res.headers

The response headers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'Fizz' in res.headers['baz']"

res.location

The location header value of the response.

# snippet
---
expressions:
  - res.location == '/index.html'

res.status_code

The status code of this response.

# snippet
---
expressions:
  - res.status_code >= 300

res.trailers

The response trailers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'fizz' in res.trailers['baz']"

Time variables

The following variables are available under the time namespace:

NameTypeDescription
time.nowstringThe current UTC time in RFC3339 format.

time.now

The current UTC time in RFC3339 format.

# snippet
---
expressions:
  - conn.ts.end < timestamp(time.now)