Skip to main content


Users are members of your Account that may log into the dashboard, start agents, create endpoints and access the API.

  • Users have one or more Credentials that they use to authenticate with the ngrok service.
  • Users are not uniquely owned by an account. A User may be a member of more than one account.
  • Users are subject to Role Based Access Control that allows you to restrict what actions Users may take within the account.
  • Whenever a User takes an action within an account, the corresponding Event will attribute the event to the User by recording it as the Principal.

Dashboard Access

Users may log into the ngrok dashboard. You may configure your account to restrict how users authenticate to the dashboard. ngrok supports dashboard authentication via an email and password, an IdP like GitHub or Google or your own Single Sign-On IdP like Okta or Azure AD.

Users may log into your ngrok Account's dashboard. Normally, users enter an email and password to log into the ngrok dashboard but you may configure your ngrok account to require additional factors or require SSO.

Bot Users, by contrast, may not log into the dashboard.


Users may add an additional authentication factor to protect their ngrok logins. At the moment, MFA only supports TOTP as an additional factor.

You may configure your ngrok account to enforce that all users have MFA enabled.

Single Sign-On

Users may also log in with a federated IdP via single sign-on. Your ngrok account may be configured to require the use of single sign-on for all of your users to log in. Consult the Single Sign-On documentation for additional details on configuring it.

IP Restrictions

In addition to the normal authentication factors required to log into the ngrok dashboard, you may also configure your ngrok account to further restrict dashboard access to a set of IP CIDR blocks.

Dashboard IP Restrictions should always be used in a warning mode first to test that you won't accidentally lock yourself out of your account if you restrict access to IPs that you can't use.

IP Restrictions can be configured manually on the ngrok dashboard or programmatically via API with a type of dashboard.


Users own one or more credentials that enable them to start Agents and make API requests.

Credentials are assigned an owner when they are created and the owner cannot be changed. All Credentials have a Principal owner which is either a User or a Bot User.

Credentials are Authtokens, API Keys and SSH Public Keys.


You may 'disable' users in your account. When a User is disabled it cannot log into the dashboard, start an ngrok agent or make API requests. All of its Credentials remain but cannot be used. A User may be re-enabled at any time.

Users may disabled and enabled Administrators or Team Managers.


When a User is deleted from an account, all of its Credentials for that account are revoked and any agents using them will stop working. If you have an automated process or agent using ngrok, use a Bot User instead.

When you delete a User from your account, keep in mind that that the User itself is not deleted, it is only removed from the Account. It may continue to use and access other Accounts it is a member of.

Users may deleted by Administrators or Team Managers.


Provisioning is about how you add new users to your account. You may configure your ngrok account with your preferred provisioning method on your Account Settings page. By default, you provision new users by inviting them to join your Account with Invitations.

If you have configured SSO, you may also add users to your account via SCIM or JIT provisioning.


Invitations are the default user provisioning mechanism. You invite new users by email address. They must log in or sign up with that email address to accept the invitation. When you issue the invitation, if you are using RBAC you may also choose the permissions they will receive when they join the account by accepting the invitation.


If you have configured a federated SSO IdP on your account, you may configure Just-in-Time (JIT) provisioning. When JIT provisioning is enabled, if a user signs in with your configured IdP and they do not have a matching ngrok User, one will automatically be provisioned for them the first time they log in and it that user will be added as a member of your account.

Users who are JIT provisioned are always assigned a Read/Write Developer role and an Invite Team role.


If you have configured a federated SSO IdP on your account, you may configure SCIM provisioning. When SCIM provisioning is enabled, the IdP is responsible for making calls to ngrok's SCIM API

Users provisioned by SCIM are always assigned a Read/Write Developer role and an Invite Team role.

Users provisioned by SCIM are not permitted to change their name or email address because it is managed by the IdP.

Consult the SCIM documentation for additional details.