create_address
Reserve TCP Address
Reserve a new TCP address for non-HTTP traffic. The hostname and port are assigned by ngrok and cannot be chosen. Useful for SSH, database connections, or other TCP services.
create_address
Reserve a new TCP address for non-HTTP traffic. The hostname and port are assigned by ngrok and cannot be chosen. Useful for SSH, database connections, or other TCP services.
get_domain
Retrieve details of a specific reserved domain by its ID. Returns the full domain configuration including certificate and DNS settings.
delete_ip_policy_rule
Remove a CIDR rule from an IP policy.
update_domain
Update an existing reserved domain's description, metadata, or certificate configuration.
create_certificate_authority
Upload a CA certificate for mutual TLS authentication. The CA will be used to verify client certificates presented during mTLS connections.
get_event_subscription
Retrieve details of a specific event subscription including its sources and destinations.
update_ip_policy
Update an IP policy's description or metadata.
create_ssh_certificate_authority
Create a new SSH certificate authority key pair for signing SSH host and user certificates.
list_ssh_certificate_authorities
List all SSH certificate authorities. SSH CAs are key pairs used to sign SSH host and user certificates.
create_event_subscription
Create an event subscription to capture audit or traffic events. Specify which event types to capture (sources) and where to send them (destination IDs). Create event destinations first using the "Create Event Destination" tool. Common audit event types: `api_key_created.v0`, `ip_policy_created.v0`, `ip_policy_updated.v0` Common traffic event types: `http_request_complete.v0`, `tcp_connection_closed.v0`
list_domains
List all reserved domains on your ngrok account. Reserved domains are hostnames you can listen for HTTP, HTTPS, or TLS traffic on. Supports pagination.
restart_tunnel_session
Restart an ngrok agent tunnel session. Uses exec() to restart the agent process. Not supported on Windows agents.
create_domain
Reserve a new domain (hostname) for receiving HTTP, HTTPS, or TLS traffic. You can use your own domain by creating a CNAME record. Optionally configure automatic TLS certificate management via Let's Encrypt or attach a custom certificate.
delete_api_key
Delete an API key. Requests using this key will no longer be authenticated.
list_ssh_credentials
List all SSH public keys registered for tunnel authentication. SSH credentials authorize SSH reverse tunnel connections.
create_event_destination
Create an event destination for publishing captured events. The target must be exactly one of: **kinesis**, **firehose**, **cloudwatch_logs**, **datadog**, or **azure_logs_ingestion**. Each target type has its own configuration format.
create_vault
Create a new vault to organize secrets. Secrets can then be stored within the vault.
update_api_key
Update an API key's description or metadata.
create_ip_policy
Create a new IP policy. After creating a policy, add CIDR rules to it using the "Add IP Policy Rule" tool, then apply the policy to restrict access to endpoints, API, agent connections, or the dashboard.
delete_certificate_authority
Delete a certificate authority. It must not be in use by any mTLS module.
delete_ip_policy
Delete an IP policy and all its associated rules.
get_tunnel
Retrieve details of a specific active tunnel, including its public URL, protocol, and where it forwards traffic.
list_tunnels
List all active tunnels. Tunnels are created by running ngrok agents and provide public endpoints to access your local services. This is a read-only listing.
list_event_destinations
List all event destinations. Destinations define where captured events are published (CloudWatch Logs, Kinesis, Firehose, Datadog, or Azure Logs Ingestion).
get_endpoint
Retrieve details of a specific endpoint by ID, including its traffic routing configuration and associated tunnel or domain.
get_credential
Retrieve details of a specific tunnel credential (authtoken) by ID.
list_secrets
List all secrets across all vaults. Secret values are not returned in the listing.
delete_domain
Release a reserved domain. The domain will no longer receive traffic and will become available for re-reservation.
get_api_key
Retrieve details of a specific API key. Note: the token value is only available at creation time.
delete_vault
Delete a vault and all secrets it contains.
create_secret
Create a new secret in a vault. Secrets store sensitive values used across your ngrok resources.
list_addresses
List all reserved TCP addresses. Reserved addresses provide stable TCP endpoints for non-HTTP services like SSH or databases. The hostname and port are assigned by ngrok.
update_credential
Update a tunnel credential's description, metadata, or ACL rules.
list_ip_policies
List all IP policies. IP policies are reusable groups of CIDR ranges with allow or deny actions that can restrict access to your API, agent connections, or endpoints.
delete_tls_certificate
Delete a TLS certificate. It must be detached from all domains first.
create_api_key
Create a new API key for authenticating with the ngrok API. **Important:** The token value is only returned once at creation time — save it immediately.
create_ssh_credential
Register an SSH public key for tunnel authentication. The key can optionally be restricted with ACL bind rules.
delete_address
Release a reserved TCP address. It will no longer receive traffic.
delete_ssh_certificate_authority
Delete an SSH certificate authority. Certificates signed by this CA will no longer be valid.
get_bot_user
Retrieve details of a specific bot user (service account) by ID.
delete_secret
Delete a secret from its vault.
delete_event_subscription
Delete an event subscription. Events will no longer be captured and published.
update_secret
Update a secret's name, value, description, or metadata.
get_address
Retrieve details of a specific reserved TCP address by its ID.
create_endpoint
Create a new cloud endpoint with a URL and optional traffic policy. Cloud endpoints allow you to route traffic without running an ngrok agent.
update_event_subscription
Update an event subscription's sources, destinations, description, or metadata.
list_event_subscriptions
List all event subscriptions. Event subscriptions capture audit and traffic events and publish them to configured destinations (CloudWatch, Kinesis, Firehose, Datadog, or Azure Logs).
create_credential
Create a new tunnel credential (authtoken) for ngrok agent authentication. **Important:** The token value is only returned at creation time. Optionally restrict the token with ACL bind rules.
list_tls_certificates
List all uploaded TLS certificates. TLS certificates can be attached to reserved domains to terminate TLS traffic.
list_endpoints
List all active endpoints. Endpoints define how traffic is routed to your services. Only active endpoints associated with a tunnel or backend are returned.
list_tunnel_sessions
List all active tunnel sessions. Sessions represent running ngrok agent or SSH reverse tunnel connections. Each session can include multiple tunnels.
update_vault
Update a vault's name, description, or metadata.
stop_tunnel_session
Stop an ngrok agent tunnel session. This will terminate all tunnels associated with the session.
create_ip_policy_rule
Add a CIDR rule to an IP policy. Each rule specifies a CIDR range and whether to allow or deny traffic from that range.
list_api_keys
List all API keys for your ngrok account. API keys authenticate requests to the ngrok REST API.
delete_endpoint
Delete a cloud endpoint. This will stop routing traffic to this endpoint.
upload_tls_certificate
Upload a TLS certificate and private key pair. The certificate must be PEM-encoded with the leaf certificate first. After upload, attach to a reserved domain.
delete_credential
Delete a tunnel credential. Agents using this authtoken will no longer be able to connect.
create_bot_user
Create a new bot user (service account) for programmatic API access. After creation, assign API keys or authtokens to the bot user.
update_address
Update the description or metadata of a reserved TCP address.
list_bot_users
List all bot users (service accounts). Bot users provide programmatic API access separate from human user accounts. API keys and authtokens can be assigned to bot users.
list_certificate_authorities
List all certificate authorities (CAs) used for mutual TLS (mTLS) authentication. CAs verify that client TLS certificates were signed by a trusted authority.
delete_ssh_credential
Delete an SSH credential. SSH connections using this key will no longer be authenticated.
update_bot_user
Update a bot user's name or active status.
update_endpoint
Update an existing endpoint's URL, traffic policy, description, metadata, or bindings.
get_ip_policy
Retrieve details of a specific IP policy by ID.
list_ip_policy_rules
List all IP policy rules across all policies. Rules are individual CIDR entries with allow or deny actions.
get_tls_certificate
Retrieve details of a specific TLS certificate including subject, validity, and issuer information.
delete_event_destination
Delete an event destination. It must not be referenced by any event subscription.
delete_bot_user
Delete a bot user. All API keys and authtokens owned by this bot user will be revoked.
list_credentials
List all tunnel credentials (authtokens). Authtokens authorize ngrok agents to connect to the ngrok service. ACL rules can restrict which domains, addresses, or labels each token can bind.
list_vaults
List all vaults. Vaults organize secrets used across your ngrok resources.
Manage ngrok's globally distributed gateway for secure application connectivity. Create and manage endpoints, tunnels, and traffic routing. Reserve custom domains and TCP addresses for exposing services. Manage TLS certificates, SSH credentials, and certificate authorities for secure connections. Configure IP policies to restrict access with allow/deny CIDR rules. Manage API keys, tunnel authtokens, and bot service accounts. Set up event subscriptions to export audit and traffic logs to destinations like AWS CloudWatch, Kinesis, Firehose, Azure Logs Ingestion, and Datadog. Manage secrets and vaults for sensitive configuration data.
Common questions about connecting Ngrok to AI agents with Metorial.