SSH Credentials
Create SSH Credential
Create a new ssh_credential from an uploaded public SSH key. This ssh credential can be used to start new tunnels via ngrok's SSH gateway.
Request
POST /ssh_credentials
Example Request
curl \
-X POST \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"for device #132","acl":["bind:1.tcp.ngrok.io:20002","bind:132.devices.company.com"],"public_key":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com"}' \
https://api.ngrok.com/ssh_credentials
Parameters
description | string | human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
public_key | string | the PEM-encoded public key of the SSH keypair that will be used to authenticate |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
Response
Returns a 201 response on success
Example Response
{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "for device #132",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}
Fields
id | string | unique ssh credential resource identifier |
uri | string | URI of the ssh credential API resource |
created_at | string | timestamp when the ssh credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes. |
public_key | string | the PEM-encoded public key of the SSH keypair that will be used to authenticate |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
Delete SSH Credential
Delete an ssh_credential by ID
Request
DELETE /ssh_credentials/{id}
Example Request
curl \
-X DELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o
Response
Returns a 204 response with no body on success
Get SSH Credential
Get detailed information about an ssh_credential
Request
GET /ssh_credentials/{id}
Example Request
curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o
Response
Returns a 200 response on success
Example Response
{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "my dev machine",
"metadata": "{\"hostname\": \"macbook.local\"}",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}
Fields
id | string | unique ssh credential resource identifier |
uri | string | URI of the ssh credential API resource |
created_at | string | timestamp when the ssh credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes. |
public_key | string | the PEM-encoded public key of the SSH keypair that will be used to authenticate |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
List SSH Credentials
List all ssh credentials on this account
Request
GET /ssh_credentials
Example Request
curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials
Response
Returns a 200 response on success
Example Response
{
"ssh_credentials": [
{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "for device #132",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}
],
"uri": "https://api.ngrok.com/ssh_credentials",
"next_page_uri": null
}
Fields
ssh_credentials | SSHCredential | the list of all ssh credentials on this account |
uri | string | URI of the ssh credential list API resource |
next_page_uri | string | URI of the next page, or null if there is no next page |
SSHCredential fields
id | string | unique ssh credential resource identifier |
uri | string | URI of the ssh credential API resource |
created_at | string | timestamp when the ssh credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes. |
public_key | string | the PEM-encoded public key of the SSH keypair that will be used to authenticate |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |
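An added example, not part of ngrok's documentation or code: a Python audit of one page of the List SSH Credentials response that applies the acl semantics described above to flag credentials with no ACL or a '*' rule, and those with wildcard bind rules. The sample response, its ids and the severity labels are constructed; treating an empty acl list the same as an unspecified one is an assumption.

```python
import json

# Constructed sample shaped like the List SSH Credentials response above;
# the ids and ACL values are made up for illustration.
SAMPLE_RESPONSE = json.loads("""
{"ssh_credentials": [
  {"id": "sshcr_EXAMPLE_scoped",
   "acl": ["bind:1.tcp.ngrok.io:20002", "bind:132.devices.company.com"]},
  {"id": "sshcr_EXAMPLE_wild", "acl": ["bind:*.example.com", "bind:*=example"]},
  {"id": "sshcr_EXAMPLE_star", "acl": ["bind:example.ngrok.io", "*"]},
  {"id": "sshcr_EXAMPLE_noacl"}
 ],
 "uri": "https://api.ngrok.com/ssh_credentials", "next_page_uri": null}
""")


def classify_rule(rule):
    """Classify one ACL rule string per the acl field description."""
    if rule == "*":
        return "allow-all"            # documented as equivalent to no ACL
    if not rule.startswith("bind:"):
        return "unknown"              # bind is the only documented rule type
    target = rule[len("bind:"):]
    if "=" in target:                 # label rule: key=value
        key, _, value = target.partition("=")
        return "wildcard" if "*" in (key, value) else "exact"
    # Domain or address rule; only a leading wildcard is documented.
    return "wildcard" if target.startswith("*.") else "exact"


def audit(response):
    """Return {credential id: (severity, reason)} for one page of results."""
    findings = {}
    for cred in response["ssh_credentials"]:
        # Assumption: a missing, null or empty acl all mean "unspecified".
        kinds = [classify_rule(r) for r in cred.get("acl") or []]
        if not kinds or "allow-all" in kinds:
            findings[cred["id"]] = ("high", "unrestricted: may bind anything")
        elif "unknown" in kinds:
            findings[cred["id"]] = ("review", "unrecognized rule type")
        elif "wildcard" in kinds:
            findings[cred["id"]] = ("medium", "wildcard bind rule")
        else:
            findings[cred["id"]] = ("ok", "exact bind rules only")
    return findings


if __name__ == "__main__":
    for cred_id, (severity, reason) in audit(SAMPLE_RESPONSE).items():
        print(f"{severity:7} {cred_id}  {reason}")
```

For accounts with more than one page of credentials, run audit on each page reached by following next_page_uri until it is null.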
Update SSH Credential
Update attributes of an ssh_credential by ID
Request
PATCH /ssh_credentials/{id}
Example Request
curl \
-X PATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"my dev machine","metadata":"{\"hostname\": \"macbook.local\"}"}' \
https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o
Parameters
id | string | |
description | string | human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes. |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
Response
Returns a 200 response on success
Example Response
{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "my dev machine",
"metadata": "{\"hostname\": \"macbook.local\"}",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}
Fields
id | string | unique ssh credential resource identifier |
uri | string | URI of the ssh credential API resource |
created_at | string | timestamp when the ssh credential was created, RFC 3339 format |
description | string | human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes. |
metadata | string | arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes. |
public_key | string | the PEM-encoded public key of the SSH keypair that will be used to authenticate |
acl | List<string> | optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions. |
owner_id | string | If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot. |