Skip to main content

SSH Credentials


Create SSH Credential

Create a new ssh_credential from an uploaded public SSH key. This ssh credential can be used to start new tunnels via ngrok's SSH gateway.

Request

POST /ssh_credentials

Example Request

curl \
-X POST \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"for device #132","acl":["bind:1.tcp.ngrok.io:20002","bind:132.devices.company.com"],"public_key":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com"}' \
https://api.ngrok.com/ssh_credentials

Parameters

   
descriptionstringhuman-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadatastringarbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
aclList<string>optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
public_keystringthe PEM-encoded public key of the SSH keypair that will be used to authenticate
owner_idstringIf supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

Response

Returns a 201 response on success

Example Response

{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "for device #132",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}

Fields

   
idstringunique ssh credential resource identifier
uristringURI of the ssh credential API resource
created_atstringtimestamp when the ssh credential was created, RFC 3339 format
descriptionstringhuman-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadatastringarbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_keystringthe PEM-encoded public key of the SSH keypair that will be used to authenticate
aclList<string>optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
owner_idstringIf supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

Delete SSH Credential

Delete an ssh_credential by ID

Request

DELETE /ssh_credentials/{id}

Example Request

curl \
-X DELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o

Response

Returns a 204 response with no body on success

Get SSH Credential

Get detailed information about an ssh_credential

Request

GET /ssh_credentials/{id}

Example Request

curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o

Response

Returns a 200 response on success

Example Response

{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "my dev machine",
"metadata": "{\"hostname\": \"macbook.local\"}",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}

Fields

   
idstringunique ssh credential resource identifier
uristringURI of the ssh credential API resource
created_atstringtimestamp when the ssh credential was created, RFC 3339 format
descriptionstringhuman-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadatastringarbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_keystringthe PEM-encoded public key of the SSH keypair that will be used to authenticate
aclList<string>optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
owner_idstringIf supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

List SSH Credentials

List all ssh credentials on this account

Request

GET /ssh_credentials

Example Request

curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials

Response

Returns a 200 response on success

Example Response

{
"ssh_credentials": [
{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "for device #132",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}
],
"uri": "https://api.ngrok.com/ssh_credentials",
"next_page_uri": null
}

Fields

   
ssh_credentialsSSHCredentialthe list of all ssh credentials on this account
uristringURI of the ssh credential list API resource
next_page_uristringURI of the next page, or null if there is no next page

SSHCredential fields

   
idstringunique ssh credential resource identifier
uristringURI of the ssh credential API resource
created_atstringtimestamp when the ssh credential was created, RFC 3339 format
descriptionstringhuman-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadatastringarbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_keystringthe PEM-encoded public key of the SSH keypair that will be used to authenticate
aclList<string>optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
owner_idstringIf supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

Update SSH Credential

Update attributes of an ssh_credential by ID

Request

PATCH /ssh_credentials/{id}

Example Request

curl \
-X PATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"my dev machine","metadata":"{\"hostname\": \"macbook.local\"}"}' \
https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o

Parameters

   
idstring
descriptionstringhuman-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadatastringarbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
aclList<string>optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.

Response

Returns a 200 response on success

Example Response

{
"id": "sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2TMGIwCp3Yt0fv5eirB7M8D0h7o",
"created_at": "2023-07-31T23:17:39Z",
"description": "my dev machine",
"metadata": "{\"hostname\": \"macbook.local\"}",
"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
"acl": [
"bind:1.tcp.ngrok.io:20002",
"bind:132.devices.company.com"
],
"owner_id": "usr_2TMGG635o87KDP13PBjUDx2rzJY"
}

Fields

   
idstringunique ssh credential resource identifier
uristringURI of the ssh credential API resource
created_atstringtimestamp when the ssh credential was created, RFC 3339 format
descriptionstringhuman-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
metadatastringarbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
public_keystringthe PEM-encoded public key of the SSH keypair that will be used to authenticate
aclList<string>optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the bind rule. The bind rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule bind:example.ngrok.io. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of bind:*.example.com which will allow x.example.com, y.example.com, *.example.com, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of bind:*=example which will allow x=example, y=example, etc. A rule of '*' is equivalent to no acl at all and will explicitly permit all actions.
owner_idstringIf supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.