SSH Credentials

Create SSH Credential

Create a new ssh_credential from an uploaded public SSH key. This ssh credential can be used to start new tunnels via ngrok's SSH gateway.

Request

POST /ssh_credentials

Example Request

curl \
-X POST \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"acl":["bind:1.tcp.ngrok.io:20002","bind:132.devices.company.com"],"description":"for device #132","public_key":"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com"}' \
https://api.ngrok.com/ssh_credentials

Parameters

Name	Type	Description
`description`	string	human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
`metadata`	string	arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
`acl`	List<string>	optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the `bind` rule. The `bind` rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule `bind:example.ngrok.io`. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of `bind:.example.com` which will allow `x.example.com`, `y.example.com`, `.example.com`, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of `bind:=example` which will allow `x=example`, `y=example`, etc. A rule of `''` is equivalent to no acl at all and will explicitly permit all actions.
`public_key`	string	the PEM-encoded public key of the SSH keypair that will be used to authenticate
`owner_id`	string	If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

Response

Returns a 201 response on success

Example Response

{
	"acl": ["bind:1.tcp.ngrok.io:20002", "bind:132.devices.company.com"],
	"created_at": "2024-06-14T06:03:58Z",
	"description": "for device #132",
	"id": "sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf",
	"owner_id": "usr_2hrGw33K0y2LziI8zHGX8ilMTYX",
	"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
	"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf"
}

Fields

Name	Type	Description
`id`	string	unique ssh credential resource identifier
`uri`	string	URI of the ssh credential API resource
`created_at`	string	timestamp when the ssh credential was created, RFC 3339 format
`description`	string	human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
`metadata`	string	arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
`public_key`	string	the PEM-encoded public key of the SSH keypair that will be used to authenticate
`acl`	List<string>	optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the `bind` rule. The `bind` rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule `bind:example.ngrok.io`. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of `bind:.example.com` which will allow `x.example.com`, `y.example.com`, `.example.com`, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of `bind:=example` which will allow `x=example`, `y=example`, etc. A rule of `''` is equivalent to no acl at all and will explicitly permit all actions.
`owner_id`	string	If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

Delete SSH Credential

Delete an ssh_credential by ID

Request

DELETE /ssh_credentials/{id}

Example Request

curl \
-X DELETE \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf

Response

Returns a 204 response with no body on success

Get SSH Credential

Get detailed information about an ssh_credential

Request

GET /ssh_credentials/{id}

Example Request

curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials/sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf

Response

Returns a 200 response on success

Example Response

{
	"acl": ["bind:1.tcp.ngrok.io:20002", "bind:132.devices.company.com"],
	"created_at": "2024-06-14T06:03:58Z",
	"description": "my dev machine",
	"id": "sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf",
	"metadata": "{\"hostname\": \"macbook.local\"}",
	"owner_id": "usr_2hrGw33K0y2LziI8zHGX8ilMTYX",
	"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
	"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf"
}

Fields

Name	Type	Description
`id`	string	unique ssh credential resource identifier
`uri`	string	URI of the ssh credential API resource
`created_at`	string	timestamp when the ssh credential was created, RFC 3339 format
`description`	string	human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
`metadata`	string	arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
`public_key`	string	the PEM-encoded public key of the SSH keypair that will be used to authenticate
`acl`	List<string>	optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the `bind` rule. The `bind` rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule `bind:example.ngrok.io`. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of `bind:.example.com` which will allow `x.example.com`, `y.example.com`, `.example.com`, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of `bind:=example` which will allow `x=example`, `y=example`, etc. A rule of `''` is equivalent to no acl at all and will explicitly permit all actions.
`owner_id`	string	If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

List SSH Credentials

List all ssh credentials on this account

Request

GET /ssh_credentials

Example Request

curl \
-X GET \
-H "Authorization: Bearer {API_KEY}" \
-H "Ngrok-Version: 2" \
https://api.ngrok.com/ssh_credentials

Response

Returns a 200 response on success

Example Response

{
	"next_page_uri": null,
	"ssh_credentials": [
		{
			"acl": ["bind:1.tcp.ngrok.io:20002", "bind:132.devices.company.com"],
			"created_at": "2024-06-14T06:03:58Z",
			"description": "for device #132",
			"id": "sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf",
			"owner_id": "usr_2hrGw33K0y2LziI8zHGX8ilMTYX",
			"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
			"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf"
		}
	],
	"uri": "https://api.ngrok.com/ssh_credentials"
}

Fields

Name	Type	Description
`ssh_credentials`	SSHCredential	the list of all ssh credentials on this account
`uri`	string	URI of the ssh credential list API resource
`next_page_uri`	string	URI of the next page, or null if there is no next page

SSHCredential fields

Name	Type	Description
`id`	string	unique ssh credential resource identifier
`uri`	string	URI of the ssh credential API resource
`created_at`	string	timestamp when the ssh credential was created, RFC 3339 format
`description`	string	human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
`metadata`	string	arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
`public_key`	string	the PEM-encoded public key of the SSH keypair that will be used to authenticate
`acl`	List<string>	optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the `bind` rule. The `bind` rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule `bind:example.ngrok.io`. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of `bind:.example.com` which will allow `x.example.com`, `y.example.com`, `.example.com`, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of `bind:=example` which will allow `x=example`, `y=example`, etc. A rule of `''` is equivalent to no acl at all and will explicitly permit all actions.
`owner_id`	string	If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

Update SSH Credential

Update attributes of an ssh_credential by ID

Request

PATCH /ssh_credentials/{id}

Example Request

curl \
-X PATCH \
-H "Authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
-H "Ngrok-Version: 2" \
-d '{"description":"my dev machine","metadata":"{\"hostname\": \"macbook.local\"}"}' \
https://api.ngrok.com/ssh_credentials/sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf

Parameters

Name	Type	Description
`id`	string
`description`	string	human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
`metadata`	string	arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
`acl`	List<string>	optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the `bind` rule. The `bind` rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule `bind:example.ngrok.io`. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of `bind:.example.com` which will allow `x.example.com`, `y.example.com`, `.example.com`, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of `bind:=example` which will allow `x=example`, `y=example`, etc. A rule of `''` is equivalent to no acl at all and will explicitly permit all actions.

Response

Returns a 200 response on success

Example Response

{
	"acl": ["bind:1.tcp.ngrok.io:20002", "bind:132.devices.company.com"],
	"created_at": "2024-06-14T06:03:58Z",
	"description": "my dev machine",
	"id": "sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf",
	"metadata": "{\"hostname\": \"macbook.local\"}",
	"owner_id": "usr_2hrGw33K0y2LziI8zHGX8ilMTYX",
	"public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmGS49FkSODAcKhn3+/47DW2zEn19BZvzRQ8RZjL3v6hCIX2qXfsFK35EGxNI0wV23H4xXC2gVRPHKU71YnCb50tad3yMBTM6+2yfGsEDasEH/anmBLclChKvuGiT547RskZlpbAbdq3GvbzmY+R/2EBRMOiObpc8XmSzKAd05j28kqN0+rZO65SWId0MXdvJdSCSAnuRqBNd/aXKlu8hBPDcgwbT2lMkuR+ApoBS2FLRBOiQyt2Ol0T7Uuf7lTLlazpGB3uTw5zFYUNXkuuI6cAP8QYuY1Bne/hNrG8t3Aw9a1yc2C4Fz1hJ/4OMRxTQ8SUQf+Rmxs8DryMlMFJ8r device132@example.com",
	"uri": "https://api.ngrok.com/ssh_credentials/sshcr_2hrGyfDpShu1QrXMsl7ptL73QAf"
}

Fields

Name	Type	Description
`id`	string	unique ssh credential resource identifier
`uri`	string	URI of the ssh credential API resource
`created_at`	string	timestamp when the ssh credential was created, RFC 3339 format
`description`	string	human-readable description of who or what will use the ssh credential to authenticate. Optional, max 255 bytes.
`metadata`	string	arbitrary user-defined machine-readable data of this ssh credential. Optional, max 4096 bytes.
`public_key`	string	the PEM-encoded public key of the SSH keypair that will be used to authenticate
`acl`	List<string>	optional list of ACL rules. If unspecified, the credential will have no restrictions. The only allowed ACL rule at this time is the `bind` rule. The `bind` rule allows the caller to restrict what domains, addresses, and labels the token is allowed to bind. For example, to allow the token to open a tunnel on example.ngrok.io your ACL would include the rule `bind:example.ngrok.io`. Bind rules for domains may specify a leading wildcard to match multiple domains with a common suffix. For example, you may specify a rule of `bind:.example.com` which will allow `x.example.com`, `y.example.com`, `.example.com`, etc. Bind rules for labels may specify a wildcard key and/or value to match multiple labels. For example, you may specify a rule of `bind:=example` which will allow `x=example`, `y=example`, etc. A rule of `''` is equivalent to no acl at all and will explicitly permit all actions.
`owner_id`	string	If supplied at credential creation, ownership will be assigned to the specified User or Bot. Only admins may specify an owner other than themselves. Defaults to the authenticated User or Bot.

SSH Credentials

Create SSH Credential​

Request​

Example Request​

Parameters​

Response​

Example Response​

Fields​

Delete SSH Credential​

Request​

Example Request​

Response​

Get SSH Credential​

Request​

Example Request​

Response​

Example Response​

Fields​

List SSH Credentials​

Request​

Example Request​

Response​

Example Response​

Fields​

SSHCredential fields​

Update SSH Credential​

Request​

Example Request​

Parameters​

Response​

Example Response​

Fields​

Create SSH Credential

Request

Example Request

Parameters

Response

Example Response

Fields

Delete SSH Credential

Request

Example Request

Response

Get SSH Credential

Request

Example Request

Response

Example Response

Fields

List SSH Credentials

Request

Example Request

Response

Example Response

Fields

SSHCredential fields

Update SSH Credential

Request

Example Request

Parameters

Response

Example Response

Fields