Skip to content

SOP 004: Configure Traffic Policy (Authentication) ​

Fresh
FieldValue
SOP IDSOP-004
Version1.0
StatusActive
Last Updated2026-02-13

Purpose ​

Add authentication and security policies to your ngrok endpoints using Traffic Policy.

Prerequisites ​

  • ngrok installed and authenticated (SOP 001, SOP 002)
  • A running local service

Procedure ​

Option A: Google OAuth via Config File ​

  1. Open the ngrok config file:
bash
ngrok config edit
  1. Add the following below your authtoken:
yaml
endpoints:
  - name: secure-app
    url: YOUR_DOMAIN
    traffic_policy:
      on_http_request:
        - actions:
          - type: oauth
            config:
              provider: google
    upstream:
      url: 8080
      protocol: http1
  1. Start the endpoint by name:
bash
ngrok start secure-app

Visitors must log in with a Google account before accessing your app.

Option B: Basic Auth via Policy File ​

  1. Create traffic-policy.yml:
yaml
on_http_request:
  - actions:
      - type: basic-auth
        config:
          credentials:
            - admin:secretpassword
            - user2:anotherpassword
  1. Start with the policy file:
bash
ngrok http 80 --traffic-policy-file traffic-policy.yml

Authtoken ACLs ​

Restrict what an agent can do at the token level:

ACL PatternDescription
bind:foo.ngrok.appOnly create endpoint on specific domain
bind:*.example.comOnly subdomains of example.com
bind:foo=barLabeled endpoint with specific label
bind:app=*Labeled endpoints with wildcard
bind:*Listen on all endpoints (default)

Configure ACLs when provisioning authtokens at dashboard.ngrok.com/authtokens.

Verification Checklist ​

  • [ ] Config file syntax is valid (ngrok config check)
  • [ ] Endpoint starts without errors
  • [ ] Authentication prompt appears when accessing the URL
  • [ ] Valid credentials grant access
  • [ ] Invalid credentials are rejected

Troubleshooting ​

IssueSolution
YAML syntax errorUse ngrok config check to validate
OAuth not redirectingEnsure traffic_policy indentation is correct
Basic auth not workingCheck credentials format is user:password
403 ForbiddenCheck ACL permissions on the authtoken

See Also ​

Built with VitePress + Claude RAG Chat