Skip to main content
Traffic Policy gives you powerful options for adding authentication to your endpoints—without touching your application code. Whether you need a quick login prompt for a demo, OAuth for production apps, or JWT validation for APIs, ngrok has you covered.
For a deeper dive into authentication concepts and when to use each method, see the Authentication with ngrok blog post.

Authentication and access control methods


Basic Auth

HTTP Basic Auth is the simplest form of authentication—it prompts visitors for a username and password with zero setup. Use it for one-off demos or sharing local development work.
See the basic-auth action docs for more information.

OAuth

OAuth lets you leverage existing identity providers like Google, GitHub, or Microsoft for authentication. Users sign in with their existing accounts—no password management required. ngrok supports these OAuth providers out of the box with managed applications:
  • Google
  • GitHub
  • GitLab
  • LinkedIn
  • Microsoft
  • Twitch

Simple OAuth setup

Restrict access by email domain

Use expressions to restrict access based on email domain, allowing only users from specific organizations.
For more OAuth examples—including session controls, multiple email domains, custom OAuth apps, and login/logout flows—see the oauth action docs and the OAuth protection guide.

OpenID Connect (OIDC)

OIDC connects to managed corporate identity providers like Okta, Azure AD, or any OIDC-compliant IdP. This gives you fine-grained control over authentication while leveraging your existing identity infrastructure.

Basic OIDC setup

Pass identity tokens to your service

Forward the OIDC identity token to your upstream service via headers for further authorization logic.
See the openid-connect action docs for more information.

JWT validation

For APIs, JWT validation lets you verify tokens without managing user sessions. Combine it with rate limiting for robust API protection.

Basic JWT validation

JWT validation with rate limiting

Combine authentication with key-based rate limiting for complete API protection.
See the jwt-validation action docs and the Auth0 integration guide for more information.

IP restrictions

Restrict access to specific IP addresses or CIDR ranges. Use this for network-level access control, such as allowing only office IPs or blocking known bad actors.
You can also combine IP restrictions with other authentication methods. See the IP restrictions + Basic Auth example for a pattern that allows users to authenticate with one method OR another. See the restrict-ips action docs for more information.

Mutual TLS (mTLS)

Mutual TLS requires clients to present a valid certificate, enabling strong machine-to-machine authentication. Use this for zero-trust architectures or when you need to verify client identity at the transport layer. mTLS is configured at the endpoint level rather than through Traffic Policy actions. See the Mutual TLS documentation for setup instructions. Once mTLS is enabled, you can use Traffic Policy to make routing or access decisions based on client certificate details. See the routing by client certificate example.

Enforce authentication

Use Traffic Policy to require authentication or apply different rate limits based on authentication status.

Reject unauthenticated requests

For APIs that require authentication, immediately reject requests that don’t include an Authorization header.

Tiered rate limits

Create different rate limits based on authentication status—unauthenticated users get a lower limit while authenticated users get higher capacity.