> ## Documentation Index
> Fetch the complete documentation index at: https://ngrok.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authtoken ACLs

> Restrict what endpoints an agent can create using authtoken ACLs.

The ngrok agent authenticates with an authtoken.
[Your authtoken is available on the ngrok dashboard](https://dashboard.ngrok.com/get-started/your-authtoken).
Add your authtoken to the ngrok agent with the following command:

```bash theme={null}
ngrok config add-authtoken <TOKEN>
```

This command updates the `authtoken` property in your [ngrok configuration file](/agent/config).

Use a separate authtoken for each agent you configure. You can [provision additional authtokens on your ngrok dashboard](https://dashboard.ngrok.com/authtokens) or [via API](/agent/config/v3/#authtoken). Separate authtokens isolate the security risk
if an authtoken is compromised. It also allows you to configure
ACLs on a per agent basis.

When you provision a new authtoken, the full token is only displayed once. As a security
feature, ngrok does not store a recoverable representation of the token.

## Authtoken ACLs

Authtoken ACLs restrict what actions an ngrok agent connecting with that
authtoken is allowed to take. You may define multiple ACLs. Authtokens with no
ACLs may take all actions. The following ACLs are supported:

| Example              | Description                                                                |
| -------------------- | -------------------------------------------------------------------------- |
| `bind:foo.ngrok.app` | The agent may only create an endpoint on `foo.ngrok.app`                   |
| `bind:*.example.com` | The agent may only create endpoints on subdomains of `example.com`         |
| `bind:foo=bar`       | The agent may create a labeled endpoint with the label `foo=bar`           |
| `bind:app=*`         | The agent may create labeled endpoints with labels like `app=x` or `app=y` |
| `bind:*`             | The agent may listen on all endpoints                                      |

For more details on authtokens, API keys, and other agent configuration, see the [ngrok Agent documentation](/agent/).
