Join ngrok’s founder & CEO on Jan. 15, 2025 for demos of what we shipped in this year… and a peek into our 2025 technical roadmap. →

Traffic Policy

Flexible traffic rules, simple configuration

Manage traffic with our simple, flexible, and idiomatic traffic policy engine.

Use Common Expression Language (CEL) with JSON or YAML to define rules that match incoming or outgoing traffic based on attributes like URL path, headers, and other request or response properties. Apply pre-built actions such as URL rewrite, JWT validation, rate limiting, and more.

Sign up for freeTechnical documentation
JWT validation
Secure services with JWT validation

Validate that each request contains an unexpired, encrypted JWT signed by a trusted source and destined for your upstream service.

Provide a URL to your JSON Web Key Set (JWKS), and ngrok will use it to validate requests before they ever hit your upstream service.

This example validates JWTs found in requests to https://example.ngrok.com against the specified Auth0 JWKS before forwarding them to your upstream service.

Explore JWT validation
Rate limit traffic
Control traffic, ensure fairness

Set limits to restrict traffic to your endpoints to ensure fairness across all clients and maintain multi-tenant resiliency.

This code snippet example specifies that only 30 requests per minute are allowed.

Explore rate limiting traffic
Restrict IPs
Control access by IP

Allow or deny traffic based on the source IP of the connection that was initiated to your ngrok endpoints.

This example shows a configuration that only allows requests from the IP 1.1.1.1, while requests from the IP e680:5791:be4c:5739:d959:7b94:6d54:d4b4 are denied.

Explore restricting IPs
OAuth
Protect services with OAuth

ngrok supports a wide range of OAuth providers such as Google, Microsoft, GitHub and others that you can define in Traffic Policy.

Once authenticated by the IdP, ngrok adds headers to the HTTP request with details about the authenticated OAuth user, providing additional context for your upstream service.

Redirect
Redirect traffic to ensure backwards compatibility

Redirect incoming requests to new URLs by modifying the original URLs with regular expressions.

Use this action to prevent 404 errors or ensure backwards compatibility of your applications and APIs by redirecting traffic to updated URLs. Redirection is performed using the Location header.

This example shows a configuration that will redirect any request from /products to /store/products with the default 302 Found status code.

Explore redirects
Try Traffic Policy now
Try now

More Traffic Policy capabilities

Custom response
  • Return a hard-coded custom response, such as a maintenance page.
  • Supports CEL interpolation - access traffic policy variables and embed CEL expressions in your custom response.
Explore custom responses
Deny traffic
  • Protect your services by blocking HTTP or TLS requests or terminate a TCP connection.
  • Eg: Deny requests from specific regions or restrict access to particular paths.
Explore deny traffic
URL rewrite
  • Transforms SEO friendly, customer-facing URL into actual service URLs at runtime.
  • Hide internal routing details from end users.
Explore URL rewrite
Forward Internal
  • Forward traffic to an internal endpoint within the same ngrok account.
  • Route traffic from public-facing cloud endpoints or internal endpoints.
  • Orchestrate traffic flow based on headers, paths, domains or other parameters.
Explore Forward Internal
Add headers
  • Add headers to an HTTP request or a HTTP response.
  • Eg: Add geographical data about clients that are connecting to your services.
  • Supports CEL interpolation - access traffic policy variables and embed CEL expressions into header values.
Explore add headers
Remove headers
  • Remove headers from an HTTP request or a HTTP response.
  • Strip internal headers from responses to ensure sensitive data is not exposed.
  • Remove unnecessary headers from requests to reduce overhead and prevent bloat.
Explore remove headers
Log
  • Add metadata to log events for HTTP, TCP, and TLS traffic, providing additional context.
  • Eg: Include the endpoint identifier for every request.
  • Supports CEL interpolation - access traffic policy variables and embed CEL expressions in this action.
Explore logs
Compression
  • Improve performance by compressing HTTP response bodies returned by your upstream service.
  • Supported algorithms: br ,compress ,gzip , and deflate.
Explore Compression
Traffic identities
  • Get live visibility into active OAuth, OIDC, and SAML user sessions in your tunnels.
  • View session context—such as user, device, identity provider, and network details—and terminate sessions instantly through the dashboard or via REST API.
Explore Traffic identities
Terminate TLS
  • Terminate TLS and enable mutual TLS (mTLS) authentication for your HTTP and TLS endpoints.
  • Specify which TLS versions your endpoint supports for added security and compatibility.
  • For HTTPS endpoints, TLS is terminated automatically at ngrok's global network.
  • For TLS endpoints, you can choose to terminate TLS at the global network, the agent, or your upstream service.
Explore Terminate TLS
OpenID Connect

Coming soon.

Basic Auth
  • Enforce HTTP Basic Auth by securing your services with usernames and passwords.
Explore Basic Auth
Circuit Breaker
  • Automatically block traffic to protect your upstream service when it becomes overloaded.
  • Pause traffic flow to give your service time to stabilize.
  • Resume traffic flow automatically once the service recovers.
Explore Circuit Breaker
Verify Webhook
  • Ensure that only authenticated requests from your webhook provider reach your upstream service.
  • Block malicious payloads and prevent security vulnerabilities.
  • ngrok verifies the webhook signature before forwarding it your service.
  • Explore full list of webhook providers supported by ngrok.
Explore Verify Webhook

Explore more features and capabilities

Universal Gateway
Simplify App & API Delivery with ngrok’s All-in-One Gateway.
Secure Tunnels
Your connection to upstream services running anywhere.
Kubernetes Operator
Ingress Controller, Gateway API, Cross-Cluster Connectivity, and more.
Traffic Observability
Gain full visibility into your traffic.
Platform Security
Trusted by over 7 million developers and leading enterprises.
Developer Platform
CLI, API, Dashboard, third-party extensions, and more
Getting Started
Pricing
Trust
Docs

Learn more about

Traffic Policy

features

Blog
Manage traffic with CEL expressions and connection variables
Blog
What are CEL variables?
Blog
Introducing ngrok's Traffic Policy module
Blog
Traffic Policy Engine now supports dynamic configuration with CEL Interpolation
Blog
Redirect vs URL rewrite in an API gateway