Paste an mtk_master_ key once. Your AI assistant mints
its own short-lived project keys, opens tunnels in isolated
buckets, and you revoke everything in one click if anything
goes sideways. Same shape Stripe, OpenAI, and Resend keys use
— so AI agents already know how to consume it.
One human action, one paste, then the AI runs autonomously. If anything breaks, one click cleans it up.
Visit your API Keys page, click New master key, copy the mtk_master_… string. Default 90-day TTL, 1-year cap. You only do this once.
Same shape Stripe / OpenAI / Resend keys use. Wherever your AI assistant reads env vars (Claude Code settings, .env file, Docker -e flag, Devin secrets panel), set MYTUNNEL_API_KEY.
MYTUNNEL_API_KEY=mtk_master_AAAA…The AI runs these on its own. Project keys auto-expire on TTL. Each project has its own subdomain namespace, so two parallel AI sessions can't collide.
mytunnel projects create feature-x "Working on feature X"
eval $(mytunnel projects keys mint feature-x --ttl 4 --output-env)
mytunnel http 3000 --subdomain api
# → https://api-feature-x.21tunnel.comRevoke the master key in the dashboard. Every project key it ever minted is revoked. Every tunnel under those projects goes dark. Live agent sessions are kicked within 30 seconds. Worst-case recovery is one click.
Other tunnel services have API keys. Few have delegation primitives. These are the things we built that we didn't see elsewhere when we shipped in May 2026.
Master keys (mtk_master_…) cannot themselves open tunnels — at three layers (CLI parse, agent handshake, signed quota=0). They exist to mint and revoke child keys. Same shape OpenAI service-account keys use, applied to tunnels.
Each project gets its own subdomain space. A staging-project child key registering subdomain api becomes api-staging.21tunnel.com. Two parallel AI sessions in two projects literally cannot collide on a URL.
One DB transaction kills the master, every child key it minted, and every tunnel under those children's projects. Live agent sessions get kicked within 30 seconds by the existing session-driver re-probe.
Every child key stores minted_by_master_id in its metadata, so the audit log shows tunnel → child key → master key → human as one straight line. When something goes wrong you know exactly which AI session caused it.
AI coding agents already shell out to CLI binaries every day. mytunnel projects keys mint --output-env emits a single shell-escapable export line for eval $(…). No PyPI install, no MCP server, no SDK ceremony.
Project keys are ordinary capability tokens on the wire. mytunnel http 3000 works the same way it always has — the AI doesn't have to learn a new agent. Master-key wiring is server-side only.
Counter-evidence that we thought about this. The phrase "AI agent ready" gets over-engineered fast; here's where we drew the line.
Hobby is $0 forever — 3 tunnels, 10 Mbps per tunnel, 20k requests/month. Master key mint is included. Mint one in two minutes and hand the string to your AI assistant.