Posts from the team building 21tunnel in the open. Every claim links back to a commit, a migration, or a design doc in the repo.
Every credible ngrok alternative scored on a reproducible 8-dimension rubric (setup, stable URL, custom domain, self-host, AI-agent delegation, pricing, inspector, polish). Top-banner disclosure: we make 21tunnel and rank ourselves #1 — competitors scored on merit.
AI coding agents (Claude Code, Cursor, Aider, Devin) need public URLs for the work they produce on localhost. The naive answer — paste your god-mode token into the agent's env — is the same mistake that gave us a decade of API-key leaks. The master-key pattern as the actual answer.
Step-by-step: tunnel a Model Context Protocol server so hosted Claude, Cursor on another machine, or a teammate can reach it. Includes claude_desktop_config.json and .cursor/mcp.json samples, plus the master-key pattern that keeps it safe.
An honest, vendor-neutral explanation of what ngrok is, how it works, what it costs, when it's safe to use, and when you should pick an alternative. Written by a competitor — kept honest.
smee.io vs a real tunnel, HMAC-SHA256 verification over the raw body in Node / Python / Rust, dedupe on X-GitHub-Delivery, and the retry semantics nobody writes down.
The minimal setup: one command, HTTPS URL, works on any network. Then persistent URLs across restarts, OIDC gating, and 5 pitfalls to avoid.
Tunneling, mkcert, Caddy, Let's Encrypt DNS-01, framework --https flags, old-school self-signed. When each works, gotchas that waste hours.
Stripe CLI forward vs a real tunnel, HMAC signature verification in Node / Python / Rust, idempotency via stripe_event_id UNIQUE, and graduating to production without redoing anything.
Five real options: tunneling services, router port-forward + dyndns, mesh VPNs, cloud-proxy reverse SSH, WebRTC. Framework-specific notes for Next / Vite / Rails / Django / Flask / Express, plus the safety checklist.
Every tunnel tool I could find that's open-source or has a no-credit-card free tier. Cloudflare Tunnel, Tailscale Funnel, frp, localtunnel, bore, chisel, and 21tunnel — what each shines at, what each pinches on, and a one-liner for how to pick.
Every tunneling service in the market is Go. We picked Rust, forbid unsafe code, and denied unwrap, panic, and todo! at compile time. Why — and what that cost us.
Where ngrok genuinely wins, where the free-tier cap and custom-domain paywall pinch, and when to switch to an open-source, self-hostable alternative.
argon2id, JWT+refresh rotation, RBAC with a superadmin bit, TOTP MFA, Stripe Checkout + Portal, and a dual-auth middleware that keeps ops scripts working. What the build actually looked like, day by day.