What is ngrok? The honest 2026 explainer.
ngrok is a service that gives your local development server a public HTTPS URL. You run one command, and anyone on the internet can hit your laptop. This post explains how it works, what it costs in 2026, when it's the right tool, and when you'd pick an alternative. We compete with ngrok (we make 21tunnel), so we have skin in the game — which means we'll keep this honest. Pure hatchet jobs read as spam.
TL;DR
ngrok takes a port on your laptop (say localhost:3000)
and gives you a public URL like https://abc123.ngrok-free.app
that forwards to it. No DNS, no certificates, no firewall
config. Free tier lets you run one tunnel with a random
subdomain; paid tiers (~$10/mo and up) add reserved domains,
custom domains, team features, and more concurrent tunnels.
It's been around since 2015, runs on Go, is open-source on
the agent side (the server is proprietary SaaS-only). For most
developers who just need a public URL for an afternoon, it's
the default — and that default is fine. When you'd pick
something else: if you need to self-host the entire stack, if
you want lower starting prices for paid features, or if you're
building for AI coding agents that need delegated API keys.
What is ngrok, actually?
ngrok is a tunneling service. The name covers
two things: an open-source agent (a CLI binary called
ngrok you run on your machine) and a hosted
backend (ngrok's servers, which are not open-source). When you
run ngrok http 3000, the agent opens an outbound
TLS connection to ngrok's servers, and ngrok hands you a
public hostname like abc123.ngrok-free.app. Any
HTTPS request to that hostname gets multiplexed over the open
connection back to your laptop, where the agent forwards it
to port 3000 on localhost.
The clever bit is that this works through firewalls and NAT. Your laptop never accepts an inbound connection — the agent initiates the TLS connection outbound, then everything afterwards rides on that same long-lived socket. So you don't need to forward a port on your home router, fight with corporate IT, or beg DNS for a CNAME. You just run a command.
How ngrok works under the hood
The bones of the system:
- Agent — the ngrok binary. Reads your config, authenticates with the backend (via a long-lived API key after your first ngrok config add-authtoken), opens a TLS connection to one of ngrok's regional edges.
- Edge — ngrok's globally-distributed servers. When traffic arrives for abc123.ngrok-free.app, the edge looks up which agent is currently bound to that subdomain and forwards the request over the agent's open connection.
- Multiplexing — many concurrent requests ride on a single TLS connection per agent. ngrok historically used QUIC for this; the wire format is internal to ngrok. (For comparison, 21tunnel uses TLS 1.3 + yamux for the same job; the multiplexing primitive matters less than the fact that there is one.)
- Public certificate — ngrok terminates HTTPS at the edge using Let's Encrypt-issued certs. Your localhost server only needs to speak plain HTTP; ngrok handles TLS for you.
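The agent/edge split above, as an added sketch that is not ngrok's or 21tunnel's code: the edge is the only listener, the agent dials out, and three requests share the one connection tagged by stream id. The 6-byte frame header is a constructed format (ngrok's wire format is internal), and plain TCP on loopback stands in for the TLS connection.

```python
import socket
import struct
import threading

HEADER = struct.Struct("!IH")  # constructed frame: 4-byte stream id, 2-byte length

def send_frame(sock, stream_id, payload):
    sock.sendall(HEADER.pack(stream_id, len(payload)) + payload)

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("tunnel closed mid-frame")
        buf += chunk
    return buf

def recv_frame(sock):
    stream_id, length = HEADER.unpack(recv_exact(sock, HEADER.size))
    return stream_id, recv_exact(sock, length)

def agent(edge_addr, local_handler, n_requests):
    """Dial OUT to the edge, then answer requests that arrive on that socket."""
    with socket.create_connection(edge_addr) as tunnel:
        for _ in range(n_requests):
            stream_id, request = recv_frame(tunnel)
            send_frame(tunnel, stream_id, local_handler(request))

def run_demo():
    # The edge is the only side that listens; the agent never accepts a connection.
    with socket.create_server(("127.0.0.1", 0)) as edge:
        worker = threading.Thread(
            target=agent,
            args=(edge.getsockname(), lambda req: b"local saw " + req, 3))
        worker.start()
        tunnel, _ = edge.accept()
        with tunnel:
            # Three public requests share the one connection, tagged by stream id.
            for stream_id in (1, 2, 3):
                send_frame(tunnel, stream_id, b"GET /page%d" % stream_id)
            replies = dict(recv_frame(tunnel) for _ in range(3))
        worker.join()
    return replies

if __name__ == "__main__":
    print(run_demo())
```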
What people use ngrok for
The most common use cases — in order of frequency we've observed:
- Webhook testing. You're integrating Stripe, GitHub, Twilio, Shopify. They need to POST to a public URL. You don't want to deploy your code every time you change a line. ngrok gives you a URL that forwards to localhost so webhook deliveries hit your debugger.
- Sharing a preview. You're a designer or frontend dev showing your work-in-progress to a client or stakeholder. You don't want to deploy to staging just for an afternoon review. ngrok URL → done.
- Testing on real mobile devices. Your iPhone can't reach http://localhost:3000. With ngrok, it hits https://abc123.ngrok-free.app instead.
- Demos on video calls. Stop screen-sharing, send the URL, let prospects click around themselves.
- AI coding agents. Newer use case in 2024-2026 — AI coding tools (Claude Code, Cursor, etc.) increasingly need to expose localhost previews via tunnel so the human can review what the agent built.
ngrok pricing in 2026
ngrok's pricing (as of 2026) has four tiers:
- Free — one tunnel at a time, random subdomain that changes every restart, basic features. Good for trying ngrok out; less good for daily use because the subdomain churn breaks webhook integrations.
- Personal — ~$10/mo. One reserved your-name.ngrok.io subdomain so your URL stays stable. Still only one concurrent tunnel.
- Pro — ~$20/mo. Multiple concurrent tunnels, bring-your-own custom domain, audit log, MFA.
- Enterprise — custom pricing. SSO, SCIM, dedicated regions, support SLA.
Prices on ngrok's actual pricing page may differ slightly when you read this. The structure has been stable for years; the numbers drift.
ngrok free tier — what's included
The ngrok free tier in 2026:
- 1 concurrent tunnel
- Ephemeral subdomain (changes on restart)
- 40 connections / minute rate limit
- No reserved domain
- No custom domain
- Basic web inspector for requests
That's a useful sample of the product but limiting for daily development. The ephemeral-subdomain churn especially — every time you restart your tunnel, Stripe / GitHub / etc. need to be reconfigured with the new URL. If you're testing webhooks more than once a week, you'll feel that friction quickly.
Is ngrok safe?
Yes — for development. Three things to know:
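- Traffic is encrypted in transit. ngrok terminates HTTPS at its edge; the connection from edge → your agent rides over TLS. So nobody on your wifi or elsewhere on the network path can read the requests. Because TLS terminates at the edge, ngrok's edge itself handles the requests in cleartext.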
- The public URL is publicly reachable. If you expose localhost:3000 and your dev server has admin endpoints without auth, ANYONE who guesses the URL can hit those endpoints. The URL is randomly generated (hard to guess) but assume that with enough scanning it'll eventually be found.
- Use ngrok's basic-auth or OAuth gate if your tunnel exposes anything sensitive. ngrok supports both on paid tiers. Same idea applies to any tunnel service.
For production, ngrok recommends their TCP edge or their Cloud Edge product (paid). The free tier and Personal aren't designed for production traffic — they're development tools.
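One way to apply the "gate anything sensitive" advice at the origin when an edge gate is not available, as an added example that is not ngrok's or 21tunnel's code: a WSGI wrapper that demands HTTP Basic credentials, plus a pre-flight check listing which paths answer without any. The dev_app routes, user name and password are constructed for the demonstration.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

def dev_app(environ, start_response):
    """Constructed stand-in for a dev server with an unauthenticated admin route."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin panel\n" if environ["PATH_INFO"] == "/admin" else b"hello\n"]

def basic_auth_gate(app, username, password):
    """Require HTTP Basic credentials on every request before it reaches `app`."""
    expected = base64.b64encode(f"{username}:{password}".encode())

    def gated(environ, start_response):
        scheme, _, supplied = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        # compare_digest keeps the comparison time independent of where bytes differ
        if scheme.lower() == "basic" and hmac.compare_digest(
                supplied.strip().encode(), expected):
            return app(environ, start_response)
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="dev tunnel"'),
            ("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    return gated

def status_for(app, path, authorization=None):
    """Issue one in-process request and return the numeric status code."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    b"".join(app(environ, lambda status, headers: seen.append(status)))
    return int(seen[0].split()[0])

def open_paths(app, paths):
    """Pre-flight check: which paths answer 200 with no credentials at all?"""
    return [p for p in paths if status_for(app, p) == 200]

if __name__ == "__main__":
    paths = ["/", "/admin"]
    gated = basic_auth_gate(dev_app, "dev", "constructed-example-password")
    print("before gate:", open_paths(dev_app, paths))
    print("after gate: ", open_paths(gated, paths))
```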
ngrok alternatives — when to look elsewhere
ngrok is the default for good reason. But there are real scenarios where an alternative is the better pick:
- You need to self-host — compliance, data residency, or just wanting your tunnel traffic to never leave your own infrastructure. ngrok is SaaS-only. 21tunnel ships open-source server + dashboard you can run on your own VM.
- You want lower starting prices — ngrok's Personal tier is ~$10/mo for a single reserved subdomain with no custom-domain support. 21tunnel's Pro is the same $10/mo and includes bring-your-own custom domains, edge auth, multiple concurrent tunnels.
- You need open-source server code — for audit, for forking, for replacing parts. ngrok's agent is MIT-licensed but the server is proprietary. 21tunnel is dual MIT + Apache-2.0 end to end.
- You want simpler / lighter — Pinggy.io and localhost.run both let you start a tunnel with a single SSH command (no install). Free, no account needed.
- Your domain is on Cloudflare DNS — Cloudflare Tunnel is free, integrates with Cloudflare Access for auth, and rides Cloudflare's edge network.
We wrote a longer head-to-head at 21tunnel vs ngrok and a comparison-intent landing at 21tunnel — the open-source ngrok alternative.
ngrok for AI agents
A use case that's grown sharply in 2024-2026: AI coding agents (Claude Code, Cursor, Aider, Devin) increasingly need a public URL to expose what the agent built. The human pastes an API key into the agent's environment, the agent runs a tunnel command, shares the resulting URL back to the human in chat.
ngrok works for this — paste your auth token into
NGROK_AUTHTOKEN and the AI agent shells out to
ngrok http 3000. The friction shows up at scale:
ngrok doesn't have a first-class delegation primitive (no
"master key" that can mint short-lived child keys). If you
give your AI agent your ngrok auth token, it has all the same
permissions you do, indefinitely, until you rotate the token.
For this specific case we built
21tunnel's AI-agent flow: a master key
(mtk_master_) that can mint scoped child keys with
TTL + quota, organized into project namespaces with subdomain
isolation, and one-click cascade revoke. Same shape Stripe /
OpenAI / Resend keys use, applied to tunnels.
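The delegation shape described above (master key, scoped child keys with TTL and quota, cascade revoke), as an added illustration that is not 21tunnel's or ngrok's implementation. The class, the method names and the child_ prefix are hypothetical; only the mtk_master_ prefix comes from the text, and the store is in memory.

```python
import hashlib
import secrets
import time

def _fp(key):
    """Store only a fingerprint of each key, never the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()

class DelegationStore:
    def __init__(self):
        self.masters = {}    # fingerprint -> revoked flag
        self.children = {}   # fingerprint -> grant record

    def create_master(self):
        key = "mtk_master_" + secrets.token_urlsafe(24)  # random, constructed key body
        self.masters[_fp(key)] = False
        return key

    def mint_child(self, master_key, project, ttl_s, quota, now=None):
        now = time.time() if now is None else now
        parent = _fp(master_key)
        if self.masters.get(parent, True):   # unknown or revoked master
            raise PermissionError("master key not valid")
        child = "child_" + secrets.token_urlsafe(24)     # hypothetical prefix
        self.children[_fp(child)] = {"parent": parent, "project": project,
                                     "expires": now + ttl_s, "remaining": quota}
        return child

    def authorize(self, child_key, project, now=None):
        """Return 'ok' and spend one unit of quota, or the reason for refusal."""
        now = time.time() if now is None else now
        grant = self.children.get(_fp(child_key))
        if grant is None:
            return "unknown-key"
        if self.masters.get(grant["parent"], True):
            return "parent-revoked"
        if now >= grant["expires"]:
            return "expired"
        if grant["project"] != project:
            return "wrong-project"
        if grant["remaining"] <= 0:
            return "quota-exhausted"
        grant["remaining"] -= 1
        return "ok"

    def revoke_master(self, master_key):
        """Cascade revoke: every child minted from this master stops working."""
        self.masters[_fp(master_key)] = True
```

The key handed to the agent is the child key, so a leaked or forgotten credential stops working at its TTL or quota instead of staying valid until someone rotates the account token.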
Should you use ngrok?
If you need a public URL for your laptop's port for an
afternoon's webhook debugging and you've never heard of
tunneling before — yes, just brew install ngrok,
run the command, you'll be productive in five minutes. ngrok
is the safe default and being the default is worth something.
Look at alternatives if any of these are true: you want to self-host the entire stack, you want better unit economics on the paid tier, you want open-source server code, or you're building AI-agent workflows that benefit from delegated API keys. For the alternatives we recommend in each case, see the list above.
Disclosure: we build 21tunnel. We try to recommend the right tool for each shape — ngrok itself in the cases where it's the right answer, Cloudflare Tunnel / Pinggy / Localtunnel where those fit better, 21tunnel when our specific tradeoffs (open-source + self-host + AI-agent delegation) match what you're optimising for.
Want to try the open-source alternative? 21tunnel is free on Hobby (3 tunnels, 10 Mbps per tunnel, 20k requests/month, custom domain on signup). Or run the whole thing on your own VM — dual MIT + Apache-2.0.