Fine-grained tunnel grants

Tunnel access can be restricted directly on credentials and short-lived tokens.

Tunnel grants scope a token to every tunnel project, to selected workspaces, or to selected projects, or define its access through advanced JSON rules. Advanced grants can limit tunnel creation, tunnel discovery, tunnel connections, and HTTP request paths.

This is designed for backend delegation. A backend can keep an application credential, then issue a one-minute token to a remote device that can create HTTP tunnels for one project without receiving account-wide API access or connection rights.
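The delegation pattern described above, sketched as an added example; it is not the product's token format or API. The HMAC-signed token layout, the field names (`project`, `ops`, `paths`, `exp`), the operation names and the functions `mint_token` and `authorize` are all hypothetical, and the secret and project names are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the application credential the backend keeps (assumption).
APP_SECRET = b"constructed-demo-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(APP_SECRET, body.encode(), hashlib.sha256).digest())

def mint_token(project, operations, path_prefixes=(), ttl=60, now=None):
    """Backend side: sign a short-lived grant limited to one project."""
    now = time.time() if now is None else now
    grant = {"project": project, "ops": sorted(operations),
             "paths": list(path_prefixes), "exp": int(now) + ttl}
    body = _b64(json.dumps(grant, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def authorize(token, project, operation, path=None, now=None):
    """Enforcement side: deny unless signature, expiry and grant all match."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        # Constant-time comparison; verify before parsing any grant content.
        if not hmac.compare_digest(sig, _sign(body)):
            return False
        grant = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False  # malformed token: fail closed
    if now >= grant["exp"]:
        return False
    if grant["project"] != project or operation not in grant["ops"]:
        return False
    if path is not None and grant["paths"]:
        # Match on whole path segments so "/api" does not also allow "/apix".
        # Assumes the caller has already normalised the request path.
        return any(path == p or path.startswith(p.rstrip("/") + "/")
                   for p in grant["paths"])
    return True

if __name__ == "__main__":
    device_token = mint_token("proj-a", ["create"])  # one-minute, create-only
    print(authorize(device_token, "proj-a", "create"))   # granted operation
    print(authorize(device_token, "proj-a", "connect"))  # not delegated
```

The device holding `device_token` never sees `APP_SECRET`, so it cannot widen its own grant or extend the expiry.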

Tunnel grants are available from the Dashboard and API on all managed plans. Operation-level tunnel scopes are available on Pro and Enterprise. Community Edition deployments do not enforce this model.

For the full model and examples, refer to Fine-grained tokens.