What Is ngrok? How It Works and How to Use It

What Is ngrok?

ngrok is a reverse proxy that gives a service running on your own machine a public URL. ngrok's documentation describes it as a globally distributed reverse proxy that acts as the front door to your applications, wherever they run.

In plain terms, it takes something only you can reach at http://localhost and makes it reachable on the open internet at a URL like https://your-name.ngrok-free.app. Nothing about your app changes. You do not deploy it, buy a server, open a port, or edit DNS.

That is why ngrok became a default tool in so many developer toolkits: the gap between "running on my laptop" and "reachable by the outside world" usually takes infrastructure work, and ngrok closes it with a single command.

How Does ngrok Work?

ngrok works through two pieces: a lightweight agent you run locally and ngrok's cloud edge. The agent does not wait for inbound connections, which is what makes it firewall friendly.

• The agent dials out. When you run the ngrok command, the agent opens a single outbound, encrypted connection from your machine to ngrok's cloud. Outbound connections are almost always allowed, so no port forwarding or firewall change is needed.
• The edge assigns a public URL. ngrok's cloud gives your tunnel a public HTTPS address and terminates TLS for you, so visitors get a valid certificate automatically.
• Traffic is forwarded down the tunnel. Any request that hits the public URL is relayed back through the open connection to the local port you specified, and your app's response travels back the same way.
• You inspect it locally. ngrok exposes a local inspection interface where you can see every request and replay it, which is invaluable for debugging webhooks.

Because the connection is outbound and encrypted, your local app is never directly exposed to the internet. Visitors only ever talk to ngrok's edge, and the edge talks to your machine over the tunnel you opened.

What ngrok Is Used For

ngrok shows up wherever a local service suddenly needs to be reachable from outside. The most common uses are:

• Receiving webhooks. Services like payment providers, chat platforms, and CI systems call a public URL when an event happens. ngrok gives your local handler that URL, so you can build and debug webhook flows without deploying.
• Sharing a work-in-progress build. Send a teammate, designer, or client a link to the version running on your machine right now, instead of waiting for a deploy to your staging environment.
• Testing integrations and OAuth. Many third-party callbacks, OAuth redirects, and API testing flows require a real, public HTTPS URL. ngrok satisfies that requirement from localhost.
• Reaching services behind a firewall. Expose an internal API, a device, or a home-lab service without standing up public infrastructure.
• Quick mobile checks. Open your local site on a physical phone over its public URL to eyeball how it behaves on a real device.

The through-line is speed. Each of these tasks normally needs a deploy or an infrastructure change, and ngrok replaces that with one command.

How to Use ngrok

Getting a public URL takes three steps: install the agent, connect it to your account, and start a tunnel.

1. Install and connect

Install the agent with a package manager or download it for your operating system, then add the authtoken from your ngrok dashboard so the agent is tied to your account.

# Install (pick one)
brew install ngrok            # macOS
choco install ngrok           # Windows
npm install -g ngrok          # any OS with Node.js

# Connect the agent to your account
ngrok config add-authtoken <YOUR_AUTHTOKEN>

2. Start a tunnel

Point ngrok at the local port your app already runs on. If your dev server is on port 3000, one command exposes it:

$ ngrok http 3000

Session Status   online
Account          your-name (Plan: Free)
Forwarding       https://abc123.ngrok-free.app -> http://localhost:3000

Connections      ttl     opn     rt1     rt5
                 0       0       0.00    0.00

The Forwarding line is the public URL. Share it, paste it into a webhook configuration, or open it on another device. Visit the local inspection interface (usually http://127.0.0.1:4040) to watch and replay requests as they come in.

Is ngrok Safe?

ngrok the tool is safe and encrypted; the risk lives in how a tunnel is used. The traffic between the agent and ngrok's edge is encrypted, and the tool is a legitimate, widely used product.

It is worth knowing the security context, though. MITRE ATT&CK catalogs ngrok as a legitimate reverse proxy that attackers also abuse, for example to tunnel command-and-control traffic or quietly proxy connections through a firewall. The tool is not malicious; the same capability that helps you is useful to an intruder.

For everyday development, treat a tunnel like an open door and follow a few habits:

• Only tunnel what you mean to share. A tunnel exposes whatever runs on that port, so do not point it at an app holding real secrets or production data.
• Add authentication. Protect the endpoint with basic auth, OAuth, or an IP restriction so a leaked URL is not an open invitation.
• Close it when done. Stop the agent as soon as you finish, rather than leaving a long-lived public URL pointing at your laptop.

Is ngrok Free?

Yes, ngrok has a free plan, with limits. The free tier is enough to learn the tool and handle light webhook and demo work, and it now includes a free assigned dev domain, so you are not handed a brand-new random URL on every run.

The free plan also carries usage limits on things like monthly requests, bandwidth, and how many tunnels you can run at once, and it shows visitors an interstitial warning page before they reach your app. Paid plans remove that warning page, raise the limits, and unlock custom domains and team features. Because these limits change over time, confirm the current numbers on ngrok's pricing page before you rely on them.

For short-lived sharing and webhook debugging, the free plan is usually plenty. For an always-on endpoint or anything customer-facing, a paid plan or a reserved domain is the more dependable choice.

ngrok for Testing

ngrok is great for getting eyes on a local build, and that includes opening it manually on a phone or a colleague's machine. Where it stops is automated testing: ngrok hands you a URL, but it does not run your cross-browser tests across operating systems and real devices.

That is the job of a testing-cloud tunnel. TestMu AI Underpass creates an outbound, SSH-encrypted tunnel from your machine to the TestMu AI cloud, so cloud browsers can reach your local or staging server without it being publicly exposed. Your app stays private, and the grid does the testing.

The practical difference for a QA workflow:

• Scale instead of a single viewer. Run a local or staging build against 3,000+ browser and OS combinations and 10,000+ real devices on the real device cloud, rather than one manual look.
• Private by design. The SSH tunnel routes safely through firewalls and proxies, with no public URL and no certificate to install on your machine.
• Automation ready. It works with Selenium, Playwright, Cypress, and Appium, so your existing test suite runs against the tunneled app.
• Bundled with the platform. Underpass is included with TestMu AI plans, and you can author the tests themselves in plain English with KaneAI.

A useful rule of thumb: reach for ngrok when a human needs to see your local app, and reach for a testing-cloud tunnel when a test suite needs to run against it at scale.

Conclusion

ngrok earns its place in the toolkit by solving one problem cleanly: it turns localhost into a public URL in seconds, with no deploy and no network changes. That makes it ideal for webhooks, quick demos, and integrations that need a real address.

Just keep its boundaries in mind. Treat each tunnel as a public door, mind the free-plan limits, and when the goal shifts from "let me show this" to "let me test this everywhere," move to a testing-cloud tunnel like TestMu AI Underpass so your local build can run across real browsers and devices while staying private. Start testing your local builds on the TestMu AI cloud and let the grid do the work.