login & auth
Sign in with SSO, check your identity, and sign out.
tunnelctl authenticates against your organization's identity provider using OIDC (Authorization Code + PKCE). Tokens are stored locally and refreshed automatically before each API call, so you typically only log in once.
tunnelctl login
tunnelctl login
Opens your browser to the identity provider and completes the login via a local callback.
On success, tokens are written to ~/.config/tunnelctl/oidc.json (mode 0600).
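An added example, not part of tunnelctl or its documentation: a shell check that the token file still has the mode stated above (0600), is a regular file owned by you, and sits in a directory that group and others cannot write to. The function names are made up for this example, and the demo at the end runs against a constructed scratch file rather than your real token store.

```shell
#!/bin/sh
# Added example (not tunnelctl code): audit the permissions of a token file.

# Octal mode / owner uid of a path: GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_token_file PATH: prints findings, returns 0 only if nothing is wrong.
check_token_file() {
    f=$1
    rc=0
    # A symlink could redirect token writes to a location someone else controls.
    if [ -L "$f" ]; then echo "FAIL: $f is a symlink"; return 1; fi
    if [ ! -f "$f" ]; then echo "FAIL: $f is missing or not a regular file"; return 1; fi

    mode=$(file_mode "$f")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $f has mode $mode, expected 600"
        rc=1
    fi
    if [ "$(file_owner "$f")" != "$(id -u)" ]; then
        echo "FAIL: $f is not owned by the current user"
        rc=1
    fi

    # A group- or world-writable parent lets another user replace the file.
    dir=$(dirname "$f")
    dmode=$(file_mode "$dir")
    case "$dmode" in
        *[2367][0-7]|*[0-7][2367])
            echo "FAIL: $dir has mode $dmode (writable by group or others)"
            rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then echo "OK: $f"; fi
    return "$rc"
}

# Constructed demo in a scratch directory; the real target would be
# ~/.config/tunnelctl/oidc.json, the path given above.
demo=$(mktemp -d)
chmod 700 "$demo"
: > "$demo/oidc.json"
chmod 644 "$demo/oidc.json"
check_token_file "$demo/oidc.json" || true   # reports the 644 mode
chmod 600 "$demo/oidc.json"
check_token_file "$demo/oidc.json"           # reports OK
rm -rf "$demo"
```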
Headless / SSH
When there's no browser available, use the device-code flow:
tunnelctl login --no-browser

| Flag | Description |
|---|---|
| --no-browser | Don't try to open a browser; print a code/URL to complete sign-in on another device. |
tunnelctl whoami
Show who you're signed in as and when the token expires.
tunnelctl whoami
tunnelctl whoami --verify

| Flag | Description |
|---|---|
| --verify | Verify the tokens work end-to-end, against the identity provider and the tunnelctl API. |
tunnelctl logout
tunnelctl logout
Removes the locally stored tokens. Running tunnels keep their own per-tunnel connection tokens until they stop.
Token lifetime
The access token is short-lived (~5 minutes) and refreshed transparently using the refresh token. See Authentication for the full model.