Port Tunnels

Port tunnels let you expose a local port with a public HTTPS URL, similar to ngrok. Traffic flows through the Wrapd tunnel server to your machine — no configuration or firewall changes needed.

# Expose local port 3000
wrapd tunnel 3000
# Expose a specific host
wrapd tunnel 8080 --host 0.0.0.0

Output:

Tunnel active!
Public URL: https://a1b2c3d4.tunnel.wrapd.sh
Forwarding: 127.0.0.1:3000
Tunnel ID: a1b2c3d4
Press Ctrl+C to close the tunnel.

The public URL is immediately accessible from anywhere. All traffic is proxied through Wrapd’s servers to your local port.

[Internet] → [Caddy *.tunnel.wrapd.sh] → [Tunnel Proxy :7508] → [Agent WS] → [localhost:port]
  1. wrapd tunnel <port> authenticates with your agent token and opens a WebSocket connection
  2. The tunnel server assigns a random subdomain (8 hex characters)
  3. HTTP requests to <subdomain>.tunnel.wrapd.sh are serialized and forwarded through the WebSocket
  4. Your agent forwards the request to localhost:<port> and sends the response back

Port tunnels use the same agent token as regular Wrapd endpoints. Pass it via the --token flag or the WRAPD_TOKEN environment variable:

wrapd tunnel 3000 --token wrapd_at_...

Feature | Free | Pro | Team
Active tunnels | 1 | 5 | 20
Max duration | 4 hours | 12 hours | Unlimited

Active tunnels appear in the dashboard under Tunnels in the sidebar. You can close a tunnel from the dashboard or by pressing Ctrl+C in the terminal.

  • HTTP only — WebSocket upgrade passthrough is not supported in v1
  • 10 MB body limit — request and response bodies are capped at 10 MB (base64 encoded over JSON WebSocket frames)
  • Latency — every request has WebSocket round-trip overhead, similar to ngrok
  • No custom subdomains — subdomains are randomly assigned (8 hex chars)
  • Ephemeral — tunnels die immediately when the agent disconnects; there’s no persistent tunnel state
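
The request serialization in steps 3 and 4 and the 10 MB body limit above, sketched as an added example (not Wrapd's code). The page does not document the wire format, so the field names id, method, path, headers and body, every function name, and the reading of 10 MB as binary megabytes are assumptions.

```python
import base64
import json

MAX_BODY = 10 * 1024 * 1024  # page says 10 MB; binary megabytes assumed here
HOP_BY_HOP = {"connection", "keep-alive", "te", "trailer",
              "transfer-encoding", "upgrade"}  # per-connection headers, not forwarded


class FrameError(ValueError):
    """A frame broke the size limit or the expected shape."""


def b64_len(n: int) -> int:
    """Characters needed to base64-encode n bytes (with padding)."""
    return 4 * ((n + 2) // 3)


def encode_request(req_id: str, method: str, path: str,
                   headers: dict, body: bytes) -> str:
    """Server side: serialize one HTTP request into a JSON text frame."""
    if len(body) > MAX_BODY:
        raise FrameError("body exceeds the 10 MB limit")
    kept = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    return json.dumps({"id": req_id, "method": method, "path": path,
                       "headers": kept,
                       "body": base64.b64encode(body).decode("ascii")})


def decode_request(frame: str, host: str, port: int) -> dict:
    """Agent side: validate a frame and build the request for the local port.

    host and port come from the agent's own settings, never from the frame.
    """
    msg = json.loads(frame)
    if not isinstance(msg, dict):
        raise FrameError("frame must be a JSON object")
    path, b64 = msg.get("path"), msg.get("body", "")
    # Origin-form only, so string concatenation cannot change the authority.
    if not isinstance(path, str) or not path.startswith("/"):
        raise FrameError("path must start with '/'")
    # Check the encoded length first: no decode buffer for oversized input.
    if not isinstance(b64, str) or len(b64) > b64_len(MAX_BODY):
        raise FrameError("encoded body exceeds the 10 MB limit")
    try:
        body = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise FrameError("body is not valid base64") from exc
    return {"id": msg.get("id"), "method": msg.get("method"),
            "url": f"http://{host}:{port}{path}",
            "headers": msg.get("headers", {}), "body": body}
```

Under these assumptions a body at the cap occupies 13,981,016 base64 characters in the frame, about a third more than the raw bytes, so the agent's WebSocket message size limit has to allow for that plus the JSON envelope.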