funnel

Authentication

API keys, OAuth, and access control

Funnel uses API keys for all authenticated requests. OAuth provides a way to obtain keys through a browser flow.

API keys

Every API request requires an Authorization: Bearer <key> header. Keys are created with scoped permissions:

  • tunnels: can create and use tunnels
  • management: can manage keys, users, teams, and view sessions

Keys are stored as hashes. The plaintext key is returned only once, at creation.

Seed key

On first startup, use --seed-api-key to create an initial admin key:

funnel-server --seed-api-key

The key is printed to the server logs. Use it to bootstrap your setup, then create dedicated keys for users.

Create keys via CLI

funnel keys create --name "ci-deploy"

Create keys via API

curl -X POST https://tunnel.example.com/api/v1/keys \
  -H "Authorization: Bearer $ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "ci-deploy", "scopes": ["tunnels"]}'

Key expiry

Keys can be created with an expiry time. After expiry, the key is rejected.

Revoke keys

funnel keys list
# find the key ID, then:
curl -X DELETE https://tunnel.example.com/api/v1/keys/<id> \
  -H "Authorization: Bearer $ADMIN_KEY"
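
The key lifecycle described in this section (hash-only storage, scopes, expiry, revocation), modelled as an added example; it is not Funnel's own code. The `KeyStore` class, the in-memory dict, the reason strings, and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

VALID_SCOPES = {"tunnels", "management"}  # the two scopes named on this page


class KeyStore:
    """Hypothetical model: keeps digests of keys, never the plaintext."""

    def __init__(self):
        self._keys = {}  # key id -> record (name, digest, scopes, expires_at)

    def create(self, name, scopes, ttl_seconds=None, now=None):
        if not scopes or not set(scopes) <= VALID_SCOPES:
            raise ValueError("unknown or empty scope list")
        now = time.time() if now is None else now
        plaintext = secrets.token_urlsafe(32)  # handed back once, never stored
        key_id = secrets.token_hex(4)
        self._keys[key_id] = {
            "name": name,
            # Assumption: SHA-256, adequate for high-entropy random keys.
            "digest": hashlib.sha256(plaintext.encode()).digest(),
            "scopes": frozenset(scopes),
            "expires_at": None if ttl_seconds is None else now + ttl_seconds,
        }
        return key_id, plaintext

    def revoke(self, key_id):
        return self._keys.pop(key_id, None) is not None

    def authorize(self, header, required_scope, now=None):
        """Return (allowed, reason) for an Authorization header value."""
        now = time.time() if now is None else now
        scheme, _, presented = (header or "").partition(" ")
        if scheme.lower() != "bearer" or not presented:
            return False, "missing bearer key"
        digest = hashlib.sha256(presented.encode()).digest()
        for rec in self._keys.values():
            if hmac.compare_digest(rec["digest"], digest):  # constant-time
                if rec["expires_at"] is not None and now >= rec["expires_at"]:
                    return False, "expired"
                if required_scope not in rec["scopes"]:
                    return False, "insufficient scope"
                return True, "ok"
        return False, "unknown key"
```

Because only the digest is kept, a lost key cannot be recovered from the store; it has to be revoked and reissued.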

OAuth

OAuth lets users log in through a browser and receive an API key automatically. Two providers are supported.

GitHub

funnel-server \
  --base-url https://tunnel.example.com \
  --github-client-id <client_id> \
  --github-client-secret <client_secret>

Flag                      Env
--github-client-id        GITHUB_CLIENT_ID
--github-client-secret    GITHUB_CLIENT_SECRET
--base-url                BASE_URL

Set the GitHub OAuth callback URL to https://tunnel.example.com/auth/v1/github/callback.

Generic OIDC

Any OpenID Connect provider (GitLab, Google, Keycloak, etc.):

funnel-server \
  --base-url https://tunnel.example.com \
  --oauth-provider-name gitlab \
  --oauth-client-id <id> \
  --oauth-client-secret <secret> \
  --oauth-authorize-url https://gitlab.com/oauth/authorize \
  --oauth-token-url https://gitlab.com/oauth/token \
  --oauth-userinfo-url https://gitlab.com/api/v4/user

Flag                      Env                    Default
--oauth-provider-name     OAUTH_PROVIDER_NAME    -
--oauth-client-id         OAUTH_CLIENT_ID        -
--oauth-client-secret     OAUTH_CLIENT_SECRET    -
--oauth-authorize-url     OAUTH_AUTHORIZE_URL    -
--oauth-token-url         OAUTH_TOKEN_URL        -
--oauth-userinfo-url      OAUTH_USERINFO_URL     -
--oauth-scopes            OAUTH_SCOPES           openid email profile
--oauth-id-field          OAUTH_ID_FIELD         sub
--oauth-email-field       OAUTH_EMAIL_FIELD      email
--oauth-name-field        OAUTH_NAME_FIELD       name
--oauth-avatar-field      OAUTH_AVATAR_FIELD     picture

The callback URL is https://tunnel.example.com/auth/v1/<provider_name>/callback.

Client login

funnel login                     # uses github by default
funnel login --provider gitlab   # use a specific provider

The CLI starts a local HTTP server, opens the browser for the OAuth flow, and stores the received API key in the context config.

Initial admin

Set --initial-admin-email to auto-promote a user to admin on their first OAuth login:

funnel-server --initial-admin-email admin@example.com
