Skip to main content

HTTP Variables

Action Result Variables

The following variables are made available for use in subsequent expressions and CEL interpolations after the action has run. Variable values will only apply to the last action execution, results are not concatenated.

Add Headers

NameTypeDescription
actions.ngrok.add_headers.headers_addedmap[string]stringThe headers and associated values that were added by the action.

Compress Response

NameTypeDescription
actions.ngrok.compress.already_compressedbooleanWill be true if the body was already encoded.
actions.ngrok.compress.negotiated_algorithmstringThe algorithm selected by the action.

JWT Validation

NameTypeDescription
actions.ngrok.jwt_validation.tokens[]JWTThe JWTs processed by the action.
actions.ngrok.jwt_validation.tokens[i].headermap[string]stringThe header portion of the JWT, parsed into a key value map.
actions.ngrok.jwt_validation.tokens[i].locationstringThe location in the request where the JWT was included.
actions.ngrok.jwt_validation.tokens[i].location_propertystringThe name of the header or body field where the JWT was included.
actions.ngrok.jwt_validation.tokens[i].payloadmap[string]stringThe payload portion of the JWT, parsed into a key value map.
actions.ngrok.jwt_validation.tokens[i].signaturestringThe signature portion of the JWT, in base64 encoded format.
actions.ngrok.jwt_validation.tokens[i].verifiedbooleanSet to true if token was verified.
actions.ngrok.jwt_validation.error.codestringCode for an error that occurred during the invocation of an action.
actions.ngrok.jwt_validation.error.messagestringMessage for an error that occurred during the invocation of an action.

Log

NameTypeDescription
actions.ngrok.log.metadatamap[string]stringThe key-value map of metadata that was logged.

Rate Limit

NameTypeDescription
actions.ngrok.rate_limit.bucket_keystringThe key used for bucketing requests.
actions.ngrok.rate_limit.limitedbooleanTrue if the request was limited.
actions.ngrok.rate_limit.error.codestringCode for an error that occurred during the invocation of an action.
actions.ngrok.rate_limit.error.messagestringMessage for an error that occurred during the invocation of an action.

Redirect

NameTypeDescription
actions.ngrok.redirect.matches[]stringList of matched elements.
actions.ngrok.redirect.urlstringThe resulting URL sent back for redirect.
actions.ngrok.redirect.error.codestringCode for an error that occurred during the invocation of an action.
actions.ngrok.redirect.error.messagestringMessage for an error that occurred during the invocation of an action.

Remove Headers

NameTypeDescription
actions.ngrok.remove_headers.headers_removed[]stringList of headers that were removed by the action.

Restrict IPs

NameTypeDescription
actions.ngrok.restrict_ips.actionstringThe resulting action for this action execution. Supported values are either allow or deny.
actions.ngrok.restrict_ips.matched_cidrstringThe CIDR that matched for the incoming client ip. This may be empty.
actions.ngrok.restrict_ips.error.codestringCode for an error that occurred during the invocation of an action.
actions.ngrok.restrict_ips.error.messagestringMessage for an error that occurred during the invocation of an action.

URL Rewrite

NameTypeDescription
actions.ngrok.url_rewrite.matches[]stringList of matched elements.
actions.ngrok.url_rewrite.urlstringThe resulting URL after it was re-written.
actions.ngrok.url_rewrite.error.codestringCode for an error that occurred during the invocation of an action.
actions.ngrok.url_rewrite.error.messagestringMessage for an error that occurred during the invocation of an action.

Connection Variables

The following variables are available under the conn namespace:

NameTypeDescription
conn.bytes_inint64The number of bytes entering the endpoint from the client.
conn.bytes_outint64The number of bytes leaving an endpoint to the client.
conn.client_ipstringSource IP of the connection to the ngrok endpoint.
conn.client_portint32Source port of the connection to the ngrok endpoint.
conn.server_ipstringThe IP that this connection was established on.
conn.server_portint32The port that this connection was established on.
conn.server_regionstringThe ngrok PoP (Point of Presence) that this connection was established on and serviced through.
conn.ts.starttimestampTimestamp when the connection to ngrok was started.

conn.bytes_in

The number of bytes entering the endpoint from the client.

# snippet
---
expressions:
  - "conn.bytes_in > 1000"

conn.bytes_out

The number of bytes leaving an endpoint to the client.

# snippet
---
expressions:
  - "conn.bytes_out > 1000"

conn.client_ip

Source IP of the connection to the ngrok endpoint.

# snippet
---
expressions:
  - "conn.client_ip in ['::1', '127.0.0.1']"

conn.client_port

Source port of the connection to the ngrok endpoint.

# snippet
---
expressions:
  - "conn.client_port == 80"

conn.server_ip

The IP that this connection was established on.

# snippet
---
expressions:
  - "conn.server_ip == '192.168.1.1'"

conn.server_port

The port that this connection was established on.

# snippet
---
expressions:
  - "conn.server_port == 80"

conn.server_region

The ngrok PoP (Point of Presence) that this connection was established on and serviced through.

# snippet
---
expressions:
  - "conn.server_region == 'eu'"

conn.ts.start

Timestamp when the connection to ngrok was started.

# snippet
---
expressions:
  - "conn.ts.start > timestamp('2023-12-31T00:00:00Z')"

Connection Geo Variables

The following variables are available under the conn.geo namespace:

NameTypeDescription
conn.geo.citystringThe name of the city, in EN, where the conn.client_ip is likely to originate.
conn.geo.countrystringThe name of the country, in EN, where the conn.client_ip is likely to originate.
conn.geo.country_codestringThe two-letter ISO country code where the conn.client_ip is likely to originate.
conn.geo.latitudestringThe approximate latitude where the conn.client_ip is likely to originate.
conn.geo.longitudestringThe approximate longitude where the conn.client_ip is likely to originate.
conn.geo.radiusstringThe radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.
conn.geo.subdivisionstringThe name of the subdivision, in EN, where the conn.client_ip is likely to originate.

conn.geo.city

The name of the city, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - "conn.geo.city == 'Strongsville'"

conn.geo.country

The name of the country, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - "conn.geo.country == 'United States'"

conn.geo.country_code

The two-letter ISO country code where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - "conn.geo.country_code != 'US'"

conn.geo.latitude

The approximate latitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - "double(conn.geo.latitude) >= 45.0"

conn.geo.longitude

The approximate longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - "double(conn.geo.longitude) <= -93.0"

conn.geo.radius

The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - "conn.geo.radius <= '5'"

conn.geo.subdivision

The name of the subdivision, in EN, where the conn.client_ip is likely to originate.

# snippet
---
expressions:
  - "conn.geo.subdivision == 'California'"

Connection TLS Variables

The following variables are available under the conn.tls namespace:

NameTypeDescription
conn.tls.cipher_suitestringThe cipher suite selected during the TLS handshake.
conn.tls.snistringThe hostname included in the ClientHello message via the SNI extension.
conn.tls.versionstringThe version of the TLS protocol used between the client and the ngrok edge.

conn.tls.cipher_suite

The cipher suite selected during the TLS handshake.

# snippet
---
expressions:
  - "conn.tls.cipher_suite == 'TLS_AES_128_GCM_SHA256'"

conn.tls.sni

The hostname included in the ClientHello message via the SNI extension.

# snippet
---
expressions:
  - "conn.tls.sni == 'client.example.com'"

conn.tls.version

The version of the TLS protocol used between the client and the ngrok edge.

# snippet
---
expressions:
  - "conn.tls.version == '1.3'"

Connection TLS Client Variables

The following variables are available under the conn.tls.client namespace:

NameTypeDescription
conn.tls.client.extensions[]ExtensionAdditional information added to the certificate.
conn.tls.client.extensions[i].idstringThe identifier (OID) that specifies the type of extension.
conn.tls.client.extensions[i].criticalboolTrue if the extension is critical.
conn.tls.client.extensions[i].value[]byteThe data for the extension.
conn.tls.client.issuerstringThe issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.issuer.common_namestringCommon name of the issuing authority, usually the domain name.
conn.tls.client.issuer.country[]stringCountry name(s) where the issuing authority is located.
conn.tls.client.issuer.locality[]stringLocality or city of the issuing authority.
conn.tls.client.issuer.organization[]stringName(s) of the organization that issued the certificate.
conn.tls.client.issuer.organizational_unit[]stringDivision of the organization responsible for the certificate.
conn.tls.client.issuer.postal_code[]stringPostal code of the issuing authority.
conn.tls.client.issuer.province[]stringProvince or state of the issuing authority.
conn.tls.client.issuer.street_address[]stringStreet address of the issuing authority.
conn.tls.client.sanstringSubject alternative names of the client certificate.
conn.tls.client.san.dns_names[]stringDNS names in the subject alternative names.
conn.tls.client.san.email_addresses[]stringEmail addresses in the subject alternative names.
conn.tls.client.san.ip_addresses[]stringIP addresses in the subject alternative names.
conn.tls.client.san.uris[]stringURIs in the subject alternative names.
conn.tls.client.serial_numberstringUnique identifier for the certificate.
conn.tls.client.signature_algorithmstringAlgorithm used to sign the certificate.
conn.tls.client.subjectstringThe entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.client.subject.common_namestringCommon name of the subject, usually the domain name.
conn.tls.client.subject.country[]stringCountry name(s) where the subject of the certificate is located.
conn.tls.client.subject.locality[]stringLocality or city where the subject is located.
conn.tls.client.subject.organization[]stringName(s) of the organization to which the subject belongs.
conn.tls.client.subject.organizational_unit[]stringDivision of the organization to which the subject belongs.
conn.tls.client.subject.postal_code[]stringPostal code where the subject is located.
conn.tls.client.subject.province[]stringProvince or state where the subject is located.
conn.tls.client.subject.street_address[]stringStreet address where the subject is located.
conn.tls.client.validity.not_aftertimestampExpiration date and time when the certificate is no longer valid.
conn.tls.client.validity.not_beforetimestampStart date and time when the certificate becomes valid.

conn.tls.client.extensions

Additional information added to the certificate.

# snippet
---
expressions:
  - "size(conn.tls.client.extensions) > 0"

conn.tls.client.extensions[i].id

The identifier (OID) that specifies the type of extension.

# snippet
---
expressions:
  - "conn.tls.client.extensions[0].id == '2.5.29.15'"

conn.tls.client.extensions[i].critical

True if the extension is critical.

# snippet
---
expressions:
  - "conn.tls.client.extensions[0].critical"

conn.tls.client.extensions[i].value

The data for the extension.

# snippet
---
expressions:
  - "conn.tls.client.extensions[0].value == b'\x03\x02\x05 '"

conn.tls.client.issuer

The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - "conn.tls.client.issuer == 'CN=E1,O=Let's Encrypt,C=US'"

conn.tls.client.issuer.common_name

Common name of the issuing authority, usually the domain name.

# snippet
---
expressions:
  - "conn.tls.client.issuer.common_name == 'exampleca.com'"

conn.tls.client.issuer.country

Country name(s) where the issuing authority is located.

# snippet
---
expressions:
  - "conn.tls.client.issuer.country == ['US']"

conn.tls.client.issuer.locality

Locality or city of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.client.issuer.locality == ['Mountain View']"

conn.tls.client.issuer.organization

Name(s) of the organization that issued the certificate.

# snippet
---
expressions:
  - "conn.tls.client.issuer.organization == ['Example CA']"

conn.tls.client.issuer.organizational_unit

Division of the organization responsible for the certificate.

# snippet
---
expressions:
  - "conn.tls.client.issuer.organizational_unit == ['Certification Authority
    Division']"

conn.tls.client.issuer.postal_code

Postal code of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.client.issuer.postal_code == ['94043']"

conn.tls.client.issuer.province

Province or state of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.client.issuer.province == ['California']"

conn.tls.client.issuer.street_address

Street address of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.client.issuer.street_address == ['1234 Encryption Way']"

conn.tls.client.san

Subject alternative names of the client certificate.

# snippet
---
expressions:
  - "conn.tls.client.san == 'DNS:www.example.com, DNS:example.com, IP
    Address:192.168.1.1'"

conn.tls.client.san.dns_names

DNS names in the subject alternative names.

# snippet
---
expressions:
  - "conn.tls.client.san.dns_names == ['www.example.com', 'example.com']"

conn.tls.client.san.email_addresses

Email addresses in the subject alternative names.

# snippet
---
expressions:
  - "conn.tls.client.san.email_addresses == ['ngrok-email1@example.com',
    'ngrok-email2@example.com']"

conn.tls.client.san.ip_addresses

IP addresses in the subject alternative names.

# snippet
---
expressions:
  - "conn.tls.client.san.ip_addresses == ['192.168.1.1']"

conn.tls.client.san.uris

URIs in the subject alternative names.

# snippet
---
expressions:
  - "conn.tls.client.san.uris == ['https://example.com/example']"

conn.tls.client.serial_number

Unique identifier for the certificate.

# snippet
---
expressions:
  - "conn.tls.client.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"

conn.tls.client.signature_algorithm

Algorithm used to sign the certificate.

# snippet
---
expressions:
  - "conn.tls.client.signature_algorithm == 'SHA256-RSA'"

conn.tls.client.subject

The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - "conn.tls.client.subject == 'CN=www.example.com'"

conn.tls.client.subject.common_name

Common name of the subject, usually the domain name.

# snippet
---
expressions:
  - "conn.tls.client.subject.common_name == 'www.example.com'"

conn.tls.client.subject.country

Country name(s) where the subject of the certificate is located.

# snippet
---
expressions:
  - "conn.tls.client.subject.country == ['US']"

conn.tls.client.subject.locality

Locality or city where the subject is located.

# snippet
---
expressions:
  - "conn.tls.client.subject.locality == ['Mountain View']"

conn.tls.client.subject.organization

Name(s) of the organization to which the subject belongs.

# snippet
---
expressions:
  - "conn.tls.client.subject.organization == ['Example Corp']"

conn.tls.client.subject.organizational_unit

Division of the organization to which the subject belongs.

# snippet
---
expressions:
  - "conn.tls.client.subject.organizational_unit == ['Web Services']"

conn.tls.client.subject.postal_code

Postal code where the subject is located.

# snippet
---
expressions:
  - "conn.tls.client.subject.postal_code == ['94043']"

conn.tls.client.subject.province

Province or state where the subject is located.

# snippet
---
expressions:
  - "conn.tls.client.subject.province == ['California']"

conn.tls.client.subject.street_address

Street address where the subject is located.

# snippet
---
expressions:
  - "conn.tls.client.subject.street_address == ['1234 Secure Blvd']"

conn.tls.client.validity.not_after

Expiration date and time when the certificate is no longer valid.

# snippet
---
expressions:
  - "conn.tls.client.validity.not_after == timestamp('2023-01-01T00:00:00Z')"

conn.tls.client.validity.not_before

Start date and time when the certificate becomes valid.

# snippet
---
expressions:
  - "conn.tls.client.validity.not_before == timestamp('2020-01-01T00:00:00Z')"

Connection TLS Server Variables

The following variables are available under the conn.tls.server namespace:

NameTypeDescription
conn.tls.server.extensions[]ExtensionAdditional information added to the certificate.
conn.tls.server.extensions[i].idstringThe identifier that specifies the type of extension.
conn.tls.server.extensions[i].criticalboolTrue if the extension is critical.
conn.tls.server.extensions[i].value[]byteThe data for the extension.
conn.tls.server.issuerstringThe issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.issuer.common_namestringCommon name of the issuing authority, usually the domain name.
conn.tls.server.issuer.country[]stringCountry name(s) where the issuing authority is located.
conn.tls.server.issuer.locality[]stringLocality or city of the issuing authority.
conn.tls.server.issuer.organization[]stringName(s) of the organization that issued the certificate.
conn.tls.server.issuer.organizational_unit[]stringDivision of the organization responsible for the certificate.
conn.tls.server.issuer.postal_code[]stringPostal code of the issuing authority.
conn.tls.server.issuer.province[]stringProvince or state of the issuing authority.
conn.tls.server.issuer.street_address[]stringStreet address of the issuing authority.
conn.tls.server.sanstringSubject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.dns_names[]stringDNS names in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.email_addresses[]stringEmail addresses in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.ip_addresses[]stringIP addresses in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.san.uris[]stringURIs in the subject alternative names of the ngrok server's leaf TLS certificate.
conn.tls.server.serial_numberstringUnique identifier for the certificate.
conn.tls.server.signature_algorithmstringAlgorithm used to sign the certificate.
conn.tls.server.subjectstringThe entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.
conn.tls.server.subject.common_namestringCommon name of the subject, usually the domain name.
conn.tls.server.subject.country[]stringCountry name(s) where the subject of the certificate is located.
conn.tls.server.subject.locality[]stringLocality or city where the subject is located.
conn.tls.server.subject.organization[]stringName(s) of the organization to which the subject belongs.
conn.tls.server.subject.organizational_unit[]stringDivision of the organization to which the subject belongs.
conn.tls.server.subject.postal_code[]stringPostal code where the subject is located.
conn.tls.server.subject.province[]stringProvince or state where the subject is located.
conn.tls.server.subject.street_address[]stringStreet address where the subject is located.
conn.tls.server.validity.not_aftertimestampExpiration date and time when the certificate is no longer valid.
conn.tls.server.validity.not_beforetimestampStart date and time when the certificate becomes valid.

conn.tls.server.extensions

Additional information added to the certificate.

# snippet
---
expressions:
  - "size(conn.tls.server.extensions) > 0"

conn.tls.server.extensions[i].id

The identifier that specifies the type of extension.

# snippet
---
expressions:
  - "conn.tls.server.extensions[0].id == '2.5.29.15'"

conn.tls.server.extensions[i].critical

True if the extension is critical.

# snippet
---
expressions:
  - "conn.tls.server.extensions[0].critical"

conn.tls.server.extensions[i].value

The data for the extension.

# snippet
---
expressions:
  - "conn.tls.server.extensions[0].value == b'\x03\x02\x05 '"

conn.tls.server.issuer

The issuing authority of the certificate as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - "conn.tls.server.issuer == 'CN=E1,O=Let's Encrypt,C=US'"

conn.tls.server.issuer.common_name

Common name of the issuing authority, usually the domain name.

# snippet
---
expressions:
  - "conn.tls.server.issuer.common_name == 'exampleca.com'"

conn.tls.server.issuer.country

Country name(s) where the issuing authority is located.

# snippet
---
expressions:
  - "conn.tls.server.issuer.country == ['US']"

conn.tls.server.issuer.locality

Locality or city of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.server.issuer.locality == ['Mountain View']"

conn.tls.server.issuer.organization

Name(s) of the organization that issued the certificate.

# snippet
---
expressions:
  - "conn.tls.server.issuer.organization == ['Example CA']"

conn.tls.server.issuer.organizational_unit

Division of the organization responsible for the certificate.

# snippet
---
expressions:
  - "conn.tls.server.issuer.organizational_unit == ['Certification Authority
    Division']"

conn.tls.server.issuer.postal_code

Postal code of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.server.issuer.postal_code == ['94043']"

conn.tls.server.issuer.province

Province or state of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.server.issuer.province == ['California']"

conn.tls.server.issuer.street_address

Street address of the issuing authority.

# snippet
---
expressions:
  - "conn.tls.server.issuer.street_address == ['1234 Encryption Way']"

conn.tls.server.san

Subject alternative names of the server certificate of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - "conn.tls.server.san == 'DNS:www.example.com, DNS:example.com, IP
    Address:192.168.1.1'"

conn.tls.server.san.dns_names

DNS names in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - "conn.tls.server.san.dns_names == ['ngrok-dns.com', 'ngrok-dns2.com']"

conn.tls.server.san.email_addresses

Email addresses in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - "conn.tls.server.san.email_addresses == ['ngrok-email1@example.com',
    'ngrok-email2@example.com']"

conn.tls.server.san.ip_addresses

IP addresses in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - "conn.tls.server.san.ip_addresses == ['192.168.1.1']"

conn.tls.server.san.uris

URIs in the subject alternative names of the ngrok server's leaf TLS certificate.

# snippet
---
expressions:
  - "conn.tls.server.san.uris == ['https://example.com/example']"

conn.tls.server.serial_number

Unique identifier for the certificate.

# snippet
---
expressions:
  - "conn.tls.server.serial_number == 'b53017e79d4a5208b314a55d3574e0a8'"

conn.tls.server.signature_algorithm

Algorithm used to sign the certificate.

# snippet
---
expressions:
  - "conn.tls.server.signature_algorithm == 'SHA256-RSA'"

conn.tls.server.subject

The entity to whom the certificate is issued as a string roughly following the RFC 2253 Distinguished Names syntax.

# snippet
---
expressions:
  - "conn.tls.server.subject == 'CN=www.example.com'"

conn.tls.server.subject.common_name

Common name of the subject, usually the domain name.

# snippet
---
expressions:
  - "conn.tls.server.subject.common_name == 'ngrok-server.example.com'"

conn.tls.server.subject.country

Country name(s) where the subject of the certificate is located.

# snippet
---
expressions:
  - "conn.tls.server.subject.country == ['US']"

conn.tls.server.subject.locality

Locality or city where the subject is located.

# snippet
---
expressions:
  - "conn.tls.server.subject.locality == ['Mountain View']"

conn.tls.server.subject.organization

Name(s) of the organization to which the subject belongs.

# snippet
---
expressions:
  - "conn.tls.server.subject.organization == ['Example Corp']"

conn.tls.server.subject.organizational_unit

Division of the organization to which the subject belongs.

# snippet
---
expressions:
  - "conn.tls.server.subject.organizational_unit == ['Web Services']"

conn.tls.server.subject.postal_code

Postal code where the subject is located.

# snippet
---
expressions:
  - "conn.tls.server.subject.postal_code == ['94043']"

conn.tls.server.subject.province

Province or state where the subject is located.

# snippet
---
expressions:
  - "conn.tls.server.subject.province == ['California']"

conn.tls.server.subject.street_address

Street address where the subject is located.

# snippet
---
expressions:
  - "conn.tls.server.subject.street_address == ['1234 Secure Blvd']"

conn.tls.server.validity.not_after

Expiration date and time when the certificate is no longer valid.

# snippet
---
expressions:
  - "conn.tls.server.validity.not_after > timestamp('2023-01-01T00:00:00Z')"

conn.tls.server.validity.not_before

Start date and time when the certificate becomes valid.

# snippet
---
expressions:
  - "conn.tls.server.validity.not_before < timestamp('2020-01-01T00:00:00Z')"

Endpoint Variables

The following variables are available under the endpoint namespace:

NameTypeDescription
endpoint.addrstringThe address for this endpoint.
endpoint.hoststringThe hostname for this endpoint.
endpoint.idstringThe endpoint that serviced this connection.
endpoint.portint32The port for this endpoint.
endpoint.protocolstringThe protocol for this endpoint. Current supported values are http, https, tcp, and tls.
endpoint.urlstringThe url for this endpoint.

endpoint.addr

The address for this endpoint.

# snippet
---
expressions:
  - "endpoint.addr == 'my-subdomain.ngrok.app:443'"

endpoint.host

The hostname for this endpoint.

# snippet
---
expressions:
  - "endpoint.host == 'my-subdomain.ngrok.app'"

endpoint.id

The id for this endpoint.

# snippet
---
expressions:
  - "endpoint.id == 'ep_2iL8LRbQilSCKYjaslRoqBwJcfT'"

endpoint.port

The port for this endpoint.

# snippet
---
expressions:
  - "endpoint.port == 443"

endpoint.protocol

The protocol for this endpoint. Current supported values are http, https, tcp, and tls.

# snippet
---
expressions:
  - "endpoint.protocol == 'https'"

endpoint.url

The url for this endpoint.

# snippet
---
expressions:
  - "endpoint.url == 'https://my-subdomain.ngrok.app'"

Request Variables

The following variables are available under the req namespace:

NameTypeDescription
req.content_encodinglist[string]The encodings set in the Content-Encoding header for this request.
req.content_lengthint64The content length of the body in bytes. This may not be present if the request does not contain a body or if the client does not specify a content length because they are streaming the body.
req.content_typestringThe media type set in the Content-Type header for this request.
req.content_type.parametersmap[string]stringThe parameters set in the Content-Type header for this request.
req.content_type.rawstringThe value of the Content-Type header for this request.
req.cookiesmap[string][]cookieThe HTTP cookie objects included in this request. If there are multiple cookies with the same name, they will be ordered as specified in the Cookie header.
req.cookies[k][i].namestringThe name of the cookie.
req.cookies[k][i].valuestringThe value of the cookie.
req.headersmap[string][]stringThe request headers parsed as a map of lower-case names to values.
req.hoststringThe value of the host header field for this request.
req.locationstringThe value of the Location header for this request.
req.methodstringThe method for this request.
req.trailersmap[string][]stringThe request trailers parsed as a map of lower-case names to values.
req.ts.body_receivedtimestampThe timestamp when ngrok received the body of the request. This may not be present if the request does not contain a body.
req.ts.header_receivedtimestampThe timestamp when ngrok received the header of the request.
req.urlstringThe normalized full URL for this request.
req.url.authoritystringThe authority portion of the URL.
req.url.hoststringThe hostname portion of the host for this request.
req.url.pathstringThe path for this request including the leading forward slash.
req.url.portint32The port portion of the URL. This may not be present if the URL does not explicitly specify a port.
req.url.querystringThe full query string for this request excluding the leading question mark.
req.url.query_paramsmap[string][]stringThe request query string parsed as a map of names to values.
req.url.rawstringThe un-normalized full URL for this request.
req.url.raw_pathstringThe un-normalized path including the leading slash for this request.
req.url.schemestringThe scheme for this request.
req.url.uristringThe URI (path and query) portion of the URL.
req.url.user_passwordstringThe user:password portion of the URL.
req.user_agentstringThe value of the User-Agent header for this request.
req.versionstringThe HTTP version for this request.

req.content_encoding

The encoding set in the Content-Encoding header for this request.

# snippet
---
expressions:
  - "req.content_encoding[0] == 'br'"

req.content_length

The content length of the body in bytes. This may not be present if the request does not contain a body or if the client does not specify a content length because they are streaming the body.

# snippet
---
expressions:
  - "req.content_length > 10000000"

req.content_type

The media type set in the Content-Type header for this request.

# snippet
---
expressions:
  - "req.content_type == 'application/json'"

req.content_type.parameters

The parameters set in the Content-Type header for this request.

# snippet
---
expressions:
  - "req.content_type.parameters['charset'] == 'utf-8'"

req.content_type.raw

The value of the Content-Type header for this request.

# snippet
---
expressions:
  - "req.content_type.raw == 'application/json; charset=utf-8'"

req.cookies

The HTTP cookie objects included in this request. If there are multiple cookies with the same name, they will be ordered as specified in the Cookie header.

# snippet
---
expressions:
  - "size(req.cookies) > 0"

req.cookies[k][i].name

The name of the cookie.

# snippet
---
expressions:
  - "req.cookies['sessionId'][0].name == 'sessionId'"

req.cookies[k][i].value

The value of the cookie.

# snippet
---
expressions:
  - "req.cookies['sessionId'][0].value > 'value'"

req.headers

The request headers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'Fizz' in req.headers['baz']"

req.host

The value of the host header field value for this request.

# snippet
---
expressions:
  - "req.host == 'nba.com'"

req.location

The value of the Location header for this request.

# snippet
---
expressions:
  - "req.location == '/index.html'"

req.method

The method for this request.

# snippet
---
expressions:
  - "req.method == 'POST' || req.method == 'PUT'"

req.trailers

The request trailers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'Fizz' in req.trailers['baz']"

req.ts.body_received

The timestamp when ngrok received the body of the request. This may not be present if the request does not contain a body.

# snippet
---
expressions:
  - "req.ts.body_received > timestamp('2023-12-31T00:00:00Z')"

req.ts.header_received

The timestamp when ngrok received the header of the request.

# snippet
---
expressions:
  - "req.ts.header_received > timestamp('2023-12-31T00:00:00Z')"

req.url

The normalized full URL for this request.

# snippet
---
expressions:
  - "req.url == 'https://nba.com/')"

req.url.authority

The authority portion of the URL.

# snippet
---
expressions:
  - "req.url.authority == 'user:password@nba.com'"

req.url.host

The hostname portion of the host for this request.

# snippet
---
expressions:
  - "req.url.host == 'nba.com'"

req.url.path

The path for this request including the leading forward slash.

# snippet
---
expressions:
  - "req.url.path.startsWith('/foo')"

req.url.port

The port portion of the URL. This may not be present if the URL does not explicitly specify a port.

# snippet
---
expressions:
  - "req.url.port == 443"

req.url.query

The full query string for this request excluding the leading question mark.

# snippet
---
expressions:
  - "req.url.query == 'number=23&name=jordan'"

req.url.query_params

The request query string parsed as a map of names to values.

# snippet
---
expressions:
  - "'bar' in req.url.query_params['foo']"

req.url.raw

The un-normalized full URL for this request.

# snippet
---
expressions:
  - "req.url.raw.includes('/foo')"

req.url.raw_path

The un-normalized path including the leading slash for this request.

# snippet
---
expressions:
  - "req.url.raw_path.startsWith('/foo')"

req.url.scheme

The scheme for this request.

# snippet
---
expressions:
  - "req.url.scheme == 'https'"

req.url.uri

The URI (path and query) portion of the URL.

# snippet
---
expressions:
  - "req.url.uri.contains('/api/players?number=23&name=jordan')"

req.url.user_password

The user:password portion of the URL.

# snippet
---
expressions:
  - "req.url.user_password == 'user:password'"

req.user_agent

The value of the User-Agent header for this request.

# snippet
---
expressions:
  - "req.user_agent.contains('curl')"

req.version

The HTTP version for this request.

# snippet
---
expressions:
  - "req.version == 'HTTP/2.0"

Response Variables

The following variables are available under the res namespace:

NameTypeDescription
res.content_encodinglist[string]The encoding set in the Content-Encoding header for this response.
res.content_lengthint64The length of the content associated with the response.
res.content_typestringThe media type set in the Content-Type header for this response.
res.content_type.parametersmap[string]stringThe parameters set in the Content-Type header for this response.
res.content_type.rawstringThe Content-Type header for this response as a string.
res.cookiesmap[string][]cookieThe HTTP cookie objects included in this response. If there are multiple cookies with the same name, they will be ordered by path length, with longest path first.
res.cookies[k][i].domainstringThe value of the Domain attribute of the cookie.
res.cookies[k][i].expirestimestampThe value of the Expires attribute of the cookie.
res.cookies[k][i].http_onlybooleanThe value of the HttpOnly attribute of the cookie.
res.cookies[k][i].max_agedurationThe value of the MaxAge attribute of the cookie.
res.cookies[k][i].namestringThe name of the cookie.
res.cookies[k][i].pathstringThe value of the Path attribute of the cookie.
res.cookies[k][i].same_sitestringThe value of the SameSite attribute of the cookie.
res.cookies[k][i].securebooleanThe value of the Secure attribute of the cookie.
res.cookies[k][i].unparsed_attributesmap[string]stringAny non-standard attributes of the cookie parsed as a map of names to values .
res.cookies[k][i].valuestringThe value of the cookie.
res.headersmap[string][]stringThe response headers parsed as a map of lower-case names to values.
res.locationstringThe Location header value of this response.
res.status_codeint32The status code of this response.
res.trailersmap[string][]stringThe response trailers parsed as a map of lower-case names to values.

res.content_encoding

The encoding set in the Content-Encoding header for this response.

# snippet
---
expressions:
  - "res.content_encoding[0] == 'br'"

res.content_length

The length of the content associated with the response.

# snippet
---
expressions:
  - "res.content_length != 0"

res.content_type

The media type set in the Content-Type header for this response.

# snippet
---
expressions:
  - "res.content_type == 'application/json'"

res.content_type.parameters

The parameters set in the Content-Type header for this response.

# snippet
---
expressions:
  - "res.content_type.parameters['charset'] == 'utf-8'"

res.content_type.raw

The Content-Type header for this response as a string.

# snippet
---
expressions:
  - "res.content_type.raw == 'application/json; charset=utf-8'"

res.cookies

The HTTP cookie objects included in this response. If there are multiple cookies with the same name, they will be ordered by path length, with longest path first.

# snippet
---
expressions:
  - "size(res.cookies) > 0"

res.cookies[k][i].domain

The value of the Domain attribute of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].domain == 'nba.com'"

res.cookies[k][i].expires

The value of the Expires attribute of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].expires > timestamp(time.now)"

res.cookies[k][i].http_only

The value of the HttpOnly attribute of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].http_only"

res.cookies[k][i].max_age

The value of the MaxAge attribute of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].max_age > duration('24h')"

res.cookies[k][i].name

The name of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].name == 'sessionId'"

res.cookies[k][i].path

The value of the Path attribute of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].path == '/"

res.cookies[k][i].same_site

The value of the SameSite attribute of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].same_site"

res.cookies[k][i].secure

The value of the Secure attribute of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].secure"

res.cookies[k][i].unparsed_attributes

Any non-standard attributes of the cookie parsed as a map of names to values.

# snippet
---
expressions:
  - "size(res.cookies['sessionId'][0].unparsed_attributes) > 0"

res.cookies[k][i].value

The value of the cookie.

# snippet
---
expressions:
  - "res.cookies['sessionId'][0].value > 'value'"

res.headers

The response headers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'Fizz' in res.headers['baz']"

res.location

The location header value of the response.

# snippet
---
expressions:
  - "res.location == '/index.html'"

res.status_code

The status code of this response.

# snippet
---
expressions:
  - "res.status_code >= 300"

res.trailers

The response trailers parsed as a map of lower-case names to values.

# snippet
---
expressions:
  - "'fizz' in res.trailers['baz']"

Time variables

The following variables are available under the time namespace:

NameTypeDescription
time.nowstringThe current UTC time in RFC3339 format.

time.now

The current UTC time in RFC3339 format.

# snippet
---
expressions:
  - "conn.ts.end < timestamp(time.now)"