
Authentication

Tachyon provides flexible access control for your tunnels.

Default: Team Authentication

By default, tunnels require sign-in with company credentials:

    tcn share 3000

Users must authenticate via GitHub/Google before accessing the tunnel.

Public Access

Disable authentication for demos or webhooks:

    tcn share 3000 --public

Public tunnels are accessible by anyone with the URL. Use carefully.

Email Allowlist

Restrict access to specific email addresses:

    tcn share 3000 --allow [email protected] [email protected]

Only users with matching email addresses can access the tunnel.

Reserved Subdomains

With a Pro plan, reserve a consistent subdomain:

    tcn share 3000 --subdomain my-api
    # → https://my-api.tunnel.dotsetlabs.dev

Benefits:
  • Consistent URL across sessions
  • Easy to remember and share
  • Webhook configurations don’t break

Project-Level Access

Grant access to entire teams via projects:

    # Create project
    tcn share 3000 --new-project "API Development"

    # Add team members
    tcn members add [email protected]
    tcn members add [email protected]

All project members can access tunnels in that project.

Access Roles

Role   | Permissions
Owner  | Full access, can delete project
Admin  | Manage members, create tunnels
Member | Access tunnels, view requests
Viewer | View tunnels only

SSO Providers

Tachyon supports:

GitHub

Default SSO provider. Personal or organization accounts.

Google

Use tcn login --google to authenticate.

Security Best Practices

  1. Use authentication — Only use --public when necessary
  2. Limit access — Use --allow to restrict to specific emails
  3. Use projects — Organize tunnels by team or purpose
  4. Monitor access — Check tunnel access in the dashboard
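
One way to check practices 1 and 2 in scripts that start tunnels: the shell lint below reports the access mode of each tcn share line. It is an added example, not part of Tachyon or its documentation. It recognises only the flags shown on this page and assumes --public overrides --allow; the function names and the sample input are constructed.

```shell
#!/bin/sh
# Added example: report the access mode of each `tcn share` line in a script.
# Recognises only the flags shown on this page (--public, --allow).

# classify_tcn_share "<line>" prints: public | allowlist | team-auth | not-tcn-share
# The body is a subshell "( ... )" so set -f and the variables stay local.
classify_tcn_share() (
    set -f          # no globbing while the line is word-split
    set -- $1       # naive word split: this is a lint, not a shell parser
    if [ "${1:-}" != "tcn" ] || [ "${2:-}" != "share" ]; then
        echo "not-tcn-share"
    else
        mode="team-auth"                 # page default: sign-in required
        for arg in "$@"; do
            case "$arg" in
                --public) mode="public"; break ;;  # assumption: --public wins over --allow
                --allow)  mode="allowlist" ;;
            esac
        done
        echo "$mode"
    fi
)

# audit_tcn_lines: read a script on stdin, print "LINE_NUMBER MODE" per tunnel command.
# Only lines that begin with `tcn share` are considered.
audit_tcn_lines() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        m=$(classify_tcn_share "$line")
        [ "$m" = "not-tcn-share" ] || echo "$n $m"
    done
}

# Constructed sample input (addresses are placeholders, not from the page).
sample_script() {
    cat <<'EOF'
# start the dev tunnels
tcn share 3000
tcn share 8080 --public
tcn share 3000 --allow alice@example.com bob@example.com
  tcn share 4000 --subdomain my-api --public
echo "tcn share 9000 --public"
EOF
}

sample_script | audit_tcn_lines
```

Lines reported as public are the ones to review against practice 1; a tunnel started from inside a pipeline or a quoted string is not detected by this simple word split.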