Route, transform, and authenticate your traffic.
One CLI. Zero infrastructure. Global edge.
Trusted by engineering teams at
Three production-grade primitives. Every ingress challenge solved — no glue code required.
Path-based routing, weighted splits, header matching, and canary deployments — all declared as code and deployed globally in seconds.
Strip secrets, inject identity headers, reshape payloads, validate schemas — all processed at the edge before your origin ever sees the request.
SAML, OIDC, JWT validation, mTLS, IP allow-lists, and rate limits enforced at the edge. Every tunnel is authenticated by default.
Every primitive you'd otherwise build yourself — observability, rate limits, failover, cache, replay, multi-region routing, policy-as-code. Visible. Verifiable. Yours.
Logs, metrics & traces — streamed in real-time. Filter by status, region, latency or path.
Refill, burst & quota — defined as code. Block abuse before it hits your origin.
policy "api-public" {
rate {
capacity = 10
refill = "10/s"
key = client.ip
}
on_exceed = "429 Too Many"
}Active probes, weighted pools, regional failover. Your users never see a 502.
Layer 7 cache with stale-while-revalidate, surrogate keys & instant purge.
Durable queue with exponential backoff. Replay any event, inspect every attempt.
Your users hit the closest edge. Failover & traffic-shaping built in — no DNS hacks.
Policies live in git. Rollbacks are a `git revert`. Every deploy is reviewed, signed, replayable.
policy "api-public" {rate {- capacity = 10+ capacity = 25refill = "10/s"}+ auth = jwt.from("Authorization")}
Install once, tunnel forever. From localhost to enterprise ingress without rewiring anything.
One binary. No Docker, no daemons, no firewall changes. Works on every OS.
Single 12 MB static binary. Drop it anywhere, run it anywhere. Zero root required.Point it at any local port. We allocate a globally-routed hostname + TLS cert instantly.
Your service is on the internet in under 60 seconds. TLS from Let's Encrypt, included.Bind your domain, attach policies, scale to enterprise. Same CLI, same config.
From demo URL to production domain without touching your origin. Policy as code.$ brew install tgate
# or: curl -sSL https://install.t-gates.de | sh$ tgate http 3000
# → https://your-name.t-gates.de$ tgate deploy \
--domain api.acme.com \
--policy ./tgate.yamlFrom a solo developer testing webhooks to a 500-person platform team managing production ingress at scale.
Share localhost with clients, test webhooks, demo live builds — no deploys needed.
Every PR gets a unique, policy-gated public URL. No extra infra.
Rate limiting, JWT validation, schema enforcement at the edge — not in your code.
Give every field device a stable, audited tunnel. No VPN, no static IP needed.
Connect on-premise services to the cloud without firewall holes or VPN agents.
Expose dashboards, admin panels, and dev tools securely to your team worldwide.
84 native integrations. Full webhook SDK. Works with whatever you're already running.
Don't see yours? Browse all 84 integrations →
We pass the questionnaire so you don't have to. Full audit trail, tamper-evident logs, and policy-as-code that lives in your repo.
Mutual TLS between edge and origin. Only verified clients reach your services.
Every request logged with cryptographic chain-of-custody. Stream to any SIEM.
WAF rules, rate limits, and routing — in your Git repo, reviewed like code.
Okta, Azure AD, Google Workspace. Auto-provision and deprovision instantly.
Bring your own KMS. We never see your encryption keys.
Every connection verified at every hop. No implicit trust — ever.
A fair comparison of what actually matters in production.
| RecommendedtGate | ngrok | Cloudflare Tunnel | Tailscale Funnel | Homegrown nginx/VPN | |
|---|---|---|---|---|---|
| Global anycast routing | ✓ | – | ✓ | – | – |
| Policy as code | ✓ | – | – | – | – |
| mTLS to origin | ✓ | – | – | ✓ | – |
| SOC 2 audit logs | ✓ | ✓ | ✓ | – | – |
| SAML SSO + SCIM | ✓ | ✓ | ✓ | – | – |
| Per-route observability | ✓ | – | – | – | – |
| Customer-managed keys | ✓ | – | – | – | – |
| BYO domain (any registrar) | ✓ | ✓ | – | ✓ | ✓ |
| Open protocol / SDK | ✓ | – | – | ✓ | ✓ |
| On-prem support | ✓ | – | – | – | ✓ |
| Free tier | ✓ | ✓ | ✓ | ✓ | – |
1,427 engineering teams across 62 countries. Here's what they actually say.
"tGate replaced four different tools. Our incident MTTR dropped 68% in the first month."
"We push 11k images per minute from boats over LTE. tGate's edge buffer means we lost zero frames in 90 days."
"Edge policies as code is the feature we didn't know we needed. Audits are now a git diff."
"We needed SOC 2 ingress on day one. tGate ships with everything — shaved an entire quarter off compliance."
"Showing builds to publishers used to mean uploading 4GB binaries. Now we send a URL."
"Our customers run on-prem in industrial parks. tGate gives us one audited path to every server."
Free for personal projects. No credit card to start. Cancel anytime.
For solo builders & local development.
Production tunnels with team controls.
Custom edge, dedicated tenancy, SLAs.
All plans include: 99.998% uptime SLA · SOC 2 compliant · GDPR ready · Global CDN
Free forever for personal projects. 14-day trial on every paid plan. No credit card required.