Quickstart
Run a private service on the public internet in three commands. We'll provision an edge node, issue a wildcard certificate, and route traffic to your local process.
Install the CLI
Install tgate using your platform's package manager. The CLI is a single static binary with no runtime dependencies.
# via Homebrew
brew install tgate
# or curl
curl -fsSL "https://install.t-gates.de" | shStarting your first tunnel
Once installed, point tgate at a local port. We'll allocate a public hostname on *.tgate.app and provision TLS automatically.
tgate http 3000
# →
Session : connected (eu-frankfurt-1)
Forwarding : https://still-meadow-7421.tgate.app → http://localhost:3000
Latency : 38ms · Region: fra-04Use tgate http 3000 --inspect to open a local web UI that replays requests, mocks responses, and exports HAR files.
Claim a reserved domain
Reserved domains stay yours forever. Bind one to a service so the URL never changes between deploys.
tgate domains create "api.acme.dev"
✓ Domain reserved · CNAME pending verification
✓ TLS certificate issued (Let's Encrypt)
✓ Bound to tunnel "api"Add an edge policy
Policies run at every edge node before traffic reaches your service. They're deployed via the CLI or committed alongside your code.
// Block bots, rate-limit by IP, require API key for /admin
policy "public-api" {
deny ua matches "bot|crawl"
limit ip 100/min
match path "/admin/*" {
require header "X-API-Key"
}
}Next steps
You've shipped your first tunnel. Up next:
→ Connect SAML SSO for your team
→ Set up edge policies for production
→ Configure observability with OpenTelemetry