Password Protection

Password protection lets you restrict access to your HTTP tunnels using Basic Authentication. When enabled, anyone visiting your tunnel URL will be prompted for a password before they can access the underlying service.

CLI Flag

Use the --password flag when starting an HTTP tunnel:

outray 3000 --password mysecretpassword

Visitors will see a browser-native login prompt. Enter any username (it is ignored) and the password you specified.

Configuration File

You can also set a password in your outray/config.toml:

[tunnel.web]
protocol = "http"
local_port = 3000
password = "mysecretpassword"

Then start all tunnels as usual:

outray start

How It Works

1. When a tunnel is opened with a password, the server stores the password in the tunnel's metadata.
2. Every incoming HTTP request is checked for a valid Authorization header.
3. If the header is missing or the credentials are wrong, the server responds with 401 Unauthorized and a WWW-Authenticate: Basic header, which triggers the browser's native login dialog.
4. Once the correct password is supplied, the request is forwarded to your local service as normal.

Programmatic Access

If you are calling a password-protected tunnel from code (e.g., curl, fetch, or a webhook provider), include the credentials in the request:

curl -u :mysecretpassword https://my-tunnel.tunnel.outray.app/api/health

Or with an explicit Authorization header:

curl -H "Authorization: Basic $(echo -n ':mysecretpassword' | base64)" \
  https://my-tunnel.tunnel.outray.app/api/health

Use Cases

• Webhook testing — prevent unauthorized payloads from reaching your dev server.
• Staging previews — share a tunnel with your team without exposing it publicly.
• Client demos — give a client temporary access without opening the tunnel to the entire internet.