Expose a Localhost Port to the Public Internet with amux
One command. Stable HTTPS URL. No inbound port, no firewall config, no ngrok account.
amux tunnel makes any local port reachable from the public internet in seconds. Your machine dials out to the amux cloud relay — no inbound firewall port needed, no router forwarding, no ISP restrictions. The resulting URL at https://<id>.t.amux.io/ is stable across restarts: same token, same URL, forever. Updated July 2026.
Quick start
# Start your local server (any port)
npm run dev # → localhost:3000
# Start the tunnel
amux tunnel start 3000
# → https://abc123def456789.t.amux.io/
# Now share that URL — it forwards to your local port
Requires an amux cloud account — the tunnel relay is the only paid feature in amux. The core orchestration, dashboard, self-healing, and iOS app are all free and open source.
How amux tunnel works
Traditional reverse proxies (ngrok, Cloudflare Tunnel) require your local machine to receive inbound connections. That means you need an open port, router forwarding, or a VPN. amux tunnel flips the model:
- Your machine dials out to the amux cloud relay over a persistent outbound HTTPS connection.
- The relay assigns you a subdomain at
<id>.t.amux.iowhere<id>is derived from your account token. - Incoming requests to that URL hit the relay, which forwards them through the persistent connection to your local server.
- Your server responds through the same connection. The relay delivers the response to the caller.
Because your machine only makes outbound connections, the tunnel works from behind corporate firewalls, NAT, CGNAT, and networks with no open inbound ports.
URL stability
The tunnel URL is derived from your account token: sha256(token)[:16]. This means:
- The URL is the same every time you start the tunnel — no random string on each run.
- You can set it as a permanent webhook endpoint with your payment provider, CI system, or GitHub webhooks, and it will keep working across machine reboots.
- You can set it as a fixed OAuth redirect URI registered with your OAuth provider — no dashboard visits to copy a new URL after each restart.
# Your tunnel URL — copy this once, use it everywhere
https://abc123def456789.t.amux.io/
# It never changes as long as your amux token is the same
amux tunnel stop
# ... later ...
amux tunnel start 3000
# → same URL: https://abc123def456789.t.amux.io/
Common use cases
Webhook testing
Testing Stripe, GitHub, Twilio, or any webhook provider locally requires a public URL they can POST to. With amux tunnel:
# Start your webhook handler
python webhook_server.py # → localhost:5000
# Start the tunnel
amux tunnel start 5000
# → https://abc123.t.amux.io/webhooks/stripe
# Paste the URL into your Stripe webhook endpoint config
# Webhooks now land in your local handler in real time
Sharing a dev server with a client or teammate
# Working on a design change — share it instantly
npm run dev # → localhost:3000
amux tunnel start 3000
# Send teammate: https://abc123.t.amux.io/
# They can see live changes as you save files
OAuth redirect URIs during local development
OAuth providers (Google, GitHub, Slack) require a pre-registered redirect URI. With a stable tunnel URL, you register it once and never change it:
# In your OAuth provider's app settings:
# Authorized redirect URIs:
# https://abc123.t.amux.io/auth/callback
#
# In your local .env:
# OAUTH_REDIRECT_URI=https://abc123.t.amux.io/auth/callback
amux tunnel start 3000
# → OAuth flows now work locally
Testing from a mobile device
Testing how your app looks on a real iOS or Android device is painful without a public URL. The tunnel solves it in one command — no need to configure your local network or find your machine's IP:
# Start your app
npm run dev # → localhost:3000
amux tunnel start 3000
# → Open https://abc123.t.amux.io/ on your phone
# Full HTTPS, real device, live reloads
Exposing the amux dashboard remotely
# Make your amux dashboard reachable from anywhere
amux serve & # → localhost:8822
amux tunnel start 8822
# → Access your agent fleet from your phone, hotel WiFi, anywhere
See also: Managing agents from your phone.
What amux tunnel does NOT support
amux tunnel is intentionally simple — HTTP/HTTPS request-response only. Be aware of these limitations before choosing it for your use case:
| Capability | amux tunnel | ngrok |
|---|---|---|
| HTTP/HTTPS forwarding | Yes | Yes |
| Stable URL across restarts | Yes (token-derived) | Paid plan only |
| Server-Sent Events (SSE) | No (buffered only) | Yes |
| WebSocket upgrades | No | Yes |
| TCP tunneling | No | Paid plan |
| Request inspection UI | No | Yes (localhost:4040) |
| Custom domains | No (*.t.amux.io only) | Paid plan |
| Authentication on the URL | No (public, unguessable) | Basic auth option |
| Free tier | No (cloud feature) | Yes (limited) |
| Integrated with AI agent fleet | Yes | No |
If you need streaming responses, WebSocket support, request inspection, or custom domains, use ngrok. amux tunnel is the right choice when you want a stable, zero-config URL that stays the same across restarts and is managed from the same tool as your agent fleet.
Security: the URL is public
The tunnel URL is publicly accessible. Anyone who has the URL can reach your local server. The URL is unguessable (a 16-character hex hash of your token), but it is not authenticated — there is no built-in credential check at the tunnel layer.
For services that handle user data, tokens, or admin actions:
- Add authentication at your application level (login page, API key header check).
- Limit the scope of what the tunneled port can access.
- Stop the tunnel when you're done (
amux tunnel stop).
Frequently asked questions
How do I expose a localhost port without ngrok?
Run amux tunnel start PORT. Your machine dials out to the amux cloud relay — no inbound firewall port, no router config. You get a stable HTTPS URL at https://<id>.t.amux.io/ immediately. Requires an amux cloud account.
Is the tunnel URL stable across restarts?
Yes. The URL is derived from your account token — stop and restart the tunnel, reboot your machine, or switch networks, and the URL stays the same. Safe to use as a permanent webhook endpoint or OAuth redirect URI.
Does amux tunnel support WebSockets or Server-Sent Events?
No. amux tunnel relays HTTP/HTTPS with one buffered response per request. SSE and WebSocket upgrades do not pass through. For streaming or WebSocket use cases, use ngrok or Cloudflare Tunnel.
Is the tunnel URL private?
No — it is publicly accessible. The URL is unguessable (a hash of your token), but anyone with the URL can reach your local server. Add authentication at the application level for sensitive services.
Does amux tunnel require a paid plan?
Yes. The tunnel is the only paid feature in amux (part of amux cloud). Core orchestration, self-healing, dashboard, and iOS app are free and open source.
See also
- amux vs ngrok — full comparison of both tools
- Managing agents from your phone — access your dashboard remotely
- Run agent sessions in the background — tunnel + detached = fully remote dev setup
- Remote access with Tailscale — alternative for team/corporate access
Stable public URL for any local port — zero firewall config
amux tunnel is one part of the full amux stack: agent orchestration, self-healing, phone management, and now a stable tunnel — all from one tool.
amux tunnel start 3000
# → https://abc123def456789.t.amux.io/
⭐ Star on GitHub