Skip to main content

ory tunnel

ory tunnel

Tunnel Ory on a subdomain of your app or a seperate port your app's domain

Synopsis

This command starts an HTTP tunnel to Ory on the domain [tunnel-url] you specify. This allows to co-locate Ory's APIs and your application on the same top-level-domain, which is required to get cookies and other security features working.

This tunnel works both in development and in production, for example when deploying a React, NodeJS, Java, PHP, ... app to a server / the cloud or when developing it locally on your machine. It is similar to the ory proxy command, but it does not require to route all your application's traffic through it!

Before you start, you need to have a running instance of Ory. Set the environment variable ORY_SDK_URL to the path where Ory is available. For Ory Cloud, this is the "SDK URL" which can be found in the "API & Services" section of your Ory Cloud Console.

$ export ORY_SDK_URL=https://playground.projects.oryapis.com

The first argument application-url points to the location of your application. This location will be used as the default redirect URL for the tunnel, for example after a successful login.

$ ory tunnel https://www.example.org

It has the same behavior as ory proxy --default-redirect-url https://example.org/....

You can change this behavior using the --default-redirect-url flag:

$ ory tunnel --default-redirect-url /welcome \
    https://www.example.org

The second argument [tunnel-url] is optional. It refers to the public URL of this tunnel (e.g. https://auth.example.org).

If [tunnel-url] is not set, it will default to the default host and port the tunnel listens on:

http://localhost:4000

You must set the [tunnel-url] if you are not using the tunnel in local development:

$ ory tunnel \
    https://www.example.org \
    https://auth.example.org

Please note that you can not set a path in the [tunnel-url]!

Per default, the tunnel listens on port 4000. If you want to listen on another port, use the port flag:

$ ory tunnel --port 8080 \
    https://www.example.org

If your application URL is available on a non-standard HTTP/HTTPS port, you can set that port in the application-url:

$ ory tunnel \
    https://example.org:1234

If this tunnel runs on a subdomain, and you want Ory's cookies (e.g. the session cookie) to be available on all of your domain, you can use the following CLI flag to customize the cookie domain:

$ ory tunnel \
    --cookie-domain example.org \
    https://www.example.org \
    https://auth.example.org

In contrast to the ory proxy, the tunnel does not alter the HTTP headers arriving at your application and it does not generate any JSON Web Tokens.

ory tunnel application-url [tunnel-url] [flags]

Options

      --cookie-domain string          Set a dedicated cookie domain.
      --default-redirect-url string   Set the URL to redirect to per default after e.g. login or account creation.
  -h, --help                          help for tunnel
      --port int                      The port the proxy should listen on. (default 4000)
      --sdk-url string                Set the Ory SDK URL.

SEE ALSO

  • ory - The ORY CLI