ngrok is a hosted ingress service that exposes services running behind NAT or a firewall on a public HTTPS, TCP, or TLS endpoint without any inbound port forwarding. You run the ngrok agent next to your app; it opens an outbound TLS connection to ngrok’s edge and receives reversed traffic over that tunnel.
The classic use case is giving a local development server a public URL for testing Stripe, GitHub, or Slack webhooks, but the product has grown into a general-purpose API gateway. The edge can terminate TLS on custom domains, enforce OAuth, OIDC, SAML, or JWT auth, apply rate limits and IP restrictions, rewrite headers, mirror traffic for inspection, and load-balance across multiple agents. Configuration is expressed either via CLI flags, a YAML config file, or declaratively through the Kubernetes Ingress controller and Gateway API implementation, so the same endpoint rules can be managed from cluster manifests.
ngrok is commercial and closed-source, with a free tier that hands out random subdomains. In the same space you will find Cloudflare Tunnel (cloudflared), Tailscale Funnel, Telepresence, localtunnel, and frp for a fully self-hosted option. Its niche is the combination of zero-config tunnels with an API-gateway-grade edge, rather than just raw TCP forwarding.