Skip to content
d-centralize handbook

Pangolin tunnel

Use Pangolin (server) and Newt (client) to expose a local or staging service on the public internet. This is the standard way to handle callbacks, demos, and temporary external access.

Internet -> Pangolin -> Newt -> App

Prerequisites

Section titled “Prerequisites”
  • Make sure your app is running (for example on localhost:3000).
  • Make sure you can access the Pangolin dashboard.
  • Use the credentials from Vaultwarden item pangolin, or ask an admin to create an account for you.

Reserve the subdomain first

Section titled “Reserve the subdomain first”

Create the Pangolin resource before starting Newt, so the final URL is known up front.

  1. In Pangolin, go to Sites and select +Add Site.
  2. Enter a site name and select Newt Tunnel.
  3. Select Create Site.
  4. Go to Resources and select +Add Resource.
  5. Select HTTPS resource and enter your preferred subdomain.
  6. Select +Add target and choose the site you created.
  7. Set protocol to http, host to localhost, and port to your app port (for example 3000).
  8. Select Create Resource.

Your tunnel URL is now predictable:

https://<subdomain>.tunnel.d-centralize.nl

Start Newt on the app host

Section titled “Start Newt on the app host”
  1. Open the site you created in Pangolin.
  2. Copy the Newt install and launch commands shown there.
  3. Run them on the machine or container where your app runs.
  4. Keep newt running while the tunnel is in use.

Environment variable mode is also supported:

  • NEWT_ID
  • NEWT_SECRET
  • PANGOLIN_ENDPOINT

Example:

Terminal window
curl -fsSL https://pangolin.net/get-newt.sh | bash
newt

If used in an entrypoint script, run newt &.

Scripted subdomain reservation

Section titled “Scripted subdomain reservation”

For automation, apply a Pangolin blueprint before starting Newt. newt does not provide a separate reserve-only command.

Example blueprint:

public-resources:
  app:
    name: app
    protocol: http
    full-domain: my-fixed-subdomain.tunnel.d-centralize.nl
    targets:
      - site: my-site
        hostname: localhost
        method: http
        port: 3000

Before applying with CLI, make sure Pangolin CLI is installed and authenticated:

Terminal window
pangolin login
pangolin select

Apply blueprint:

Terminal window
pangolin apply blueprint --file /path/to/blueprint.yaml

Or apply through the Pangolin API endpoint PUT /org/{orgId}/blueprint.

Verify and share

Section titled “Verify and share”
  • Open the reserved URL in a browser and confirm it reaches your app.
  • Share that same URL for callbacks or demos.
  • Stop Newt with Ctrl+C when done.

Authentication for external callbacks

Section titled “Authentication for external callbacks”

If an external service must call this endpoint, disable platform SSO on that resource:

  1. Open Resources in Pangolin.
  2. Open the resource.
  3. Go to Authentication.
  4. Disable Use platform SSO.
  5. Save changes.