ngrok exposes a port. tunnel.locker knows the far end is an MCP server with a tool list — so the door is scoped to the exact tools you allow, refuses everything else agent-side, and dies on a TTL.
Because the agent speaks the protocol, it filters the advertised tools/list to your allowlist, rejects any out-of-scope tools/call before the server ever sees it, and re-checks the TTL on every call. Revocation is real, not cosmetic — close the tunnel and the link is dead.
A teammate opens the link. Sees only the filtered tool list.
Pairs the two sockets by id and shuttles opaque frames. Holds no secret, no state.
Mints the token, filters tools, refuses out-of-scope calls, enforces the TTL.
Runs locally, unchanged. No inbound port is ever opened.
Trust lives at the agent — the only component holding the signing secret. A compromised relay can't widen scope or extend a TTL; it just moves bytes.
read { "path": "notes.txt" }
Passes the allowlist + TTL check, reaches the MCP server, returns the result.
shell { "cmd": "rm -rf /" }
Refused agent-side with a clear error. The server never receives the call.
# install the CLI $ cargo install tunnel-locker # share a read-only view of your MCP server $ tunnel open ./my-mcp-server \ --relay wss://tunnel.locker --scope read --ttl 15m # → prints https://tunnel.locker/t/<id>#<token> # revoke anytime: $ tunnel close
Your model and data stay on your machine. When a teammate needs to talk to your running agent, open a door scoped to one session and specific tools — then let it evaporate.