CLI Reference
Available commands
hle expose
Expose a local service to the internet. This is the primary command for HLE clients.
hle expose --service http://localhost:8080 --label myappExpose and allow specific users in one command:
hle expose --service http://localhost:8080 --allow user@gmail.com --allow google:friend@gmail.comhle auth login
Save an API key to ~/.config/hle/config.toml. Opens the dashboard in your browser to copy the key.
hle auth login # Interactive (opens browser)hle auth login --api-key hle_xxx # Non-interactivehle auth status
Show the current API key source and masked value.
hle auth statushle auth logout
Remove the saved API key from ~/.config/hle/config.toml.
hle auth logouthle webhook
Create a webhook tunnel for receiving HTTP callbacks from external services (GitHub, Stripe, etc.). Disables SSO gate and WebSocket, enforces path prefix filtering.
hle webhook --path /hook/github --forward-to http://localhost:3000/webhookSee the Webhooks guide for details on security, rate limits, and provider setup.
hle tunnels
List active tunnels for your account.
hle tunnelshle access list
List access rules for a subdomain.
hle access list myapp-x7khle access add
Add an email to a subdomain’s access allow-list.
hle access add myapp-x7k friend@example.com --provider anyhle access remove
Remove an access rule by its ID (shown in hle access list).
hle access remove myapp-x7k 42hle pin set
Set a 4-8 digit PIN for a subdomain. Visitors can enter the PIN instead of signing in with SSO.
hle pin set myapp-x7khle pin status
Show whether a PIN is currently active for a subdomain.
hle pin status myapp-x7khle pin remove
Remove the PIN for a subdomain.
hle pin remove myapp-x7khle basic-auth set
Set HTTP Basic Auth on a tunnel. Prompts for username and password (min 8 chars). Replaces any existing credentials.
hle basic-auth set myapp-x7khle basic-auth status
Show whether Basic Auth is active for a tunnel and the configured username.
hle basic-auth status myapp-x7khle basic-auth remove
Remove Basic Auth from a tunnel (makes the tunnel public again, or falls back to SSO/PIN if configured).
hle basic-auth remove myapp-x7khle share create
Create a temporary share link for time-limited access without SSO.
hle share create myapp-x7k --duration 24h --label "demo" --max-uses 5hle share list
List share links for a subdomain.
hle share list myapp-x7khle share revoke
Revoke a share link by ID.
hle share revoke myapp-x7k 3Flags for webhook
| Flag | Type | Default | Description |
|---|---|---|---|
--path | string | required | Webhook path prefix (e.g. /hook/github). Only requests matching this prefix are forwarded |
--forward-to | string | required | Local URL to forward webhooks to |
--label | string | auto-generated | Service label (used for custom zone subdomains) |
--api-key | string | — | API key for tunnel auth. Also checked in HLE_API_KEY env var and config file |
--zone | string | — | Custom zone domain |
Flags for expose
| Flag | Type | Default | Description |
|---|---|---|---|
--service | string | required | Local service URL (e.g., http://localhost:8080) |
--label | string | auto-generated | Service label for the subdomain (e.g., ha, jellyfin, app1) |
--auth | enum | sso | Authentication mode: sso (OIDC) or none (public) |
--api-key | string | — | API key for tunnel auth. Also checked in HLE_API_KEY env var and config file |
--websocket | boolean | enabled | Enable WebSocket proxying. Use --no-websocket to disable |
--allow | string | — | Allow an email to access the tunnel via SSO. Format: email or provider:email. Providers: any (default), google, github, hle. Repeatable. Idempotent |
--verify-ssl | boolean | false | Enable SSL certificate verification for the local service |
--upstream-basic-auth | string | — | Inject Authorization: Basic into every request forwarded to the local service. Format: USER:PASS |
--forward-host | boolean | false | Forward the browser’s Host header to the local service |
Global flags
These flags apply to all commands:
| Flag | Type | Default | Description |
|---|---|---|---|
--version | — | — | Show the client version and exit |
--debug | boolean | false | Enable debug logging to stderr |
Common flags
All commands that talk to the server (tunnels, access, pin, basic-auth, share) accept:
| Flag | Type | Default | Description |
|---|---|---|---|
--api-key | string | — | API key for authentication. Also checked in HLE_API_KEY env var and ~/.config/hle/config.toml |
Flags for access add
| Flag | Type | Default | Description |
|---|---|---|---|
--provider | enum | any | Required auth provider: any, google, github, or hle |
Flags for share create
| Flag | Type | Default | Description |
|---|---|---|---|
--duration | enum | 24h | Link validity: 1h, 24h, or 7d |
--label | string | — | Optional label for the link |
--max-uses | int | unlimited | Maximum number of uses |
Config file
Save your API key in the config file:
api_key = "hle_your_32_char_hex_key"Location: ~/.config/hle/config.toml
The API key is resolved in order: --api-key flag > HLE_API_KEY env var > config file.
Examples
Expose Home Assistant with custom label:
hle expose --service http://localhost:8123 --label haExpose development web app without authentication:
hle expose --service http://localhost:3000 --auth noneExpose and allow specific users in one command:
hle expose --service http://localhost:8123 --label ha --allow user@gmail.com --allow google:friend@gmail.comList your active tunnels:
hle tunnelsAdd a friend to your tunnel’s access list:
hle access add ha-x7k friend@example.comRequire GitHub login for a specific email:
hle access add ha-x7k colleague@work.com --provider githubView and remove access rules:
hle access list ha-x7khle access remove ha-x7k 42Set a PIN for quick access:
hle pin set ha-x7kCreate a temporary share link (expires in 1 hour, max 5 uses):
hle share create ha-x7k --duration 1h --max-uses 5Protect a tunnel with HTTP Basic Auth:
hle basic-auth set ha-x7khle basic-auth status ha-x7kExpose a service that itself requires credentials (inject upstream auth):
hle expose --service http://localhost:8123 --upstream-basic-auth admin:yourpassword