Skip to content
§ DEVELOPER INFRASTRUCTURE

Secure tunnels on your infrastructure, your SSO, your audit log.

Broch is a secure tunneling platform you deploy on your own infrastructure. Authenticated through your SSO, attributed to a specific developer, logged to your own systems. Every request logged, every action audited.

flat per-seat pricing one docker image, your infra OIDC SSO — Auth0, Entra ID, Okta per-user attribution, every request share policies (role, network, headers) JSON audit log to your SIEM
~/work/acme-api — broch zsh · 84×24
$ npm install -g @broch/cli
added 1 package in 1.2s
$ broch config set --server https://broch.acme.corp
✓ server set
$ broch auth login
→ opening browser… (sso via your idp)
✓ authenticated as [email protected]
$ broch share api --target http://localhost:3000
✓ tunnel live · https://api-priya.tunnel.acme.corp
api ← GET → 200 / (5ms)
api ← POST → 201 /api/users (12ms)
● connected requests · 2 · uptime · 00:00:07
1 container
your whole footprint
100%
requests attributed to a user
0 hops
traffic through a third party
amd64 · arm64
multi-arch docker

Two ways to get started.

Try it on our server, no card. Or trial the real product — free for 15 days — on your own infrastructure.

AVAILABLE NOW 01 / 02

Self-Hosted

the real product, free for 15 days

Deploy Broch on your own infrastructure. Your SSO, your audit pipeline, your network — nothing routes through a third party. Start with a 15-day free trial: a card upfront, never charged until day 16, then $10 per seat, flat. Cancel anytime before then.

  • Docker on your infrastructure (amd64 + arm64)
  • SSO with your OIDC provider (Auth0, Entra ID, Okta)
  • Audit events to your SIEM, warehouse, or disk
  • Tunnel attribution + admin policy controls
60-DAY TRIAL · NO CARD 02 / 02

Broch-Hosted Trial

a quick taste, no card

A free 60-day trial on our hosted server — no credit card, no deployment. Install the CLI, create a tunnel, watch your own request stream. Use it to confirm Broch fits before you stand up your own.

  • Public test server — runs on our infrastructure
  • Try the share command in under two minutes
  • See your own live request stream
  • Single-user evaluation — no admin, no audit export

Built for security teams. Used by developers.

CLI everywhere

One npm install on macOS, Linux, Windows; the server is one Docker image (amd64 + arm64).

Complete audit trails

Every tunnel creation and HTTP request attributed to the developer who created it. Know who, when, and what traffic flowed through.

Your network, your rules

Deploy on your own infra. Traffic flows directly between your developers and your server — never through a third party.

Your identity provider

Auth0, Entra ID, Okta, any OIDC provider. Every tunnel authenticated through your existing identity layer.

You own the path — and the policy.

Traffic never leaves your network

Your CLI, your tunnel server, your IdP, your service — every hop runs in your infrastructure. No Broch cloud sits in the request path.

  • developer → broch-server → localhost, all on your network
  • SSO handshake stays between your server and your OIDC
  • Audit events to your SIEM, warehouse, or disk
  • One outbound call: a periodic license check. Nothing else leaves.

Admins decide what's shared

Share is deny-by-default. Tunnel creation is gated to IdP roles, and you control which targets and which inbound traffic are allowed through.

  • Deny by default — no policy, no tunnels
  • Gate tunnel creation by IdP role (engineering, contractors…)
  • Filter inbound by network CIDR and header rules
  • Pin tunnels to registered service targets only

What's coming.

Two things we're building now. No dates — here's the direction.

IN PROGRESS 01 / 02

Simpler deployments

from pull-the-image to one click

A tighter self-hosting guide and one-click cloud marketplace listings — Broch running before you've finished reading the docs.

IN PROGRESS 02 / 02

Broch Access

reach in, not just out

Share exposes a local service outward. Access reaches a remote one — a staging database, an internal API — from your CLI, no VPN. Same SSO, same audit log.

Common questions.

More questions? Email [email protected].

01What's the difference between the two free trials?
Two ways to try Broch. The Broch-hosted trial runs on our server — 60 days, no credit card, single-user, no deployment. The self-hosted trial is the real product on your own infrastructure — 15 days free, a card upfront (not charged), then $10 per seat / month.
02What does Broch cost?
The Broch-hosted trial is free for 60 days, no card. Self-hosted is free for 15 days — a card upfront, not charged until day 16 — then $10 per seat / month, billed monthly, cancel anytime. Flat per-seat pricing on the pricing page; no per-tunnel metering.
03How do I self-host?
Self-hosting is the product — that's where the SSO, the audit log, and the network sovereignty live. Deploy on your own infrastructure and start with a 15-day free trial; the Self-Hosting guide walks the full setup end-to-end. The 60-day Broch-hosted trial is a separate, no-deploy evaluation surface.
04Does Broch support SSO?
Yes — any OIDC identity provider (Entra ID, Okta, Auth0, or your own). The Broch server is the sole OAuth client; end users only ever receive a deployment-scoped Broch token, never your IdP's tokens.
05Where is my data stored?
On your infrastructure, in your region. Broch is a container you deploy; traffic is decrypted only on your servers and is never sent to Broch. Broch stores only seat assignments, in your own database.
06Can Broch help with our compliance requirements?
Broch is designed and built with your compliance needs in mind. It runs on your infrastructure, authenticates through your identity provider, and ships a full audit trail to your own SIEM — so your tunneling stays inside your existing SOC 2 or GDPR scope, with you as the data controller. For a control-by-control mapping, email [email protected].
07Why not just use a hosted tunneling service?
Broch runs on your infrastructure, authenticates through your SSO, and writes audit events to your own systems. No third-party data plane.
08How do I give feedback?
Bug reports: [email protected]. Feedback and feature requests: [email protected].

Pull the image. Deploy Broch.

$ docker pull ghcr.io/broch-io/broch:latest
$ docker run -d --env-file broch.env ghcr.io/broch-io/broch:latest