Secure tunnels on your infrastructure, your SSO, your audit log.
Broch is a secure tunneling platform you deploy on your own infrastructure. Authenticated through your SSO, attributed to a specific developer, logged to your own systems. Every request logged, every action audited.
Two ways to get started.
Try it on our server, no card. Or trial the real product — free for 15 days — on your own infrastructure.
Self-Hosted
the real product, free for 15 daysDeploy Broch on your own infrastructure. Your SSO, your audit pipeline, your network — nothing routes through a third party. Start with a 15-day free trial: a card upfront, never charged until day 16, then $10 per seat, flat. Cancel anytime before then.
- Docker on your infrastructure (amd64 + arm64)
- SSO with your OIDC provider (Auth0, Entra ID, Okta)
- Audit events to your SIEM, warehouse, or disk
- Tunnel attribution + admin policy controls
Broch-Hosted Trial
a quick taste, no cardA free 60-day trial on our hosted server — no credit card, no deployment. Install the CLI, create a tunnel, watch your own request stream. Use it to confirm Broch fits before you stand up your own.
- Public test server — runs on our infrastructure
- Try the share command in under two minutes
- See your own live request stream
- Single-user evaluation — no admin, no audit export
Built for security teams. Used by developers.
CLI everywhere
One npm install on macOS, Linux, Windows; the server is one Docker image (amd64 + arm64).
Complete audit trails
Every tunnel creation and HTTP request attributed to the developer who created it. Know who, when, and what traffic flowed through.
Your network, your rules
Deploy on your own infra. Traffic flows directly between your developers and your server — never through a third party.
Your identity provider
Auth0, Entra ID, Okta, any OIDC provider. Every tunnel authenticated through your existing identity layer.
You own the path — and the policy.
Traffic never leaves your network
Your CLI, your tunnel server, your IdP, your service — every hop runs in your infrastructure. No Broch cloud sits in the request path.
- developer → broch-server → localhost, all on your network
- SSO handshake stays between your server and your OIDC
- Audit events to your SIEM, warehouse, or disk
- One outbound call: a periodic license check. Nothing else leaves.
Admins decide what's shared
Share is deny-by-default. Tunnel creation is gated to IdP roles, and you control which targets and which inbound traffic are allowed through.
- Deny by default — no policy, no tunnels
- Gate tunnel creation by IdP role (engineering, contractors…)
- Filter inbound by network CIDR and header rules
- Pin tunnels to registered service targets only
What's coming.
Two things we're building now. No dates — here's the direction.
Simpler deployments
from pull-the-image to one clickA tighter self-hosting guide and one-click cloud marketplace listings — Broch running before you've finished reading the docs.
Broch Access
reach in, not just outShare exposes a local service outward. Access reaches a remote one — a staging database, an internal API — from your CLI, no VPN. Same SSO, same audit log.
01What's the difference between the two free trials?
02What does Broch cost?
03How do I self-host?
04Does Broch support SSO?
05Where is my data stored?
06Can Broch help with our compliance requirements?
07Why not just use a hosted tunneling service?
08How do I give feedback?
Pull the image. Deploy Broch.
$ docker pull ghcr.io/broch-io/broch:latest $ docker run -d --env-file broch.env ghcr.io/broch-io/broch:latest