Tunnel

The tunnel feature in Bytesalt allows you to test applications running on your local machine or within a private network — such as an internal staging environment — without exposing them to the public internet.

How It Works

When you run a job with the --tunnel flag, the Bytesalt CLI establishes an outbound, encrypted connection to a dedicated Tunnel Host running in the Bytesalt cloud infrastructure. The AI testing agent then routes all requests to your application through this connection.


  ┌─────────────────────────────────────────────────────┐
  │                   Bytesalt Cloud                    │
  │                                                     │
  │   ┌──────────────┐             ┌─────────────────┐  │
  │   │   AI Agents  │────────────►│   Tunnel Host   │  │
  │   └──────────────┘             └────────┬────────┘  │
  │                                         │           │
  └─────────────────────────────────────────┼───────────┘
                                            │
                                 Encrypted tunnel (TLS 1.2+)
                                            │
  ┌─────────────────────────────────────────┼───────────┐
  │   Your Environment                      │           │
  │                                         │           │
  │   ┌──────────────┐             ┌────────┴────────┐  │
  │   │ Private App  │◄────────────│  Bytesalt CLI   │  │
  │   │ (local/stage)│             │                 │  │
  │   └──────────────┘             └─────────────────┘  │
  └─────────────────────────────────────────────────────┘

The CLI always initiates this connection outbound over TLS 1.2+. No inbound ports are required, and no connection is ever made into your network from the outside.

Security Design

The tunnel is built around a zero-trust model. No component has more access than it needs, and every part of the connection is secured end-to-end.

Property	Detail
Transport encryption	All tunnel traffic is encrypted using TLS 1.2+. No data is transmitted in plain text.
Outbound-only	The tunnel client initiates the connection. You do not need to open any inbound firewall ports or change any network rules.
Ephemeral	Tunnels exist only for the duration of a test run. There is no persistent connection left open.
Isolated per job	Each job gets a dedicated tunnel connection. Connections are not shared between jobs or organizations.
No public exposure	Your application is never exposed to the public internet. Only the Bytesalt AI agent, running inside our secured infrastructure, can route traffic through the tunnel.

How to Use It

Pass the --tunnel flag when starting a job:


bytesalt start --tunnel

For the full list of options, see the start command documentation.

Use Cases

Local Development: Test new features and bug fixes on your local machine before deploying.
Private Staging Environments: Run tests against internal staging or QA environments that are not publicly accessible.
CI/CD Pipelines: Integrate Bytesalt into your pipeline to test against a locally running build in a controlled environment.