Fork me on GitHub

Application Access Reference Documentation

Application Access Reference


Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.

The following snippet shows the full YAML configuration of an Application Service appearing in the teleport.yaml configuration file:

  # Enables application proxy service.
  enabled: yes
  # Enable debug app that can be used to make sure application access is
  # working correctly. It'll output JWTs so it can be useful for when
  # extending your application.
  debug_app: true
  # This section contains definitions of all applications proxied by this
  # service. It can contain multiple items.
    # Name of the application. Used for identification purposes.
  - name: "grafana"
    # Free-form application description.
    description: "This is an internal Grafana instance"
    # URI and port the application is available at.
    uri: "http://localhost:3000"
    # Optional application public address to override.
    public_addr: ""
    # Rewrites section.
      # Rewrite the "Location" header on redirect responses replacing the
      # host with the public address of this application.
      - ""
    # Disable application certificate validation.
    insecure_skip_verify: true
    # Optional static labels to assign to the app. Used in RBAC.
      env: "prod"
    # Optional dynamic labels to assign to the app. Used in RBAC.
    - name: "hostname"
      command: ["hostname"]
      period: 1m0s


This section shows CLI commands relevant for Application Access.

tsh app ls

Lists available applications.

tsh app ls

tsh app login

Retrieves short-lived X.509 certificate for CLI application access.

tsh app login grafana

tsh app logout

Removes CLI application access certificate.

Log out of a particular app.

tsh app logout grafana

Log out of all apps.

tsh app logout

tsh app config

Prints application connection information.

Print app information in a table form.

tsh app config

Print information for a particular app.

tsh app config grafana

Print an example curl command.

tsh app config --format=curl

Construct a curl command.

curl $(tsh app config --format=uri) \ --cacert $(tsh app config --format=ca) \ --cert $(tsh app config --format=cert) \ --key $(tsh app config --format=key)
--formatOptional print format, one of: uri to print app address, ca to print CA cert path, cert to print cert path, key print key path, curl to print example curl command.
Have a suggestion or can’t find something?