Local HTTP. Public HTTPS. No account system.

portlight

A small Go binary that exposes local services through public HTTPS URLs you control. Built for previews, webhooks, demos, and coding agents.

$ portlight expose --port 3000 --json
{"status":"ready","url":"https://demo.portlight.616.pub"}

Downloads

Install once. Keep it current with one command.

Choose your platform build, place it on your PATH, then run portlight update whenever you need the latest release.

SHA-256 verified downloads
Already installed? portlight update uses the same release metadata and verifies SHA-256 before replacing the binary.

Agent workflows

Give the agent a URL it can actually use.

Agents often need a browser-visible URL for a local app, callback, or preview server. portlight skill prints a concise runbook covering JSON ready output, cleanup, TTL supervision, and name conflicts.

$ portlight skill
$ portlight expose --port 3000 --json
  • Default server is https://portlight.616.pub.
  • The tunnel lifetime is the CLI process lifetime.
  • Use timeout, CI job limits, or a watchdog process for TTL.
  • Kill the expose process to close the public URL.

Core use cases

Temporary public URLs without changing the local app.

portlight keeps the operating model small: one binary, one token, wildcard HTTPS at the reverse proxy, and no database.

Development previews

Share a local web app from the machine where it is already running.

Webhook testing

Receive provider callbacks against a local HTTP service during development.

Short demos

Request a readable name for a temporary demo URL, then release it on exit.

Scripted runs

Use --json so CI or agents can parse the ready URL safely.
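
An added example, not part of portlight or its runbook: a Python wrapper for the scripted case above that validates the --json ready line before trusting the URL, and applies the TTL and cleanup rules from the agent workflow section. The allowed base domain is assumed to be the default server, and parse_ready and expose_with_ttl are hypothetical helper names.

```python
import json
import subprocess
import threading
from urllib.parse import urlsplit

# Assumption: tunnels live under the default server named on the page.
ALLOWED_BASE = "portlight.616.pub"
# Ready line copied from the page's example output.
SAMPLE_READY = '{"status":"ready","url":"https://demo.portlight.616.pub"}'


def parse_ready(line, allowed_base=ALLOWED_BASE):
    """Return the tunnel URL from one --json ready line, else raise ValueError."""
    msg = json.loads(line)  # JSONDecodeError is a ValueError subclass
    if not isinstance(msg, dict) or msg.get("status") != "ready":
        raise ValueError("not a ready message")
    url = msg.get("url")
    parts = urlsplit(url) if isinstance(url, str) else urlsplit("")
    host = parts.hostname or ""
    # Only https URLs on a subdomain of the expected base, with no userinfo.
    if parts.scheme != "https" or "@" in parts.netloc:
        raise ValueError("unexpected URL form")
    if not host.endswith("." + allowed_base):
        raise ValueError("URL is outside the expected tunnel domain")
    return url


def expose_with_ttl(cmd, ttl_seconds, use_url):
    """Start cmd, pass the validated URL to use_url, always close the tunnel."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True)
    watchdog = threading.Timer(ttl_seconds, proc.kill)  # hard TTL
    watchdog.start()
    try:
        line = proc.stdout.readline()  # returns "" if the process dies first
        if not line:
            raise RuntimeError("tunnel exited or hit its TTL before ready")
        return use_url(parse_ready(line))
    finally:
        watchdog.cancel()
        proc.kill()  # killing the expose process closes the public URL
        proc.wait()
        proc.stdout.close()


if __name__ == "__main__":
    print(parse_ready(SAMPLE_READY))
    # Real use (needs portlight on PATH):
    # expose_with_ttl(["portlight", "expose", "--port", "3000", "--json"], 600, print)
```

The work done in use_url shares the same TTL: if it outlives ttl_seconds, the watchdog kills the expose process and the public URL closes underneath it.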

How it works

The public server forwards each request over an active worker connection.

Keep the Go server private on localhost. Let Caddy or another reverse proxy handle wildcard DNS, HTTPS, and public routing.

01 Run the server

# export so the server process inherits the token
export PORTLIGHT_TOKEN=<long-random-token>
portlight server --listen 127.0.0.1:8789 \
  --public-base https://portlight.616.pub

02 Expose a port

portlight expose --port 3000 --json

03 Use the URL

https://name.portlight.616.pub
routes to http://127.0.0.1:3000

Deploy shape

Small by design. Secure by defaulting to your own proxy.

The public tunnel URLs are anonymous by default, so expose only services you intend to share. Protect control endpoints with PORTLIGHT_TOKEN and keep the Go server listening only on localhost, behind the reverse proxy.

Production checklist

  • Base and wildcard DNS point to the server.
  • Caddy terminates HTTPS and proxies to 127.0.0.1:8789.
  • PORTLIGHT_TOKEN is long, random, and out of logs.
  • Docker or systemd restarts the server if it exits.

Current limits

  • HTTP only.
  • Browser WebSocket/HMR is not supported yet.
  • No persistent aliases or account dashboard.
  • Names exist only while the CLI is connected.