Appearance
sp tunnel
When developers use this: Establish a bidirectional reverse WebSocket tunnel to bridge test execution and replay dispatches from a cloud-hosted control plane (SaaS) down to local services running on your workstation or in isolated private environments.
Synopsis
The sp tunnel command starts a persistent, foreground reverse WebSocket tunnel client.
When you use a cloud-hosted control plane (such as api.softprobe.ai) but your Java application under test runs locally on your laptop, the cloud-hosted scheduler cannot direct HTTP replay traffic to a private address like http://localhost:8080.
By establishing a WebSocket tunnel connection to the SaaS gateway, the scheduler can route replay dispatches through this secure channel down to your machine, where the CLI forwards them locally and replies with response frames.
SaaS Edge Authorization & Header Injection
When tunneling to the SaaS environment (api.softprobe.ai), the WebSocket connection must pass through our secure edge gateway. The sp client automatically handles authentication handshakes by injecting the following custom headers into the WebSocket connection request:
http
Authorization: Bearer <your-token>
X-Tenant-ID: <your-tenant-id>The CLI retrieves these credentials from your active configuration profile or environment variable overrides. If they are missing or invalid, the edge gateway will reject the handshake with a 401 Unauthorized or 403 Forbidden response.
Usage
bash
sp tunnel [flags]Flags
| Flag | Default | Description |
|---|---|---|
--port | 8080 | Local target application port where the Java service is running |
--app | travel-ota | Target application ID (appId) or application name for this tunnel |
--url | — | Override the exact WebSocket gateway URL (e.g., ws://localhost:8092/api/ws/tunnel) |
All Global flags are fully supported, specifically:
--api-url: Used to infer the WebSocket connection URL if--urlis omitted (e.g. convertinghttps://api.softprobe.aitowss://api.softprobe.ai/api/ws/tunnel).--tenant-id: Target Tenant ID (overrides profile config).--token: Auth token (overrides profile config).--profile: Active profile (for config resolution).
Connection Resolution
If the --url flag is not explicitly provided, the CLI automatically infers the secure WebSocket endpoint from your resolved API URL:
- SaaS Cloud: If your API URL points to the cloud (
https://api.softprobe.ai), the CLI connects via secure WebSockets:wss://api.softprobe.ai/api/ws/tunnel?app=<appId> - Self-Hosted HTTP: If the API URL begins with
http://, the scheme is converted to standard WebSocket:ws://<api-host>/api/ws/tunnel?app=<appId> - Self-Hosted HTTPS: If the API URL begins with
https://, the scheme is converted to secure WebSocket:wss://<api-host>/api/ws/tunnel?app=<appId>
SaaS Lifecycle Example
Step 1: Start your local service
Run your Java application with the Softprobe agent attached:
bash
java -javaagent:/opt/softprobe/sp-agent.jar \
-Dsp.app.id=f3e2d1c0b9a87654 \
-jar target/my-local-app.jarStep 2: Establish the Secure Tunnel to SaaS
Start the tunnel client targeting the production SaaS gateway:
bash
sp tunnel \
--app f3e2d1c0b9a87654 \
--port 8080 \
--api-url https://api.softprobe.aiIf you prefer to configure your environment explicitly using environment variables:
bash
export SP_TOKEN="eyJhbGciOiJIUzI1NiIsIn..."
export SP_TENANT_ID="tenant-12345"
sp tunnel --app f3e2d1c0b9a87654 --port 8080 --api-url https://api.softprobe.aiConsole Output:
text
Connecting tunnel to wss://api.softprobe.ai/api/ws/tunnel?app=f3e2d1c0b9a87654...
Forwarding traffic for app 'f3e2d1c0b9a87654' to localhost:8080
✔ Reverse tunnel connected successfully!Once established, inbound replay dispatches from the SaaS scheduler will be printed to your console:
text
[TUNNEL] Received request: POST /api/flights/search (ID: req-abc123)
[TUNNEL] Dispatched response back (Status: 200)