Console Management
Manage your tunnel directly from the Zihin Console. All operations require an admin or owner role.
Navigate to Management → Connectivity to access tunnel management.
Creating a tunnel
Each organization can have one tunnel. The tunnel covers all on-premise services accessible from your network.
- Click Create Tunnel
- Enter a label (e.g., your company or site name)
- Copy the generated token
The token (ztun_...) is displayed only once. Copy it immediately — it cannot be retrieved later. You will need this token to configure the Tunnel Agent.
After creation, the tunnel appears with status Disconnected until the agent connects.
Monitoring status
The tunnel card displays real-time information:
| Field | Description |
|---|---|
| Status | Connected (agent is online) or Disconnected (agent is offline) |
| Token | Masked identifier (e.g., ztun_55bfc...59d7) — for identification only |
| Agent version | Version of the connected agent |
| Services | List of services registered by the agent (e.g., nocodb, erp) |
| Connected since | When the agent last connected |
Status reflects the last known state from the database. The agent updates its status on connect and disconnect events.
Rotating the token
Token rotation generates a new token while keeping the old one valid for 24 hours (grace period). This allows you to update the agent without downtime.
- Click Rotate Token on the tunnel card
- Confirm the action
- Copy the new token
- Update the agent configuration within 24 hours (see Token rotation)
During the grace period, both old and new tokens are accepted. The Console shows a "Rotation in progress" indicator with the grace period expiration time.
Revoking a tunnel
Revoking a tunnel immediately disconnects the agent and invalidates the token. This action cannot be undone.
- Click Revoke on the tunnel card
- Confirm by typing the tunnel label
- The agent is disconnected and the tunnel is removed
After revocation, you can create a new tunnel. The agent will need to be reconfigured with the new token.
Revocation is instant — the agent loses connection immediately. Only revoke when you intend to permanently disable the tunnel or replace it with a new one.
Permissions
| Role | Can view tunnel | Can manage tunnel |
|---|---|---|
| Owner | Yes | Yes |
| Admin | Yes | Yes |
| Editor | No | No |
| Member | No | No |
Tunnel management is restricted to admin and owner roles because it controls infrastructure access to your on-premise network.