Skip to main content
Discover how teams and individuals use Private Connect to solve common infrastructure access challenges.

Team Collaboration

Onboard Teammates Instantly

Clone a teammate’s environment in 30 seconds instead of 2 hours of setup

Debug Production Together

Share access to staging databases and services for collaborative debugging

Give Contractors Access

Time-limited access with instant revocation, no VPN provisioning

Clone Team Environments

New developers get the exact same setup as their teammates

Development Workflows

Same Setup, Anywhere

Your .env stays the same whether at office, home, or traveling

Project-Based Environments

Config files that auto-connect services when you cd into a project

Test Webhooks Locally

Receive Stripe, GitHub, and other webhooks on your local machine

Monitor Internal Services

Quick health checks of internal dashboards from anywhere

Remote Access & AI Tools

Access Your Home Lab

Reach Raspberry Pi, NAS, self-hosted services without exposing ports

Secure OpenCode Access

Access OpenCode on VPS from laptop without exposing ports publicly

Secure OpenClaw Access

Access OpenClaw gateway securely from phone, laptop, any device

Access from exe.dev VMs

Give AI agents on exe.dev access to private infrastructure

Infrastructure & DevOps

CI/CD to Private Infra

GitHub Actions deploying to private servers without bastion hosts

Virtual Kubernetes Clusters

Multicluster API servers with distributed nodes, no VPN required

Open-Source Contributors

Let contributors hit your prod API without sharing secrets

Share with Family Abroad

Give family access to home services with long-lived secure shares

Onboard Teammates Instantly

The old way:
  1. “Join the VPN”
  2. “Add these entries to /etc/hosts”
  3. “Here’s the SSH key for the bastion”
  4. “Forward ports 5432, 6379, and 8080”
  5. “Oh, you’re on Windows? Let me find the other instructions…”
With Private Connect: 
# New teammate's first day
connect clone sarah
# → Found sarah's environment:
# →   ● staging-db → localhost:5432
# →   ● redis → localhost:6379
# →   ● user-api → localhost:8080
# →   ● payment-service → localhost:8081
# →
# → ✓ Cloned 4 service(s) from sarah
# → Generated: .env.pconnect
# →
# → Ready to code.
Time saved: 2 hours → 30 seconds

Debug Production Together

Two engineers need to look at the same staging database to debug an issue. 
# Alice (already connected)
connect share --name "staging-debug"
# → Share code: k8m3n5

# Bob
connect join k8m3n5
# ✓ staging-db → localhost:5432
# ✓ redis → localhost:6379

# Both now have identical environments
# "I see the bug on row 4521" — "Me too, looking at it now"
No more “can you SSH into prod and run this query for me?”

Same Setup, Anywhere

Your .env stays the same whether you’re at the office, home, or a café. 
# .env (never changes)
DATABASE_URL=postgres://localhost:5432/myapp
REDIS_URL=redis://localhost:6379
API_URL=http://localhost:8080

# Morning: run this once
connect dev

# Your app connects to localhost
# Private Connect routes to the real services
npm run dev
Switch between home/office/travel without touching configuration.

CI/CD to Private Infrastructure

GitHub Actions deploying to servers that aren’t publicly accessible. 
# .github/workflows/deploy.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Connect to private infra
        run: |
          curl -fsSL https://privateconnect.co/install.sh | bash
          connect up --api-key ${{ secrets.PRIVATECONNECT_KEY }}
          connect reach deploy-server
          
      - name: Deploy
        run: |
          # deploy-server is now at localhost:22
          rsync -avz ./dist/ localhost:/var/www/app/
No bastion hosts. No VPN configurations. No firewall rules.

Access Your Home Lab

Raspberry Pi, NAS, or self-hosted services — reach them without exposing ports. 
# On your home server (runs 24/7)
connect daemon install
connect expose localhost:8096 --name jellyfin
connect expose localhost:8080 --name homeassistant
connect expose 192.168.1.50:445 --name nas

# From anywhere in the world
connect reach jellyfin
# → http://localhost:8096 — your media server

connect reach nas
# → localhost:445 — your NAS shares
No dynamic DNS. No port forwarding. No security exposure.

Secure Remote Access to OpenClaw

Running OpenClaw on a VPS? Access the gateway securely from your phone, laptop, or any device. The problem: OpenClaw’s gateway binds to 127.0.0.1:18789 for security. The docs warn: never expose it publicly. But you want to use it from WhatsApp on your phone. The solution: 
# On your VPS where OpenClaw runs
connect daemon install
connect expose localhost:18789 --name openclaw

# From your phone or laptop (anywhere)
connect reach openclaw
# → Gateway available at localhost:18789
# → WhatsApp/Telegram connects as if OpenClaw were local
FeaturengrokTailscaleSSH TunnelPrivate Connect
Public URLYes (risky)NoNoNo
Multi-deviceLimitedYesManualYes
PersistentPaidYesNoYes
Setup time2 min10 min5 min2 min

Secure Remote Access to OpenCode

Running OpenCode on a VPS or GPU server? Access it securely from your laptop without exposing ports. The problem: OpenCode’s server binds to 127.0.0.1:4096 for security. Setting --hostname 0.0.0.0 exposes you to brute-force attacks. The solution: 
# On your VPS where OpenCode runs
opencode serve                                    # Stays on localhost
connect daemon install
connect expose localhost:4096 --name opencode

# From your laptop (anywhere)
connect opencode
opencode attach http://localhost:4096             # Works as if local

Access Private Services from exe.dev VMs

Running AI agents on exe.dev? Give them secure access to your private infrastructure — databases, APIs, internal services — without exposing them publicly. The problem: exe.dev has great HTTPS proxies for exposing services, but your agent needs to access private infrastructure that isn’t publicly exposed. The solution: 
# On your private server (home, office, AWS)
connect daemon install
connect expose localhost:5432 --name prod-db
connect expose localhost:8080 --name internal-api

# On your exe.dev VM
curl -fsSL https://privateconnect.co/install.sh | bash
connect up
connect prod-db
connect internal-api

# Your agent can now access:
# → localhost:5432 (database)
# → localhost:8080 (internal API)
Also great for:
  • Cross-VM private communication (two exe.dev VMs talking without public URLs)
  • Team collaboration on exe.dev environments
  • Integrating with exe.dev’s Shelley/AGENTS.md system

Virtual Kubernetes Clusters

Running a multicluster or virtual Kubernetes API server (e.g. kplane-dev/apiserver) with nodes in different regions? They need to talk bidirectionally without a VPN. The solution: 
# On the API server host
connect expose localhost:6443 --name k8s-api

# On each node (any region/cloud)
connect reach k8s-api --port 6443
# → Use localhost:6443 as the API server; no VPN required
Control plane and nodes stay private; Private Connect routes traffic by name. Works with path-based multicluster API servers and distributed worker nodes.

Give Contractors Temporary Access

External developer needs to test against your staging API for a week. 
# Create a time-limited share
connect share --expires 7d --name "acme-contractor"
# → Share code: p4r7n3r

# Contractor uses the code
connect join p4r7n3r
# ✓ staging-api → localhost:8080
# Access expires automatically in 7 days
Revoke anytime: 
connect share --revoke p4r7n3r
No VPN account to provision. No credentials to rotate. No access to revoke manually.

Let Open-Source Contributors Hit Your Prod API

Contributors need to run your frontend locally, but it requires your production API. The old way means sharing secrets, setting up local databases, or maintaining a separate dev environment. With Private Connect: 
# Maintainer creates a public link
connect link api --expires 30d --methods GET,POST --paths /api/v1
# → https://abc123xyz.privateconnect.co
Contributor just uses it: 
# .env.local (no secrets!)
API_URL=https://abc123xyz.privateconnect.co

# Run frontend
bun dev
# → Auth works, API calls work, no setup required
  • Real API, real data (or staging)
  • No CLI installation
  • No account creation
  • No secrets on their machine
  • Auth flows work naturally
# Read-only access
connect link api --methods GET

# Specific paths only
connect link api --paths /api/public,/health

# Rate limited
connect link api --rate-limit 100

# Revoke anytime
# (from web dashboard or API)
Perfect for: open-source projects, contractor onboarding, demo environments.

Monitor Internal Services

Check if internal dashboards are responding, from anywhere. 
# Quick health check
connect reach grafana --check
# ✓ DNS OK
# ✓ TCP OK  
# ✓ HTTP 200 OK
# ✓ Latency: 45ms

# Actually connect and open it
connect reach grafana
open http://localhost:3000

Test Webhooks from Stripe, GitHub, etc.

Local development needs to receive webhooks from external services. 
# Expose your local server with a public URL
connect expose localhost:3000 --name webhook-test --public
# → https://abc123.privateconnect.co

# Use that URL in Stripe/GitHub webhook settings
# Webhooks hit your local machine
Like ngrok, but integrated with your team’s service mesh.

Project-Based Environments

Every project knows what services it needs. 
# my-app/pconnect.yml
services:
  - name: staging-db
    port: 5432
  - name: redis
    port: 6379
  - name: user-service
    port: 8081
  - name: payment-service
    port: 8082

cd my-app
connect dev
# ✓ Connected: staging-db, redis, user-service, payment-service

npm run dev
# App works. All services available at localhost.
Clone a repo, run connect dev, start coding. That’s it.
Config file can be pconnect.yml, pconnect.yaml, or pconnect.json

Share with Family Abroad

Family in another country? Give them access to your home services (Jellyfin, NAS, Home Assistant) by name. 
# You (at home): expose services, then create a long-lived share
connect expose localhost:8096 --name jellyfin
connect expose 192.168.1.50:445 --name nas
connect share --expires 90d --name "Family abroad"
# → Share code: x7k9m2

# Family (abroad): one-time setup, then join
connect up
connect join x7k9m2
connect reach jellyfin   # → http://localhost:8096
Revoke anytime: connect share --revoke x7k9m2

Clone Team Environments

Zero-friction environment switching. 
# One-time setup
eval "$(connect shell-init)"  # Add to ~/.zshrc

# Now it just works
cd ~/projects/backend
# → 📦 Found pconnect.yml - connecting...
# → ✓ staging-db, redis, user-service

cd ~/projects/frontend
# → 📦 Found pconnect.yml - connecting...
# → ✓ api-gateway, auth-service

# Your prompt shows what's connected
~/projects/backend (3 services) $
No more “which terminals have my tunnels running?”

Quick Reference

# Always-on access
connect daemon install      # Set it and forget it

# Project-based
connect dev                 # Connect from pconnect.yml

# Collaboration
connect share               # Share your environment
connect join <code>         # Join teammate's environment

# Public links (no account needed)
connect link <service>      # Create public URL for a service

# Ad-hoc access
connect reach <service>     # Connect to any service
connect proxy               # All services via subdomains

Private Connect vs. Alternatives

ScenarioVPNSSH TunnelsPrivate Connect
Onboard new dev2+ hours30+ min30 seconds
Share environmentNot possibleComplexOne command
Works from anywhereSometimesFragileAlways
Revoke accessIT ticketFind & delete keysInstant
Audit who accessedLimitedNoneBuilt-in
Setup on new machineReinstall clientCopy keysRun connect up
Public link (no account)Not possibleNot possibleconnect link

Build docs developers (and LLMs) love

Get started for freeTalk to us