The providers
| Provider | Use it when | What you configure |
|---|---|---|
| Direct (built-in) | The target endpoint is already reachable (for example, a Kubernetes cluster with a public API endpoint) | Nothing. Direct is always available and needs no API key. |
| Tailscale | The target is private and you use Tailscale | A Tailscale API access key for your tailnet. |
| Twingate | The target is private and you use Twingate | A Twingate API key and your network subdomain. |
Direct
Direct is the built-in path for targets that are already reachable from where your operators connect. There’s no tunnel to stand up and nothing to configure: break glass connects to the resource’s own endpoint. Every vendor has Direct available automatically, and it can’t be removed. You can disable Direct on the Break Glass page if you want to require a tunnel for every session; re-enable it to allow directly reachable sessions again.
Tailscale
For a private target, break glass stands up a temporary Tailscale subnet router inside your customer’s network so the operator can route to the otherwise-private endpoint for the life of the session. The router is created with single-use, ephemeral keys and removed at session end, so it exists only for that one session. To configure it, add a Tailscale provider on the Break Glass page and supply a Tailscale API access key for your tailnet. Break glass uses the key to provision and later remove the per-session router. Unlike the per-session router keys, this API access key is a standing credential you hold; store and rotate it like any other production API key.
The per-session router is temporary, but network-level access control within your tailnet is governed by your tailnet’s own ACLs, which you control. Scope your tailnet ACLs to match the access you intend break glass sessions to have, the same way you would for any device on your tailnet; don’t assume the integration confines a session within your tailnet on its own.
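One way to check that scoping before relying on it, as an added example that is not part of the product or its documentation: the script below reads the `acls` section of a tailnet policy and lists every accept rule that lets the operator source reach more than the range you intend. The source name `group:breakglass-operators`, the CIDRs and the sample policy are constructed assumptions; the sample is plain JSON, and only literal `src` matches and `*` are considered.

```python
import ipaddress
import json

# Constructed sample policy in the tailnet "acls" format (assumption: plain
# JSON; real policy files may carry comments and need a tolerant parser).
SAMPLE_POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["group:breakglass-operators"], "dst": ["10.20.0.10/32:443"]},
    {"action": "accept", "src": ["group:breakglass-operators"], "dst": ["10.20.0.0/16:*"]},
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:ci:22"]}
  ]
}
""")

def split_dst(dst):
    """Split 'target:ports' on the last colon (targets such as tag:x contain colons)."""
    target, _, ports = dst.rpartition(":")
    return target, ports

def audit(policy, operator_src, intended_cidrs):
    """Return (rule_index, dst, reason) for each accept rule that lets
    operator_src (or the '*' source) reach beyond intended_cidrs."""
    intended = [ipaddress.ip_network(c) for c in intended_cidrs]
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        srcs = rule.get("src", [])
        if rule.get("action") != "accept":
            continue
        if operator_src not in srcs and "*" not in srcs:
            continue  # rule does not apply to the operator source
        for dst in rule.get("dst", []):
            target, _ports = split_dst(dst)
            try:
                net = ipaddress.ip_network(target, strict=False)
            except ValueError:
                # Not a CIDR: '*', a tag, a group, a hostname alias, etc.
                reason = "wildcard destination" if target == "*" else "non-CIDR destination, review by hand"
                findings.append((i, dst, reason))
                continue
            if not any(net.subnet_of(n) for n in intended if n.version == net.version):
                findings.append((i, dst, "outside intended range"))
    return findings

if __name__ == "__main__":
    for idx, dst, reason in audit(SAMPLE_POLICY, "group:breakglass-operators", ["10.20.0.10/32"]):
        print(f"rule {idx}: {dst} -> {reason}")
```

The check does not expand group membership or other policy sections, so an empty result narrows the review rather than replacing it.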
Twingate
Twingate is the alternative tunnel provider and plays the same role as Tailscale: break glass stands up a temporary, session-scoped connector into the private network and removes it at session end. To configure it, add a Twingate provider on the Break Glass page and supply a Twingate API key plus your organization’s network subdomain (your {network}.twingate.com tenant). Break glass uses these to provision and remove the per-session connector.
Adding and managing providers
On the Break Glass page you can:
- Add a Tailscale or Twingate provider by supplying its API key (and, for Twingate, your network subdomain). When you add a provider, break glass validates the key against the provider’s API so you find out immediately if it’s missing a required scope, rather than at session time.
- Enable or disable any provider, including the built-in Direct path. A disabled provider can’t be used to resolve a session. Disabling is reversible.
- Remove a Tailscale or Twingate provider you no longer use. Direct is built-in and can’t be removed.
Border0 as a break glass provider is planned but not yet available.
Related
- How break glass works: where the network-path plane fits in the two-plane model.
- Requesting access: how the network path is resolved and torn down per session.
- Security model: the session-scoping and teardown guarantees for temporary network paths.