Team Collaboration Setup Tutorial

Overview

This tutorial guides team leads and organization administrators through setting up a complete team collaboration environment in Jetty. By the end of this tutorial, you'll have a fully configured organization with team members, shared resources, security policies, and best practices documentation.

Estimated Time: 20-30 minutes
Difficulty: Intermediate
Prerequisites:

• Active Jetty account with Team or Enterprise plan
• Account owner or admin privileges
• Basic familiarity with tunnels and the Jetty CLI

What You'll Accomplish

By completing this tutorial, you will:

1. Create and configure your organization
2. Invite and assign roles to team members
3. Set up shared reserved subdomains for team use
4. Configure organization-wide security and data redaction policies
5. Set up billing and subscription management
6. Understand audit logging for compliance and security
7. Document team practices for consistent collaboration
8. Enable your team to work together efficiently with shared tunnel resources

Tutorial Steps

Step 1: Create Your Organization (3-5 minutes)

Organizations are the foundation of team collaboration in Jetty. They provide a shared workspace where team members can collaborate on tunnels, share resources, and work under unified policies.

Instructions

1. Navigate to Organizations

   • Open your Jetty dashboard
   • Click Organizations in the sidebar navigation
   • You'll see a list of organizations you're part of (may be empty if this is your first)

2. Create New Organization

   • Click the + Create Organization button in the top-right corner
   • The creation dialog will appear

3. Configure Organization Details

   Organization Name: Acme Engineering Team
   Description: Development tunnels for the product engineering team
   Primary Region: US East (or closest to your team)
   

4. Submit

   • Review your settings
   • Click Create Organization
   • You'll be redirected to your new organization's dashboard

Naming Best Practices

Choose organization names that are:

• Clear and Professional: "Frontend Development Team" not "Bob's Team"
• Purpose-Driven: Include what the organization does
• Future-Proof: Avoid dates or temporary project names
• Searchable: Use terms your team will recognize

Good Examples:

• "Acme Engineering Team"
• "Marketing Department Tunnels"
• "QA Testing Infrastructure"
• "Mobile App Development"

Avoid:

• "Team 1" (not descriptive)
• "2024 Project" (date-based)
• "Test Org" (sounds temporary)

Region Selection

Your organization's primary region affects:

• Tunnel Performance: Lower latency for team members in that region
• Data Residency: Where tunnel traffic metadata is stored
• Edge Server Location: Geographic location of ingress servers

Recommendations:

• Choose the region closest to most of your team
• If team is distributed globally, choose central location or your production infrastructure region
• Enterprise plans support multi-region deployment

Validation

Your organization appears in the Organizations list
You're listed as Owner in the Members tab
Organization settings are accessible

Step 2: Invite Your First Team Member (2-3 minutes)

Start building your team by inviting your first member. This step introduces you to the invitation workflow and sets the foundation for scaling your team.

Instructions

1. Access Members Tab

   • Within your organization dashboard, click the Members tab
   • You'll see yourself listed as Owner

2. Send Invitation

   • Click Invite Member button
   • Enter the team member's email address: teammate@example.com
   • Select their initial role (we'll cover roles in detail in Step 3)
   • Add optional personal message: "Welcome to the team! Here's access to our development tunnels."
   • Click Send Invitation

3. Track Invitation Status

   • The invitation appears in your Members list with status "Pending"
   • Recipient receives an email with acceptance link
   • Invitation expires in 7 days if not accepted

The Invitation Email

Your team member receives an email containing:

• Your organization name and description
• Who invited them (your name)
• The role they're being assigned
• Secure acceptance link (valid for 7 days)
• Instructions for creating a Jetty account if they don't have one

Acceptance Workflow

When the recipient accepts:

1. They click the acceptance link in the email
2. If they don't have a Jetty account, they create one
3. They confirm joining your organization
4. Their status changes to "Active" in your Members list
5. They immediately gain access to organization resources
6. An audit log entry is created

Tips

• Start Small: Invite 1-2 trusted team members first to test the workflow
• Personal Touch: Include a message explaining the organization's purpose
• Monitor Status: Check back to see when invitations are accepted
• Resend if Needed: Invitations can be resent if they expire or get lost in spam

Troubleshooting

Invitation Not Received?

• Check recipient's spam/junk folder
• Verify email address is correct (no typos)
• Resend from the Members tab
• Contact support if issue persists

Cannot Send Invitation?

• Ensure you have Admin or Owner permissions
• Check your plan's member limit
• Verify you haven't exceeded your subscription tier

Validation

Invitation shows "Pending" status in Members list
Recipient receives invitation email
You can resend or revoke the invitation if needed

Step 3: Assign Roles and Permissions (4-6 minutes)

Role-based access control (RBAC) ensures team members have appropriate permissions for their responsibilities. Understanding and correctly assigning roles is critical for security and operational efficiency.

Available Roles

Owner

Full control over the organization

Permissions:

• Manage billing and subscriptions
• Create, update, and delete the organization
• Invite and remove any member
• Assign any role including Owner
• Manage all tunnels and resources
• Access all audit logs
• Configure all organization settings

Best For: Organization founders, CTOs, primary account managers
Recommendation: Limit to 1-2 highly trusted individuals

Admin

Administrative access without billing control

Permissions:

• Invite and remove members (except Owners)
• Assign roles up to Admin level
• Manage all tunnels and resources
• Configure organization settings (except billing)
• Access audit logs
• Create and manage reserved subdomains

Best For: Team leads, engineering managers, DevOps leads
Recommendation: Assign to department heads and senior team members

Member

Standard team member with full tunnel creation

Permissions:

• Create and manage own tunnels
• Access shared organization tunnels (view-only)
• Use reserved subdomains
• View organization members
• Access own activity logs

Best For: Developers, designers, QA engineers
Recommendation: Default role for most team members

Viewer

Read-only access for monitoring

Permissions:

• View organization tunnels
• View tunnel traffic and logs (read-only)
• View member list
• No creation or modification rights

Best For: Project managers, stakeholders, external consultants
Recommendation: Use for non-technical team members needing visibility

Assigning Roles

1. Navigate to Members tab in your organization
2. Find the member whose role you want to change
3. Click the role dropdown next to their name
4. Select the new role
5. Confirm the change
6. The member is notified of their role change via email

Principle of Least Privilege

Always assign the minimum role necessary for each person to perform their job:

• Don't: Make all developers Admins "just in case"
• Do: Start everyone as Member, promote as needed
• Don't: Give everyone Owner access for convenience
• Do: Reserve Owner for 1-2 key decision makers
• Don't: Keep elevated permissions after role changes
• Do: Downgrade roles when responsibilities change

Common Team Structures

Small Startup (5 people)

1 Owner    → Founder/CEO
1 Admin    → CTO or Lead Engineer
3 Members  → Developers

Product Team (15 people)

1 Owner     → VP Engineering
2 Admins    → Engineering Managers / Team Leads
10 Members  → Developers, QA Engineers
2 Viewers   → Product Manager, Designer

Agency (Multiple Projects)

2 Owners   → Agency Partners
3 Admins   → Project Leads
X Members  → Developers per project
Y Viewers  → Clients (temporary access)

Regular Role Reviews

Establish a schedule for reviewing role assignments:

• Quarterly Reviews: Check that roles match current responsibilities
• After Team Changes: Update roles when people change positions
• Offboarding: Remove members immediately when they leave
• Onboarding: Start new members as Member, upgrade based on trust

Security Considerations

Owner Role Risks

• Can delete the entire organization
• Can change billing and cancel subscriptions
• Can remove other Owners
• Actions are logged but cannot be prevented

Admin Role Considerations

• Can remove most team members
• Can modify security settings
• Can access all tunnels and logs
• Should be reserved for trusted senior team

Member Access

• Can create unlimited tunnels
• Can use reserved subdomains
• Cannot modify organization settings
• Most secure default for general team

Validation

Each team member has an appropriate role
You have 1-2 Owners maximum
Admins are limited to team leads
Most team members are assigned Member role
Role assignments documented (see Step 8)

Step 4: Create Shared Reserved Subdomains (3-5 minutes)

Reserved subdomains give your team memorable, consistent URLs for shared development, staging, and demo environments. They're professional, predictable, and easy to communicate.

Why Reserved Subdomains Matter

Without Reserved Subdomains:

Developer: "Check out my work at tunnel-x7f2k9m.tunnels.usejetty.online"
Teammate: "Can you resend that? I lost the URL."

With Reserved Subdomains:

Developer: "Check out my work at acme-dev"
Teammate: "Got it, looking now!"

Instructions

1. Navigate to Reserved Subdomains in organization settings
2. Click Reserve New Subdomain
3. Enter subdomain name: acme-dev
4. Add description: "Shared development environment for team demos"
5. Set access: "All Members" or restrict to specific roles
6. Click Reserve

Recommended Subdomains to Reserve

Essential (Start Here):

{org}-dev       → General development and team sharing
{org}-staging   → QA testing and pre-production
{org}-demo      → Client demos and presentations

By Team/Function:

frontend-dev    → Frontend team development
backend-api     → Backend API development
mobile-preview  → Mobile app previews
e2e-testing     → End-to-end test runner

By Client/Project (Agencies):

clienta-preview → Client A project previews
clientb-demo    → Client B demonstrations
project-x-dev   → Project X development

Naming Conventions

Establish patterns for your organization:

Pattern: {project}-{environment}

• webapp-dev, webapp-staging, webapp-prod
• Clear environment separation
• Scales to multiple projects

Pattern: {team}-{purpose}

• frontend-demo, backend-testing, api-integration
• Team ownership clear
• Good for specialized uses

Pattern: {client}-{type}

• acme-preview, widgets-demo, startup-testing
• Client identification
• Professional branding

Best Practices

Keep Names Short: 20 characters or less
Use Hyphens: Web-friendly (acme-dev not acme_dev)
Lowercase Only: Avoid mixed case
No Dates: dev-2024 becomes outdated
Descriptive: Purpose should be obvious

Avoid Generic: test, temp, test123
Avoid Person-Specific: johns-tunnel
Avoid Version Numbers: api-v2

Using Reserved Subdomains

In the CLI:

# List your organization's reserved subdomains
jetty subdomain:list

# Use a reserved subdomain when sharing
jetty share --subdomain acme-dev

# Or assign to an existing tunnel
jetty tunnel:update my-tunnel --subdomain acme-staging

In the Dashboard:

• When creating a tunnel, select from dropdown of reserved subdomains
• Reserved subdomains are highlighted with organization badge
• See which team member is currently using each subdomain

Subdomain Lifecycle

Claiming: When a team member starts a tunnel with a reserved subdomain
In Use: Subdomain points to active tunnel
Released: When tunnel closes, subdomain becomes available again
Reassigned: Another team member can immediately claim it

Team Communication

Document subdomain usage in your team chat:

Alice: Taking acme-dev for PR #234 review
Bob: I'll use acme-staging for QA testing
Carol: Can someone free up acme-demo by 2pm? Client presentation.

Validation

You have 3-5 reserved subdomains for team use
Each subdomain has a clear, descriptive name
Descriptions explain intended purpose
Team members can see subdomains in CLI and dashboard
Subdomain naming convention documented (Step 8)

Step 5: Configure Organization-Wide Settings (5-8 minutes)

Organization settings establish security policies, data handling rules, and communication preferences for your entire team. This is where you define "how we work" at the organization level.

Settings Categories

Security & Access Control

Two-Factor Authentication Policy

Options: Required | Encouraged | Optional
Recommendation: Required for sensitive data, Encouraged for general use

When Required:

• All members must enable 2FA to access organization
• New invitations require 2FA setup before acceptance
• Existing members given 7-day grace period to enable

Session Timeout

Options: 1 hour | 4 hours | 8 hours | 24 hours | Never
Recommendation: 8 hours for dev teams, 1 hour for high-security

Shorter timeouts increase security, longer timeouts improve developer experience.

IP Allowlist

Format: CIDR notation (e.g., 10.0.0.0/8, 192.168.1.1/32)
Use Case: Office-only access, VPN-required environments

Example configuration:

Office Network:    203.0.113.0/24
VPN Range:         10.8.0.0/16
Home Office (CEO): 198.51.100.42/32

Data Redaction & Privacy

Protect sensitive information in tunnel logs and request inspection.

Request Header Redaction

Always redact:

• Authorization: Bearer tokens, Basic auth
• Cookie: Session cookies, authentication
• X-API-Key: Custom API keys
• X-Auth-Token: Authentication tokens

Configuration:

{
  "redactHeaders": [
    "Authorization",
    "Cookie",
    "X-API-Key",
    "X-Auth-Token",
    "Stripe-Signature"
  ]
}

Request Body Redaction

Built-in patterns:

Credit Cards:    \b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b
                 4111-1111-1111-1111 → 4111-****-****-1111

SSN:             \b\d{3}-\d{2}-\d{4}\b
                 123-45-6789 → ***-**-6789

Email:           \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b
                 user@example.com → u***@example.com

API Keys:        (api[_-]?key|apikey)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{20,})
                 api_key=sk_live_123 → api_key=[REDACTED]

Custom Redaction Patterns

Add organization-specific patterns:

// Example: Redact internal employee IDs
{
  "name": "Employee ID",
  "pattern": "EMP-\\d{6}",
  "replacement": "EMP-[REDACTED]"
}

// Example: Redact proprietary transaction IDs  
{
  "name": "Transaction ID",
  "pattern": "TXN_[A-Z0-9]{16}",
  "replacement": "TXN_[REDACTED]"
}

Testing Redaction Rules

Before enabling organization-wide:

1. Create test tunnel in personal account
2. Send requests with sample sensitive data
3. Inspect logs to verify redaction works
4. Adjust patterns as needed
5. Enable for organization once validated

Notifications

Configure how your team stays informed about organization events.

Email Notifications

Recommended settings:

New Member Joined        → Admins & Owners (Immediate)
Member Role Changed      → Affected member + Admins (Immediate)
Tunnel Created           → Off (too noisy for active teams)
Reserved Subdomain Used  → Admins (Daily digest)
Billing Changes          → Owners (Immediate)
High Traffic Alert       → Admins (Immediate)

Slack Integration

Setup:

1. Go to Organization Settings → Notifications
2. Click Connect Slack
3. Authorize Jetty app in your workspace
4. Select channel: #dev-tunnels or #engineering
5. Choose events to post

Recommended Slack events:

• Tunnel Created (with who, what, when)
• New Member Joined (welcome message)
• High Traffic Alert (performance monitoring)
• Every Request (too noisy)
• Member Login (privacy concerns)

Example Slack notification:

New Tunnel Created
Alice created acme-dev → localhost:3000
View: https://acme-dev.tunnels.usejetty.online
Dashboard: [View Tunnel]

Webhook Notifications

For custom integrations:

POST https://your-company.com/api/jetty-webhook
Content-Type: application/json

{
  "event": "tunnel.created",
  "organization": "acme-engineering",
  "actor": "alice@example.com",
  "data": {
    "tunnel_id": "tun_abc123",
    "subdomain": "acme-dev",
    "upstream": "localhost:3000"
  },
  "timestamp": "2024-01-15T14:23:45Z"
}

Use cases:

• Update internal dashboards
• Trigger analytics tracking
• Alert external monitoring systems
• Custom workflow automation

Audit Logging

Retention Settings

30 Days  → Minimum (Team plan)
90 Days  → Recommended (Business plan)
1 Year   → Compliance (Business plan)
Forever  → Enterprise plan only

Choose based on:

• Compliance requirements (SOC 2, ISO 27001)
• Investigation needs (how far back to trace issues)
• Storage costs (longer retention = higher costs)

What Gets Logged

Every audit log entry includes:

• Timestamp (UTC)
• Actor (who performed the action)
• Event type (what happened)
• Target (what was affected)
• Details (additional context)
• IP address
• User agent

Example audit log entries:

2024-01-15 14:23:45 | alice@example.com (Admin) 
  → member.role_changed: bob@example.com from Member to Admin

2024-01-15 15:10:22 | bob@example.com (Admin)
  → tunnel.created: acme-dev → localhost:3000

2024-01-15 16:45:33 | carol@example.com (Owner)
  → organization.settings_updated: 2FA policy changed to Required

Configuration Walkthrough

1. Navigate to Settings

   • Organization Dashboard → Settings
   • Review each tab: Security, Privacy, Notifications, Audit

2. Start with Security

   • Enable 2FA: Set to "Encouraged" (or "Required" for sensitive teams)
   • Session timeout: 8 hours
   • IP allowlist: Leave empty unless you have office network requirement

3. Configure Data Redaction

   • Header redaction: Enable all defaults
   • Body patterns: Enable credit card, SSN, email, API key redaction
   • Test with sample data before enabling

4. Set Up Notifications

   • Email: Owners get billing alerts, Admins get member changes
   • Slack: Connect and post to #dev-tunnels channel
   • Keep notification volume low to avoid alert fatigue

5. Enable Audit Logging

   • Retention: 90 days minimum
   • Detail level: Full request logging
   • Access: Restrict to Admins and Owners

6. Save and Test

   • Save all settings
   • Test with a non-critical change (e.g., create test tunnel)
   • Verify notifications work
   • Check audit log entries appear

Best Practices

Security First: Configure security settings before inviting many team members
Test Redaction: Validate patterns with sample data before enabling
Minimal Notifications: Only alert on truly important events
Regular Reviews: Revisit settings quarterly as team grows
Document Policies: Include settings rationale in team practices doc (Step 8)

Validation

Security policies configured and appropriate for your team
Data redaction patterns tested and working
Notification channels connected and tested
Audit logging enabled with adequate retention
Settings documented in team practices

Step 6: Set Up Team Billing (4-6 minutes)

Configure billing and subscription management to ensure uninterrupted service for your team. Proper billing setup prevents service disruptions and helps manage costs effectively.

Plan Selection

Team Plan - $49/month

Best for: Small development teams, startups (up to 10 people)

Features:

• Up to 10 team members
• Unlimited tunnels
• 5 reserved subdomains
• Basic audit logging (30 days)
• Email support
• Standard data redaction

Business Plan - $149/month

Best for: Growing companies, agencies (up to 50 people)

Features:

• Up to 50 team members
• Unlimited tunnels
• 25 reserved subdomains
• Extended audit logging (90 days)
• Priority support
• Advanced data redaction (custom patterns)
• Slack/webhook integrations
• SSO support (SAML)

Enterprise Plan - Custom Pricing

Best for: Large enterprises, regulated industries (unlimited members)

Features:

• Unlimited team members
• Unlimited tunnels
• Unlimited reserved subdomains
• Unlimited audit retention
• Dedicated support with SLA
• Custom data redaction rules
• All integrations
• SSO with SCIM provisioning
• Custom regional deployment
• On-premise deployment option

Choosing the Right Plan

Start Small, Scale Up:

• Begin with Team plan for 5-10 people
• Upgrade to Business when you need >10 members or advanced features
• Enterprise when you have >50 members or compliance requirements

Consider Future Growth:

• If planning to hire 5+ people in next 3 months, start with Business
• Annual billing locks in rates even as you grow within limits
• Upgrades are instant and prorated

Billing Setup

1. Navigate to Billing

   • Organization Settings → Billing
   • View current plan and usage

2. Select Plan

   • Click Upgrade or Change Plan
   • Compare features side-by-side
   • Select plan tier
   • Choose billing cycle (monthly or annual)

3. Add Payment Method

   Credit Card: Visa, Mastercard, Amex, Discover
   → Automatic monthly/annual billing
   → Instant activation
   
   Invoice Billing: Business/Enterprise only
   → Emailed invoice with NET 30 terms
   → Requires annual commitment
   → Contact sales to enable
   

4. Review and Confirm

   • Summary of charges
   • Billing cycle start date
   • Next payment date
   • Terms and conditions

5. Configure Billing Settings

   • Billing email: billing@yourcompany.com (use team alias)
   • Backup payment method: Add a second card
   • Usage alerts: Enable to avoid surprise charges
   • Invoice preferences: PDF email and/or dashboard download

Annual vs. Monthly Billing

Monthly Billing:

• Pay month-to-month: $49, $149, etc.
• Flexibility to cancel anytime
• No long-term commitment
• Full monthly rate

Annual Billing (Save 20%):

• Pay for 12 months upfront
• Team: $470/year (save $118)
• Business: $1,430/year (save $358)
• Best value for established teams
• Pro-rated refund if cancel within 30 days

Recommendation: Monthly for first 1-3 months, then switch to annual to save money once you're confident in the platform.

Cost Management

Usage Monitoring:

Dashboard → Billing → Usage
- Current member count: 8/10
- Reserved subdomains: 4/5
- Tunnel hours this month: 520
- Bandwidth used: 12.4 GB

Usage Alerts: Set up alerts at:

• 80% of member limit (e.g., 8/10 members)
• 100% of subdomain reservations
• High bandwidth usage (if overages apply)

Optimization Tips:

• Remove inactive team members promptly
• Archive unused tunnels regularly
• Delete old reserved subdomains
• Review usage monthly

Managing Team Size

Approaching Member Limit?

Options:

1. Upgrade Plan: Team (10) → Business (50)
2. Remove Inactive: Offboard members no longer with company
3. Use Viewer Role: Convert non-developers to Viewers (may not count toward limit on some plans)

Exceeding Limits:

• System prevents inviting beyond plan limit
• Must upgrade or remove members to invite more
• Grace period for existing members who push over limit

Payment Failures

What Happens:

1. Payment attempt fails
2. Email sent to billing contact and Owners
3. Retry payment after 3 days
4. Second retry after 7 days
5. Service suspended after 7 days of failed payments

How to Resolve:

• Update payment method immediately
• Add backup payment method
• Contact support if legitimate transaction was declined
• Check card expiration dates quarterly

Grace Period:

• 7 days to resolve payment issues
• Tunnels continue to work during grace period
• Dashboard shows warning banner
• No data lost during grace period

Billing FAQ

Q: Can I change plans mid-month?
A: Yes. Upgrades are prorated and effective immediately. Downgrades take effect at next billing cycle.

Q: What happens if my payment fails?
A: You have 7 days to update payment before service suspension. No data is lost.

Q: Can I get a refund if I cancel?
A: Monthly plans are not refundable. Annual plans are prorated if canceled within 30 days.

Q: Do inactive members count toward my limit?
A: Yes, all invited members (active or pending) count toward your limit.

Q: Can I upgrade from monthly to annual billing?
A: Yes, at any time. You'll receive credit for unused monthly days.

Validation

Appropriate plan selected for team size
Payment method added and validated
Billing email set to team alias
Usage alerts configured
Backup payment method added (recommended)
Billing access restricted to Owners only

Step 7: Review Audit Logs (3-4 minutes)

Audit logs provide transparency, security monitoring, and troubleshooting capability. Understanding how to read and use audit logs is essential for organization administrators.

Accessing Audit Logs

1. Navigate to Organization Settings → Audit Logs
2. View chronological timeline of organization events
3. Filter by date range, event type, actor, or target
4. Export logs for external analysis (Business+ plans)

What's Logged

Authentication Events

 Member login (successful)
 Failed login attempt
Two-factor authentication enabled/disabled
Password reset
API token created/revoked

Why Monitor:

• Detect unauthorized access attempts
• Identify compromised accounts
• Track token usage and potential leaks

Red Flags:

• Multiple failed login attempts from same IP
• Login from unusual geographic location
• Token created and immediately revoked

Member Management Events

Member invited to organization
Member accepted invitation
Member role changed
Member removed from organization
Member account suspended

Why Monitor:

• Track team composition changes
• Audit permission escalations
• Understand offboarding activities

Red Flags:

• Unexpected role promotions (Member → Admin)
• Member removed without documentation
• Rapid invitation of many unknown users

Resource Management Events

Tunnel created, updated, or deleted
Reserved subdomain claimed or released
Custom domain added or verified
Organization settings modified

Why Monitor:

• Understand resource utilization
• Track configuration changes
• Troubleshoot missing resources

Red Flags:

• Mass tunnel deletions
• Unexpected subdomain reservations
• Settings changed by non-admins (shouldn't be possible, but audit confirms)

Billing Events

Payment method added or updated
Plan upgraded or downgraded
Invoice generated
Payment successful
Payment failed

Why Monitor:

• Track financial transactions
• Audit subscription changes
• Detect unauthorized billing modifications

Red Flags:

• Unexpected plan changes
• Multiple failed payment attempts
• Unauthorized payment method updates

Reading Audit Log Entries

Each entry includes detailed context:

Timestamp:    2024-01-15 14:23:45 UTC
Actor:        alice@example.com (Admin)
Event:        member.role_changed
Target:       bob@example.com  
Details:      Role changed from Member to Admin
IP Address:   203.0.113.42
User Agent:   Chrome 120.0 / macOS 14.2
Location:     San Francisco, CA, United States

Common Use Cases

Security Incident Investigation

Scenario: Suspicious activity reported on team member's account

Investigation Steps:

1. Filter logs by affected member email
2. Review all authentication events in suspected timeframe
3. Check for failed login attempts
4. Look for unusual IP addresses or locations
5. Identify any permission changes
6. Review tunnel activity during the period
7. Export logs for security team analysis

Example Findings:

2024-01-15 03:45:12 | bob@example.com
  → login.failed (Invalid password) | IP: 185.220.101.42 (Russia)
  
2024-01-15 03:47:23 | bob@example.com
  → login.failed (Invalid password) | IP: 185.220.101.42 (Russia)
  
2024-01-15 03:50:04 | bob@example.com
  → login.failed (Invalid 2FA code) | IP: 185.220.101.42 (Russia)

Action: Password compromise detected. Force password reset and review 2FA requirements.

Compliance Audits

Scenario: Preparing for SOC 2 Type II audit

Preparation Steps:

1. Export full audit logs for audit period (6-12 months)
2. Filter by critical events: auth, role changes, deletions
3. Generate summary reports:
   • User access reviews (who has what access)
   • Permission change history (escalations and de-escalations)
   • Administrative actions (showing oversight)
4. Demonstrate monitoring: show regular log reviews
5. Provide evidence of incident response (if any incidents occurred)

Auditor Questions Answered:

• "Who has administrative access?" → Filter by role=Admin/Owner
• "How do you track permission changes?" → Show role change events
• "How long do you retain logs?" → Show retention policy and storage
• "Can you detect unauthorized access?" → Show failed login monitoring

Troubleshooting

Scenario: "My tunnel stopped working!"

Debugging Steps:

1. Search logs for tunnel name or subdomain
2. Filter by event types: tunnel., subdomain.
3. Look for deletion, suspension, or configuration changes
4. Identify actor and timestamp
5. Review associated settings modifications
6. Contact actor for context

Example Resolution:

Search: "acme-staging"

Found: 2024-01-15 13:15:34 | carol@example.com (Admin)
  → tunnel.deleted: acme-staging (reason: "Recreating with new config")

Resolution: Carol deleted the tunnel to change configuration. 
Contact Carol to recreate or restore from backup.

Team Accountability

Scenario: Monthly resource usage review

Review Process:

1. Generate report: "All tunnel.created events this month"
2. Group by actor (who created what)
3. Identify most active tunnel creators
4. Review reserved subdomain usage patterns
5. Find unused resources for cleanup

Example Insights:

Tunnels Created (January):
- Alice: 45 tunnels (active developer)
- Bob: 32 tunnels (QA testing)
- Carol: 12 tunnels (occasional demos)
- Dave: 2 tunnels (left 2 weeks into month - cleanup needed)

Reserved Subdomain Usage:
- acme-dev: Used 28 days (high utilization)
- acme-staging: Used 14 days (moderate)
- client-demo: Used 2 days (underutilized - consider releasing)

Filtering and Searching

By Date Range:

Last 7 days | Last 30 days | Last 90 days | Custom range

By Event Type:

All Events
└─ Authentication
   ├─ login.success
   ├─ login.failed
   └─ token.created
└─ Members
   ├─ member.invited
   ├─ member.role_changed
   └─ member.removed
└─ Resources
   ├─ tunnel.created
   ├─ tunnel.deleted
   └─ subdomain.reserved
└─ Billing
   ├─ plan.upgraded
   └─ payment.successful

By Actor:

Filter by: alice@example.com
Shows only events where Alice was the actor

By Target:

Filter by: bob@example.com  
Shows events affecting Bob (invited, role changed, removed, etc.)

Exporting Audit Logs

Available Formats:

• CSV: Excel/spreadsheet analysis
• JSON: Programmatic processing
• PDF: Human-readable reports

Export Process:

1. Apply desired filters
2. Click Export button
3. Select format
4. Choose date range
5. Download file

Use Exported Logs For:

• Long-term compliance archives (beyond retention period)
• Detailed analysis in BI tools
• Security information and event management (SIEM) ingestion
• Incident response documentation
• Internal audit evidence

Best Practices

Regular Review Schedule:

• Daily: Owners/Admins check for critical security events (5 min)
• Weekly: Review member activity and resource changes (15 min)
• Monthly: Generate usage reports and archive exports (30 min)
• Quarterly: Comprehensive access review for compliance (1-2 hours)

Alerting Strategy: Set up automatic alerts (via email/Slack) for:

• Multiple failed login attempts (3+ in 10 minutes)
• Role escalations (Member → Admin, Admin → Owner)
• Organization deletion attempts
• Billing changes or payment failures

Documentation: Maintain an incident log that references audit log entries:

Incident #23 - Unauthorized Access Attempt
Date: 2024-01-15
Audit Log Entry: See logs from 03:45-04:00 UTC
Actor: Unknown (failed attempts on bob@example.com)
Resolution: Forced password reset, enabled 2FA requirement

Access Control: Restrict audit log access to:

• Owners: Full access to all logs
• Admins: Read access to relevant organization logs
• Members: Cannot view organization audit logs
• Viewers: Cannot view organization audit logs

Validation

Audit logs accessible and understandable
Recent events visible and correctly logged
Filtering and search functionality tested
Export capability tested (Business+ plans)
Regular review schedule established
Alert configuration reviewed

Step 8: Create Team Practices Document (6-10 minutes)

Documentation ensures consistent team collaboration. This final step creates a living document that guides team members on how to use Jetty effectively within your organization.

Why Document Team Practices?

Onboarding Efficiency: New team members can self-serve answers to common questions

Consistency: Everyone follows the same patterns and conventions

Knowledge Preservation: Critical information survives team member turnover

Reduced Support Load: Clear documentation reduces repetitive questions

Document Structure

1. Organization Overview

# Jetty Tunnel Practices - Acme Engineering Team

## Organization Details
- **Name:** Acme Engineering
- **Dashboard:** [https://usejetty.online/org/acme-engineering](...)
- **Primary Region:** US East
- **Primary Use:** Development environment sharing and demos

## Team Contacts
- **Owners:** jane@acme.com, john@acme.com
- **Admins:** alice@acme.com (DevOps Lead), bob@acme.com (Backend Lead)
- **Support Channel:** #dev-tunnels on Slack
- **Billing Questions:** billing@acme.com

2. Getting Started

## New Member Onboarding

### Step 1: Accept Invitation
You'll receive an email invitation to join the organization.
Click the link and follow the signup/login process.

### Step 2: Install the CLI
```bash
curl -fsSL https://usejetty.online/install/jetty.sh | bash

Step 3: Authenticate

jetty auth:login
# Paste your API token when prompted
# Get token from: https://usejetty.online/settings/tokens

Step 4: Verify Organization Access

jetty organization:list
# You should see "Acme Engineering" in the list

Step 5: Create Your First Tunnel

cd ~/projects/my-app
npm run dev  # or your local server command
jetty share --subdomain my-name-dev

3. Naming Conventions

## Tunnel Naming Standards

### Pattern: `{team}-{project}-{environment}`

 **Good Examples:**
- `frontend-webapp-dev` - Frontend team, webapp project, dev environment
- `backend-api-staging` - Backend team, API, staging
- `mobile-app-preview` - Mobile team, app previews

 **Bad Examples:**  
- `test` - Not descriptive
- `alices-tunnel` - Person-specific
- `temp-123` - Temporary naming

### Reserved Subdomains We Use

| Subdomain | Purpose | Owner | Usage |
|-----------|---------|-------|-------|
| `acme-dev` | Shared development | Everyone | Daily development sharing |
| `acme-staging` | QA testing | QA Team | Pre-production testing |
| `acme-demo` | Client demos | Sales/PM | Customer presentations |
| `frontend-dev` | Frontend team | Frontend | Team-specific development |
| `backend-api` | Backend API | Backend | API development and testing |

**Usage Rules:**
- Announce in #dev-tunnels when claiming a shared subdomain
- Release subdomain when done (close tunnel)
- Don't hold reserved subdomains for >24 hours
- Use personal subdomains for long-running work

4. Security & Data Handling

## Security Policies

### Two-Factor Authentication
- **Required** for all team members
- Enable at: https://usejetty.online/settings/security
- Use authenticator app (Authy, Google Authenticator, 1Password)

### API Token Management
- **Never share** API tokens between team members
- **Revoke tokens** when switching machines or if compromised
- **Name tokens** descriptively: "Macbook Pro 2024", "CI Server"
- **Rotate tokens** annually or when team member leaves

### Data to NEVER Tunnel
 Production databases  
 Customer PII without redaction  
 Credit card information  
 Unencrypted passwords or secrets  
 Proprietary trade secrets  

### Safe to Tunnel
 Development environments  
 Test/dummy data  
 Staging environments with fake data  
 Demo applications  
 Internal tools  

### Redaction Rules
Our organization automatically redacts:
- Credit card numbers → **** **** **** 1234
- Social Security Numbers → ***-**-6789
- API keys → [REDACTED]
- Authorization headers → [REDACTED]

**If you need to debug with sensitive data:**
Contact an admin to temporarily adjust redaction rules.

5. Common Workflows

## Daily Development Workflow

### Sharing Work for Team Review
```bash
# Start your local server
npm run dev

# Create tunnel with descriptive name
jetty share --subdomain my-feature-review

# Share in Slack
Post in #dev-channel: "PR #234 ready for review: 
https://my-feature-review.tunnels.usejetty.online"

# Close when done
Press Ctrl+C to close tunnel

QA Testing Workflow

# QA team: claim staging subdomain
jetty share --subdomain acme-staging

# Run tests against staging tunnel
npm run test:e2e -- --baseUrl https://acme-staging.tunnels...

# Leave tunnel open during testing day
# Close at end of day or when tests complete

Client Demo Workflow

# Book the demo subdomain in #dev-tunnels
Message: "Booking acme-demo for client call today 2-3pm"

# Start tunnel 15 minutes before demo
jetty share --subdomain acme-demo

# Verify everything works
curl https://acme-demo.tunnels.usejetty.online

# Close after demo

CI/CD Integration

GitHub Actions

# .github/workflows/preview.yml
- name: Start tunnel for E2E tests
  env:
    JETTY_API_TOKEN: ${{ secrets.JETTY_API_TOKEN }}
  run: |
    jetty share --subdomain ci-testing --daemon
    echo "TUNNEL_URL=https://ci-testing.tunnels..." >> $GITHUB_ENV

- name: Run E2E tests
  run: npm run test:e2e -- --baseUrl $TUNNEL_URL

##### 6. Troubleshooting

```markdown
## Common Issues & Solutions

### Issue: "Tunnel not connecting"
**Symptoms:** CLI shows "Connecting..." but never succeeds

**Solutions:**
1. Check local server is running: `curl localhost:3000`
2. Verify firewall isn't blocking: `jetty status`
3. Check network connectivity: `ping usejetty.online`
4. Try different port: `jetty share --port 3001`
5. Check for VPN issues
6. Contact #dev-help if persists

### Issue: "Subdomain already in use"
**Symptoms:** Error: "acme-dev is currently claimed"

**Solutions:**
1. Check #dev-tunnels to see who's using it
2. Ask them if they're done: "@user are you still using acme-dev?"
3. Use a different subdomain: `jetty subdomain:list`
4. Create personal subdomain: `jetty share --subdomain yourname-dev`

### Issue: "Authentication failed"
**Symptoms:** CLI rejects API token

**Solutions:**
1. Regenerate token: https://usejetty.online/settings/tokens
2. Re-authenticate: `jetty auth:logout && jetty auth:login`
3. Check token wasn't copied with extra spaces
4. Verify organization access with admin

### Issue: "SSL/TLS errors"
**Symptoms:** Browser shows certificate warnings

**Solutions:**
1. This shouldn't happen with Jetty tunnels (auto-SSL)
2. Clear browser cache and retry
3. Try different browser
4. Contact support - may be certificate provisioning issue

## When to Escalate

**Contact Admins** (alice@acme.com, bob@acme.com):
- Need role change or permissions
- Reserved subdomain requests
- Organization settings questions

**Contact Owners** (jane@acme.com, john@acme.com):
- Billing or subscription issues
- Need to add/remove team members
- Major policy changes

**Contact Jetty Support** (support@usejetty.online):
- Platform bugs or outages
- Feature requests
- Technical issues admins can't resolve

7. Best Practices

## Team Best Practices

### Communication
 Announce when claiming shared reserved subdomains  
 Tag relevant people when sharing tunnel URLs  
 Document long-running tunnels (>24 hours) in project tracker  
 Use descriptive names so teammates understand context  

### Resource Management
 Close tunnels when done - don't leave them running indefinitely  
 Release reserved subdomains for others to use  
 Delete old tunnels you're no longer using  
 Review your tunnels monthly and clean up  

### Security
 Enable 2FA on your account  
 Keep API tokens secure and private  
 Report suspicious activity immediately  
 Follow data handling guidelines  
 Log out on shared machines  

### Performance
 Close tunnels when not actively using them  
 Use appropriate regions for your location  
 Monitor tunnel traffic for unusual patterns  
 Report performance issues to admins  

8. Support & Resources

## Getting Help

### Internal Support
- **Slack:** #dev-tunnels (general questions)
- **Slack:** #dev-help (technical issues)
- **Email:** devops@acme.com (admin team)

### Jetty Resources
- **Documentation:** https://usejetty.online/docs
- **Support:** support@usejetty.online
- **Status Page:** https://status.usejetty.online
- **Community:** https://discord.gg/jetty

### Related Internal Docs
- [Development Environment Setup](...)
- [Code Review Process](...)
- [Production Deployment Guide](...)

Sharing Your Document

Where to Publish:

1. Team Wiki: Confluence, Notion, GitHub Wiki
2. Shared Drive: Google Docs, Dropbox Paper
3. Internal Docs Site: If you have one
4. Jetty Organization: Link in organization description field

How to Share:

• Pin in Slack #dev-tunnels channel
• Include in new hire onboarding checklist
• Link from project README files
• Reference in engineering handbook
• Present at team meeting

Keeping It Updated:

• Assign an owner (usually an admin)
• Review quarterly or after major changes
• Accept feedback and suggestions from team
• Version the document (add "Last Updated" date)
• Notify team when significant changes are made

Template Resources

Simple Template (Markdown):

# [Team Name] Jetty Practices

## Quick Start
[Installation and setup steps]

## Naming Conventions  
[Your patterns]

## Reserved Subdomains
[Your list]

## Security Rules
[Your policies]

## Troubleshooting
[Common issues]

## Contacts
[Who to ask]

Comprehensive Template (Notion/Confluence): Use the full structure outlined above with:

• Embedded videos or screenshots
• Inline code blocks
• Collapsible sections
• Table of contents
• Search functionality

Validation

Document created and accessible to all team members
All sections completed with your organization's details
Real examples from your team's usage included
Linked from Jetty organization description
Shared in team communication channels
Owner assigned for ongoing maintenance
Team members aware of the document and where to find it

Tutorial Complete

What You've Accomplished

You've successfully set up a complete team collaboration environment:

Organization created with clear purpose and structure
Team members invited and assigned appropriate roles
Shared resources established with reserved subdomains
Security policies configured to protect sensitive data
Billing setup to ensure uninterrupted service
Audit logging enabled for transparency and compliance
Team practices documented for consistency and onboarding

Your team is now ready to collaborate effectively with Jetty!

Next Steps

1. Complete Team Onboarding

• Invite remaining team members
• Share team practices document
• Schedule onboarding sessions if needed
• Collect feedback on organization setup

2. Integrate with Your Workflows

• Set up CI/CD integrations (GitHub Actions, GitLab CI, etc.)
• Connect monitoring and alerting tools
• Configure webhook notifications for internal systems
• Integrate with project management tools

3. Advanced Features

• Configure custom domains for branded tunnel URLs
• Set up path-based routing rules
• Implement advanced redaction patterns
• Enable enterprise SSO if available

4. Establish Ongoing Practices

• Schedule monthly usage reviews
• Review audit logs weekly
• Update team practices document quarterly
• Collect team feedback and iterate on policies

Support Resources

Documentation:

• Team Management Guide
• Two-Factor Authentication
• Billing & Subscriptions
• Audit Logging

Community:

• Discord Community
• GitHub Discussions
• Feature Requests

Support:

• Email: support@usejetty.online
• Dashboard: Use chat widget (bottom right)
• Status: https://status.usejetty.online

Share Your Feedback

We'd love to hear about your team collaboration setup experience:

• How long did it take?
• What was confusing or unclear?
• What would make it better?
• What's missing from this tutorial?

Send feedback: Tutorial Feedback Form

Appendix

Role Permission Matrix

CLI Quick Reference

# Authentication
jetty auth:login                    # Authenticate with API token
jetty auth:logout                   # Log out
jetty auth:status                   # Check authentication status

# Organization Management
jetty organization:list             # List your organizations
jetty organization:switch acme      # Switch to organization
jetty organization:info             # Show current org details

# Subdomain Management
jetty subdomain:list                # List reserved subdomains
jetty subdomain:status acme-dev     # Check subdomain availability

# Tunnel Creation
jetty share                         # Quick share (random subdomain)
jetty share --subdomain acme-dev    # Use reserved subdomain
jetty share --port 3000             # Specify port
jetty share --daemon                # Run in background

# Tunnel Management
jetty tunnel:list                   # List your tunnels
jetty tunnel:info tun_abc123        # Get tunnel details
jetty tunnel:delete tun_abc123      # Delete tunnel
jetty tunnel:logs tun_abc123        # View tunnel logs

# Status & Debugging
jetty status                        # Check CLI and connection status
jetty version                       # Show CLI version
jetty update                        # Update to latest version

Common Error Messages

Glossary

Organization: A shared workspace for team collaboration
Reserved Subdomain: Pre-claimed subdomain name for team use
Tunnel: Secure connection from public URL to local development server
Audit Log: Record of all actions taken in the organization
Role: Set of permissions assigned to team members
Owner: Highest privilege role with billing and deletion access
Admin: Administrative role without billing access
Member: Standard team member with tunnel creation
Viewer: Read-only access to organization resources
2FA: Two-factor authentication for enhanced security
RBAC: Role-based access control system

Tutorial Version: 1.0.0
Last Updated: 2024-01-15
Feedback: Share your experience