Route any HTTP request through a saved SSH connection — bastion, jump host, lab gateway,
customer VPN. No ssh -L,
no kubectl port-forward,
no Postman environments that die when your laptop sleeps.
Tunnels you maintain by hand are tunnels that break.
The old way
Forward a port. Hope nothing sleeps.
# 1. Open a tunnel and pray it stays up
ssh -L 8443:api.lab.internal:443 \
user@bastion.corp.example -N -f
# 2. Bend curl into believing localhost is the API
curl --resolve api.lab.internal:8443:127.0.0.1 \
https://api.lab.internal:8443/v1/health
# 3. Re-set up Postman's environment# 4. Reconnect VPN. Goto 1.
· Dies every laptop-sleep, every VPN reconnect.
· Port collisions with the Docker container you forgot you started.
· The teammate fixing it tomorrow has no idea what your local mapping is.
· Postman environments hard-coded to localhost:8443 ship to nobody.
The ShellYard way
Tunnel-via, in one dropdown.
1Open SSH to your bastion. (Already in your Connections sidebar from the first time you used it.)
2In the HTTP client, click the Tunnel via pill — pick the SSH session.
3Send GET https://api.lab.internal/v1/health. The request resolves DNS, headers, TLS, and the body from the bastion's network. Response comes back in the same panel.
Persistent. Save the Tunnel-via on the request,
the environment, or the whole collection. It restores on next launch. Teammates in the
same Shared Space inherit the same routing.
What ships
A real HTTP client. Tunnel routing built in. One window.
Any SSH connection becomes a route.
Bastions, jump hosts, AWS SSM-managed private instances, ProxyJump multi-hops. If your laptop reaches it over SSH, you can route an HTTP request through it.
REST, GraphQL, WebSocket, SSE.
Full HTTP client — methods, headers, body editor, env vars, OAuth2 / Bearer / Basic / API-key presets, response viewer with JSON pretty-print and timing breakdown.
Magellan explains the response.
Attach the response to the AI assistant — get a plain-English summary of a 503 cascade, a long JSON payload, or a confusing CORS error. BYO Anthropic / OpenAI / Gemini / Ollama key. Prompts go direct to the provider, never through us.
Save it next to the SSH session.
Request, response, and explanation drop into a note or runbook in the same Space — alongside the bastion connection that made the call. Next engineer hitting the same problem finds your fix, not your shell history.
Compared to Postman + ssh -L
The differences that matter when the API is private.
Postman + ssh -L
ShellYard
Tunnel lives where?
Detached background SSH process. Invisible to teammates. Dies on sleep.
On the request, the env, or the collection. Restores on next launch.
Endpoint URL in the request
https://localhost:8443 + a --resolve dance for TLS to work.
The real URL — https://api.lab.internal/v1/health. DNS, TLS, headers all resolve remotely.
Share with a teammate
"Run this command, change this env var, hope your port is free." Goto Slack.
They open the same Shared Space. The request, the SSH connection, and the credentials all resolve.
Credentials
Bastion creds in ~/.ssh/config, API creds in a Postman env. Different places. Different rotations.
Both live in the vault — local AES-256-GCM on Free, KMS-wrapped cloud-synced on Pro+.
Postman v2.1 import
N/A
Supported. Bring your existing collections; layer tunnel-via on top.
Yes. Free covers SSH, the HTTP / GraphQL / Realtime client, tunnel-via routing, the 40+ network diagnostic toolkit, and Magellan AI with your own provider key. No credit card. No trial countdown. Pro ($24 / mo) adds persistent HTTP collections, environments, the collection runner, and cloud sync across machines.
Do I need to install an agent on the bastion?
No. ShellYard uses your existing SSH access — same credentials, same `~/.ssh/config`, same jump-host wiring. If your laptop can `ssh user@bastion`, ShellYard can route an HTTP request through it. No server-side install, no proxy daemon, no kernel module.
Does ShellYard see my requests?
No. The request goes from your machine, through the SSH session you opened, to your internal API. There is no ShellYard cloud component in the request path. Your URLs, headers, bodies, and responses never transit our infrastructure. Local Magellan models (Ollama / LM Studio) keep AI traffic on your machine too.
Will it work with my jump host / multi-hop / customer VPN?
Yes. ShellYard supports SSH jump hosts (ProxyJump-style) — open a session that hops through one or more bastions, and route the HTTP request through the final hop. Customer VPN networks, lab subnets, k8s clusters reachable from a bastion, AWS SSM-managed private instances — all the same flow.
Why not just use Postman with `ssh -L`?
You can — for a single endpoint, on one machine, until your laptop sleeps. The problems compound: localhost-mapped Postman environments don't survive `lsof` collisions, every reconnect needs a new tunnel, no teammate can reproduce your setup without your exact port allocation, and the tunnel state lives in a terminal you can't see. ShellYard makes the tunnel part of the request itself — saved with the collection, restored on next launch, visible in the request bar.
macOS, Windows, Linux?
All three. Signed and notarized on macOS (Apple Developer ID). Authenticode-signed on Windows via Azure Trusted Signing. .deb / .rpm / AppImage on Linux.
What about kubectl port-forward?
kubectl port-forward is the same shape of problem as `ssh -L` — it dies when the connection blips, it's invisible to your teammates, and it locks ports on your laptop. If your cluster is reachable from a bastion, ShellYard routes through that bastion's network and you skip port-forward entirely.
Try it on your own internal API in the next five minutes.
Install. Open the SSH connection you already use to reach the API. Click Tunnel via.
Send the request. If it doesn't work the way the rest of this page promises, uninstall — no
account required to try it.
