Unique Argo Tunnel authentication per host via API

Newbie here. We are experimenting with Argo Tunnels. I see we need to log in or put our global PEM file on each server for Argo Tunnel to start. We want to deploy Argo Tunnels to multiple customers with unique host names using the API. Is there a way to give them a PEM file that is only good for their host name using the API? For example: customer1.ourservice.net. We want to make sure we don’t allow any customers to use our global PEM file to impersonate other host names. It’s not clear how to do this with the API for Argo Tunnels so that each customer’s Argo service runs separately and securely.

Try to log in once; it will create a .pem for the *.domain.com wildcard.
You can use the same cert across all your tunnels, as long as you don’t log in on the other tunnels.