Visitor Access Control

Netlify provides two mechanisms to restrict access to your site.

Password Protection

This feature may not be available on all plans.

Netlify’s password protection blocks all access to your site for visitors who don’t have the password.

To set this global password, go to the Access section in your site’s settings and click the Set Password button. After setting this password, all access to your site will be blocked unless a visitor knows the password you set. To make the site public again, go to the same section and remove the password by clicking the Edit Password button.


If you need multiple passwords for a site, or need to protect just part of your site, you can set up Basic-Auth via Netlify’s custom HTTP header support. We’ve demonstrated a common use case around using this feature to automatically protect specific branch deploys.

Role-based access controls with JWT tokens

This feature may not be available on all plans.

Role-based access controls allow you to set more granular access to your site or to specific pages. We use JWT tokens, roles, and redirect rules to grant access to those sections.

You can use any third-party authentication provider that supports JWT tokens to complement this feature, like Auth0 and Okta. Please note that you cannot authenticate third-party JWT tokens if you have Netlify Identity enabled on a site.

Before setting up Netlify’s access control, generate a JWT application in your provider of choice. Then take the application’s client secret, go to the Access section of your Netlify site’s settings, and click Set JWT secret. We need this secret to verify the access tokens for your site.

Once you’ve configured your site, go back to your authentication provider and set roles for the Identity users you want to grant access to. For example, you can set specific roles for people in a specific GitHub organization, or with a specific company email.

We use the app_metadata element in the token to read the Identity user roles. The same Identity user can have one or more roles to access different pages in your site. Make sure the app_metadata for your Identity users has this format:

  "app_metadata": {
    "authorization": {
      "roles": ["admin", "editor"]
    }
  }

Use our _redirects file to configure the page access control for your site. There you can set special conditions to restrict role access. For example, you can use a rule like the one below to restrict access to a page only to users with the role admin or with the role editor:

/admin/*	200!	Role=admin,editor

You can read more about these special conditions in our Redirects documentation.
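
The check this setup implies, as an added Python sketch that is not Netlify's code: verify the token's signature with the shared secret, read app_metadata.authorization.roles, and compare the roles with the rule's Role= condition. HS256 signing, the exp check, the secret value, and every function name here are assumptions of the example.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes) -> str:
    """Build an HS256 token (stands in for the authentication provider)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verified_roles(token: str, secret: bytes, now=None) -> list:
    """Return the roles claim only if alg, signature and expiry check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return []  # pin the algorithm; never let the header pick "none"
        mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            return []  # payload or signature was altered, or wrong secret
        claims = json.loads(b64url_decode(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return []  # assumption of this sketch: tokens must carry exp
        roles = claims["app_metadata"]["authorization"]["roles"]
        return [r for r in roles if isinstance(r, str)] if isinstance(roles, list) else []
    except (ValueError, KeyError, TypeError, AttributeError):
        return []  # malformed token: fail closed

def rule_roles(rule: str) -> set:
    """Extract the Role= condition from one _redirects line."""
    for field in rule.split():
        if field.startswith("Role="):
            return set(field[len("Role="):].split(","))
    return set()

def is_allowed(token: str, secret: bytes, rule: str, now=None) -> bool:
    return bool(rule_roles(rule) & set(verified_roles(token, secret, now)))

SECRET = b"constructed-demo-secret"          # constructed, not a real secret
RULE = "/admin/*\t200!\tRole=admin,editor"    # the rule shown above
def demo_token(roles, exp=2_000_000_000):    # constructed sample token
    return sign({"exp": exp, "app_metadata": {"authorization": {"roles": roles}}}, SECRET)
```

A token whose payload is swapped for one claiming admin fails the HMAC comparison, so the role list is trusted only after the signature check passes.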
