
Netlify builds, deploys, and hosts your front end.

Netlify provides two mechanisms to restrict access to your site.

These features are available in our Paid plans.

Password Protection

Netlify’s password protection blocks all access to your site for visitors who do not have the password.

To set this global password, go to the Access section in your site’s dashboard and click the Set Password button. After setting this password, all access to your site will be blocked unless a visitor knows the password you set. To make the site public again, go to the same section and remove the password by clicking the Edit Password button.

If you need multiple passwords for a site, or need to protect just part of your site, you can set up Basic-Auth via Netlify’s custom HTTP header support.

Role based access controls with JWT tokens

Role-based access controls allow you to set more granular access to your site or to specific pages. We use JWT tokens, roles and redirect rules to grant access to those sections.

You can use any third-party authentication provider that supports JWT tokens to complement this feature, like Auth0 and Stormpath.

Before setting up Netlify’s control, generate a JWT application in your provider of choice. Then, take the application’s client secret, go to your Netlify site’s Access section and click Set JWT secret. We need this secret to verify the access tokens for your site.

Once you’ve configured your site, go back to your authentication provider and set roles for the users you want to grant access to. For example, you can set specific roles for people in a specific GitHub organization, or with a specific company email. We use the app_metadata element in the token to read the user roles. The same user can have one or more roles to access different pages in your site. Make sure the app_metadata for your users has this format:

{
  "app_metadata": {
    "authorization": {
      "roles": ["admin", "editor"]
    }
  }
}

Use our _redirects file to configure the page access control for your site. There you can set special conditions to restrict role access. For example, you can use a rule like the one below to restrict access to a page only to users with the role admin or with the role editor:

/admin/*	200!	Role=admin,editor

You can read more about these special conditions in our Redirects documentation.
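
To make the check concrete, here is an added example (not Netlify's code) of how a token can be verified against the shared secret and matched to a Role condition. It assumes HS256-signed tokens; the function names, the secret and the sample tokens are constructed for illustration, and expiry checks are left out.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a test token the way a provider would (constructed input only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def roles_from_token(token: str, secret: bytes) -> list:
    """Return the verified roles, or [] if the token cannot be trusted."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it (e.g. "none").
        if header.get("alg") != "HS256":
            return []
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        # Constant-time comparison; claims are parsed only after this passes.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return []
        claims = json.loads(b64url_decode(body_b64))
        roles = claims["app_metadata"]["authorization"]["roles"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return []
    if not isinstance(roles, list):
        return []
    return [r for r in roles if isinstance(r, str)]

def rule_allows(condition: str, roles: list) -> bool:
    """condition is the third column of a rule, e.g. 'Role=admin,editor'."""
    key, _, value = condition.partition("=")
    return key == "Role" and bool(set(value.split(",")) & set(roles))

SECRET = b"constructed-demo-secret"  # placeholder, not a real client secret
EDITOR = sign_hs256({"app_metadata": {"authorization": {"roles": ["editor"]}}}, SECRET)
VIEWER = sign_hs256({"app_metadata": {"authorization": {"roles": ["viewer"]}}}, SECRET)
```

A token with a missing or malformed app_metadata element yields no roles, so a page behind a Role condition stays closed to it.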

