slew docs/deploy/access-control

Access control

Every site on slew is public by default. Two more modes gate it — on every domain it serves on, the project subdomain and custom domains alike:

Mode Who gets in Good for
Public Anyone with the link Production sites
Password Anyone with the shared password Client previews, drafts
Org members GitHub sign-in + membership of the owning org Internal tools, team docs, staging

Pick the mode in the Access section of the project's overview in the web console. Changes reach the edge within about 30 seconds.

Password

slew password set "correct horse"
slew ──┐
          └────
'my-site' is password protected — visitors get an unlock screen on every domain it serves on.
Command Effect
slew password Is this site protected?
slew password set <password> Gate the whole site (4–128 characters)
slew password rm Make the site public again
slew share <path> --password <pw> Create a protected temporary share

Visitors get a slew unlock screen and stay unlocked for 12 hours per browser. Changing or removing the password invalidates every outstanding unlock immediately.

A site password keeps casual visitors and crawlers out; it is a shared secret, not per-user auth. Anyone with the password can view the site — rotate it whenever someone should lose access, and put nothing behind it that would hurt if it leaked. When you need real identities, use org members mode instead.

Org members

For projects owned by an organization. Visitors hit a members-only screen with Sign in with GitHub; slew confirms who they are and that they belong to the owning org, then lets them through — no extra accounts, no shared secrets. Access follows the member list: inviting someone grants it, removing them from the org locks them out of the site within a minute.

A personal project can't use this mode — transfer it to your org first (Transfer on the project overview, or POST /projects/:name/transfer).

How gating behaves

  • Everything is gated — pages, assets, server runtimes, APIs your app exposes.
  • Unlocking sets a signed, HTTP-only cookie scoped to that site's hostname, valid for 12 hours.
  • Protected sites stay on the CDN: unlocked visitors are served from the edge with a 5-minute freshness window instead of the usual year-long asset caching. Still fast; revoking access is complete within minutes.
  • Machine clients can pass a password gate by POSTing password=<pw> (form-encoded) to /__slew/unlock on the site and replaying the returned cookie.