Public endpoints

A protected web app sometimes needs one path that outside systems can call. A private dashboard might receive Stripe events at /webhooks/stripe, for example. Public endpoints open only the paths you choose while the rest of the app still requires sign in.

Last updated

Public endpoint rules live on the Project's Access tab and apply to one Service.

Open the smallest useful path

An endpoint rule can match one exact path or one subtree.

  • /webhooks/stripe matches that path, with or without a trailing slash.
  • /api/public/* matches paths below /api/public/, but not /api/public itself.

A wildcard can appear only at the end of a rule. This keeps a narrow exception from accidentally opening unrelated parts of the app. To make the whole app public, change the Project audience instead.

Public requests skip Tokay sign in

Anyone who knows a public endpoint can call it. Your code should still verify the caller when the sender provides a verification method.

For webhooks, verify signatures from Stripe, GitHub, or the service sending the request. Prefer an exact path when one endpoint is enough.

Use a machine token for callers you control

A script, CI job, or internal service should usually authenticate rather than use a public path. A machine token lets the caller through Tokay's access layer and records its identity in the access log.