# Public endpoints

A protected web app sometimes needs one path that outside systems can call. A private dashboard might receive Stripe events at `/webhooks/stripe`, for example. Public endpoints open only the paths you choose while the rest of the app still requires sign in.

Public endpoint rules live on the Project's **Access** tab and apply to one Service.

## Open the smallest useful path

An endpoint rule can match one exact path or one subtree.

- `/webhooks/stripe` matches that path, with or without a trailing slash.
- `/api/public/*` matches paths below `/api/public/`, but not `/api/public` itself.

A wildcard can appear only at the end of a rule. This keeps a narrow exception from accidentally opening unrelated parts of the app. To make the whole app public, change the Project audience instead.

## Public requests skip Tokay sign in

Anyone who knows a public endpoint can call it. Your code should still verify the caller when the sender provides a verification method.

For webhooks, verify signatures from Stripe, GitHub, or the service sending the request. Prefer an exact path when one endpoint is enough.

## Use a machine token for callers you control

A script, CI job, or internal service should usually authenticate rather than use a public path. A [machine token](machine-tokens.md) lets the caller through Tokay's access layer and records its identity in the access log.
