Who can open your app

Project access rules let you protect internal web apps without adding authentication code to each application. You choose the audience once for the Project, and Tokay handles sign in before a request reaches its web apps.

Last updated

These controls live on the Project's Access tab.

New web apps start public

Anyone with the URL can open a new web app. This keeps a first deployment usable for a public site, demo, or API without requiring access configuration.

Change the audience to Specific people when the app becomes an internal tool or a client facing application.

Audience rules can describe the real group

The available rules can be combined.

  • Anyone in the Workspace admits Tokay teammates.
  • Approved email domains admit anyone who can receive email at a domain such as @yourcompany.com.
  • Specific invited people admit individual addresses for clients or contractors.

Before saving, Tokay explains whether current visitors will lose access or whether the app is becoming available to anyone with the URL.

Visitors sign in by email

A visitor who is not signed in enters an email address and receives a magic link. After confirmation, Tokay returns them to the original app.

There is no password or separate Tokay account to create. Sign-in covers the Project, so a visitor can open sibling web apps allowed by the same audience without repeating the flow.

Add a logo and short message from the Access tab when the sign in page should identify the application or company.

Access changes take effect within seconds

Removing an invited person or narrowing the audience invalidates their current access. You do not need to wait for the existing session to expire.

The access log explains who got through

The people view records invited visitors, who signed in, denied requests, Workspace access, and machine token calls. Each row shows the identity, the rule that allowed or denied access, and recent activity.

Use this page to answer who can reach the Project's apps and who has used them.

Public paths and machine callers use explicit exceptions

A protected web app can open a specific route for a webhook or public API. See Public endpoints.

Scripts, CI jobs, and other machine callers should use Machine tokens so the request is authenticated and attributable.