Protect Docs With Access

Recommended path

Use Cloudflare Access, not an app-level password page.

The site can stay static while Cloudflare puts an identity gate in front of docs.mementropy.com.

The short version

Good now

Self-hosted Access app with One-time PIN for a short list of trusted email addresses.

Better later

Switch to a real identity provider and group-based policies when more people need access.

Setup paths

Solo

1. Create an Access application for docs.mementropy.com.
2. Use One-time PIN as the login method.
3. Add an Allow policy for only the email addresses you trust.
4. Set a session duration short enough that a shared machine does not effectively become public access.

Team

1. Create the Access application for docs.mementropy.com.
2. Connect Google, GitHub, Okta, or another identity provider.
3. Allow a known group or domain rather than broad public identities.
4. Keep machine access separate with service tokens if automation shows up later.

Do not forget the alternate URLs

1. Enable preview deployment access in the Pages project so branch preview URLs are not public.
2. Protect docs.mementropy.com with a self-hosted Access application.
3. Redirect the production *.pages.dev hostname to docs.mementropy.com so the default public hostname is not the main entry point.

“Password protected” is not the best mental model here.

Access is stronger when it is treated as an identity policy in front of the hostname. One-time PIN is the lightest version of that, not the long-term goal.