Access control
Make a site private with a password or invite-only email allowlist
By default every shiply site is public. On a paid plan you can lock one down two ways — both enforced at the edge before any content is served, so protected files never reach an unauthorized browser.
Modes
- Public — anyone with the link can view (default).
- Password — visitors enter a shared password. Good for client previews.
- Invite-only — only allowed email addresses or domains can request a one-time login code by email.
Setting it
Dashboard: open a site → Access card → pick a mode → Save.
API (Bearer shp_ key):
# Password-protect
curl -X PATCH https://shiply.now/api/v1/publishes/<slug>/access \
-H "Authorization: Bearer shp_..." -H "content-type: application/json" \
-d '{"mode":"password","password":"my-secret"}'
# Invite-only by domain + specific people
curl -X PATCH https://shiply.now/api/v1/publishes/<slug>/access \
-H "Authorization: Bearer shp_..." -H "content-type: application/json" \
-d '{"mode":"restricted","allowedDomains":["acme.com"],"allowedEmails":["vip@gmail.com"]}'
# Make public again
curl -X PATCH https://shiply.now/api/v1/publishes/<slug>/access \
-H "Authorization: Bearer shp_..." -H "content-type: application/json" \
-d '{"mode":"public"}'
GET /api/v1/publishes/<slug>/access returns the current policy (never the password hash). Agents can use the set_site_access MCP tool.
How sessions work
After a visitor authenticates, they get a signed shiply_access cookie that
lasts 7 days. Changing any access setting signs everyone out — each change
bumps an internal version that invalidates all existing cookies.
Allow-lists hold up to 200 emails and 200 domains. A PATCH replaces the lists entirely, so read the current policy first if you're adding to them.
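Added example (not shiply's own code): a read-merge-PATCH helper for the replace-on-PATCH behaviour and 200-entry cap described above, which also skips no-op writes because any access change signs every visitor out. It assumes the GET response uses the same field names as the PATCH body and that de-duplicating entries case-insensitively is acceptable; `merge_allowlist`, `add_to_allowlist` and `SAMPLE_POLICY` are hypothetical names.

```python
import json
import urllib.request

API = "https://shiply.now/api/v1/publishes/{slug}/access"  # endpoint from the page
MAX_ENTRIES = 200  # per-list cap stated on the page
# Constructed sample of a GET response; the shape is assumed, not documented.
SAMPLE_POLICY = {"mode": "restricted", "allowedDomains": ["acme.com"],
                 "allowedEmails": ["vip@gmail.com"]}


def merge_allowlist(current, add_emails=(), add_domains=()):
    """Build the full PATCH body, or return None when nothing changes."""
    # Assumption: GET returns the PATCH field names (mode, allowedEmails, allowedDomains).
    if current.get("mode") != "restricted":
        raise ValueError("site is not invite-only; set the mode explicitly")

    def extend(existing, extra):
        out = list(existing)  # keep existing entries exactly as stored
        seen = {e.lower() for e in out}
        for item in extra:
            item = item.strip()
            if item and item.lower() not in seen:  # case-insensitive dedupe
                seen.add(item.lower())
                out.append(item)
        if len(out) > MAX_ENTRIES:
            raise ValueError(f"list would hold {len(out)} entries, cap is {MAX_ENTRIES}")
        return out

    old_emails = current.get("allowedEmails", [])
    old_domains = current.get("allowedDomains", [])
    emails, domains = extend(old_emails, add_emails), extend(old_domains, add_domains)
    if emails == list(old_emails) and domains == list(old_domains):
        return None  # no-op: a PATCH here would only sign every visitor out
    return {"mode": "restricted", "allowedEmails": emails, "allowedDomains": domains}


def _call(method, slug, key, body=None):
    req = urllib.request.Request(
        API.format(slug=slug), method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {key}", "content-type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def add_to_allowlist(slug, key, emails=(), domains=()):
    body = merge_allowlist(_call("GET", slug, key), emails, domains)
    return None if body is None else _call("PATCH", slug, key, body)
```

The page describes no conditional update for this endpoint, so two writers running the helper at the same time can still overwrite each other; route allow-list changes through a single job.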
How private is it, really?
Access checks run at the edge before content is returned, and the gate page never contains your files. One honest caveat: published file bytes live behind unguessable, content-addressed CDN URLs — they aren't linked from a protected page, but they are not themselves password-checked. For truly sensitive data, treat this as "unlisted + gated", not military-grade secrecy. Streaming protected files fully through the access check is a planned hardening step.
Password and invite-only sites require a paid plan; upgrade at /dashboard/plan.