SSO & Access Control

Restrict who can access your deployed apps with Telbase access protection. Add email-based login, Google, Microsoft, or GitHub sign-in with a single command. Visitors must authenticate before they can reach your app.

What Access Protection Does

Access protection adds an authentication gate in front of your deployed app, powered by Cloudflare Access. When enabled, visitors see a login page before they can reach any page of your app.

Separate from your app's auth
Access protection is independent of any authentication your app has internally. It protects the entire app at the network level — unauthenticated requests never reach your code. Think of it as a locked front door for your deploy URL.

This is ideal for internal tools, prototypes, and staging environments where you want to limit access to your team or specific people.

Enabling Access Control

1. Choose an identity provider

Pick how users will authenticate. Email code (onetimepin) works immediately with no setup. Google, Microsoft, and GitHub require Cloudflare Zero Trust configuration.

2. Enable access protection

Run the enable command from the CLI or toggle it in the dashboard under Settings → Access Control.

bash
# Enable with email code authentication
telbase access enable onetimepin

# Verify it's active
telbase access status

3. Test the login

Visit your app's URL. You should see a login page asking for authentication before you can access the app.

Identity Providers

Email code (onetimepin) is the simplest option. Users enter their email address and receive a one-time code. No external setup is required.

bash
telbase access enable onetimepin

Combine with domain restrictions to limit which email addresses can request a code.

Domain Restrictions

Restrict access to users with email addresses from specific domains. Only matching emails can authenticate, regardless of the identity provider.

bash
# Allow only company.com emails
telbase access domain add company.com

# Add multiple domains
telbase access domain add company.com partner-org.com

# List allowed domains
telbase access domain list

# Remove a domain
telbase access domain remove partner-org.com

Domain restrictions + email code
When using email code with a domain restriction, only emails matching the allowed domains can request a login code. This is the fastest way to restrict access to your organization without any SSO configuration.

Email Allowlist

Allow specific email addresses to access your app, even if they don't match any domain restriction. Useful for contractors, partners, or external reviewers.

bash
# Allow a specific email
telbase access allow [email protected]

# List allowed emails
telbase access users

# Remove an allowed email
telbase access remove [email protected]
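
The admission rule described in the Domain Restrictions and Email Allowlist sections (an address gets in if its domain is allowed or it is explicitly allowlisted), modeled as an added Python example for reviewing a configuration before sharing a deploy URL. It is not Telbase or Cloudflare code; the exact, case-insensitive domain comparison, the function names, and the sample addresses are assumptions.

```python
# Added illustration: a model of the admission rule described above, not
# Telbase's or Cloudflare's implementation. Exact, case-insensitive domain
# matching is an assumption.

def normalize(email):
    """Return (local, domain) lower-cased, or None unless there is exactly one '@'."""
    local, sep, domain = email.strip().lower().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return local, domain


def admitted_by(email, allowed_domains, allowed_emails):
    """Return 'allowlist', 'domain', or None (denied) for one address."""
    parts = normalize(email)
    if parts is None:
        return None
    local, domain = parts
    # An allowlisted address is admitted even if its domain is not allowed.
    if f"{local}@{domain}" in {e.strip().lower() for e in allowed_emails}:
        return "allowlist"
    # Compare the whole domain: a suffix test (endswith) would also admit
    # look-alike domains such as "evilcompany.com".
    if domain in {d.strip().lower() for d in allowed_domains}:
        return "domain"
    return None


# Constructed sample configuration and sign-in addresses.
DOMAINS = ["company.com"]
ALLOWLIST = ["reviewer@partner.example"]
ATTEMPTS = [
    "alice@company.com",                 # allowed domain
    "Alice@COMPANY.com",                 # same address, different case
    "reviewer@partner.example",          # allowlisted individual
    "bob@evilcompany.com",               # look-alike suffix
    "carol@mail.company.com",            # subdomain, not listed itself
    "dave@company.com@other.example",    # malformed: two '@'
]


def audit(attempts=ATTEMPTS):
    """Map each address to the rule that admits it, or None if denied."""
    return {a: admitted_by(a, DOMAINS, ALLOWLIST) for a in attempts}


if __name__ == "__main__":
    for addr, reason in audit().items():
        print(f"{addr:36} {reason or 'DENY'}")
```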

Session Management

Authenticated users receive a session that lasts 24 hours by default. After the session expires, they must re-authenticate.

bash
# Set custom session duration
telbase access enable onetimepin --session 8h

# Revoke all active sessions (force re-login)
telbase access revoke

# List active sessions
telbase access users

Session duration accepts values like 1h, 8h, 24h, 7d, or 30d.

Cloudflare Zero Trust Setup

Required for Google, Microsoft, and GitHub
Email code authentication works out of the box. Google, Microsoft, and GitHub identity providers require additional configuration in your Cloudflare Zero Trust dashboard before they can be used with Telbase.

To configure an external identity provider:

  1. Log in to your Cloudflare Zero Trust dashboard at one.dash.cloudflare.com
  2. Go to Settings → Authentication → Login methods
  3. Add the identity provider (Google, Azure AD, or GitHub) and follow the setup wizard
  4. Once configured in Cloudflare, enable it in Telbase with telbase access enable google (or the appropriate provider)

The email code provider (onetimepin) is preconfigured and does not require any Cloudflare setup.
