Hey!
We’ve enabled site-wide password protection via the “Visitor Access” setting in the Netlify dashboard. Everything works as expected, visitors are prompted for a password before accessing the site.
However, we now need to allow third-party services (like a CMS webhook) to POST to our /api/webhook route without being blocked by the password screen.
Is there a way to programmatically bypass or exclude specific routes (e.g. /api/*) from the site-wide password protection feature?
We don’t want to remove the password screen for the whole site, just allow machine-to-machine communication for things like webhook endpoints.
I know we could switch to using Basic Auth via headers and then whitelist certain routes, but we’re wondering if something similar is possible while using Netlify’s built-in password protection instead.
Thanks in advance!