Password Protection / Basic-Auth


We are building a site that has support for incoming webhooks (that are handled by a function) and Netlify CMS for content editing.

The issue now is that we need to password protect the site during the development, but if we use:
a) normal “Password Protection” -> the webhooks can’t get to the functions
b) Basic-Auth (defined in netlify.toml) -> Netlify CMS can’t access the /.netlify/identity

I’m currently trying to figure out if it is possible to use the basic auth (for = "/*") but somehow allow the /.netlify path. Any help with this would be appreciated.

Check out Redirects, which should allow you to:

  • use 200! “empty” redirect for /.netlify/* and /admin paths, so they’re always available (by “empty” I mean no path to redirect to),
  • below that, use role-based redirect for /* (also “empty” redirect, as shown in the docs),
  • after that, a 401! to /admin, so they can log into Identity, which will allow them to see the site (if the role is correct).

So I think it would look something like this:

/.netlify/*			200!
/admin/*			200!
/*				200!	Role=admin
/*		/admin	401!	

Remember to activate Identity for this site, invite a user, assign them a role, and that should work beautifully. Unauthorized users

I haven’t tested this solution yet, but it should work fine, and I’ll be testing something similar in the next few days, so let me know if this doesn’t work, and I’ll get back to you after I figure it out.


thanks for your help, @mack-ludwin!

Thanks for the reply!

I tried to set up the redirects like in your example, but it seems that those empty redirects are not allowed. I tried to deploy them in _redirects and in netlify.toml files, but both will result in a failed build. also says “target URL is missing”.

I agree that empty redirects won’t work (except for the Role rule). Have you tried just leaving those empty redirect rules out? Those shouldn’t be necessary.
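A pre-deploy check for the rules discussed in this thread, as an added example that is not part of the original posts and is not Netlify's own parser: it flags rules with no target unless they carry a Role condition (the behaviour reported above), and flags a role-gated path that has no unconditional fallback after it. The function names and the fallback check are assumptions; the fallback check assumes rules are evaluated top-down with the first match winning, and that a request matching no rule is served normally.

```python
import re

STATUS = re.compile(r"^\d{3}!?$")   # e.g. 200, 200!, 401!

def parse_rule(line):
    """Split one _redirects line into from / to / status / conditions."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    rule = {"from": tokens[0], "to": None, "status": None, "conditions": {}}
    for tok in tokens[1:]:
        if STATUS.match(tok):
            rule["status"] = tok
        elif "=" in tok and not tok.startswith(("/", "http")):
            key, value = tok.split("=", 1)      # condition such as Role=admin
            rule["conditions"][key] = value
        else:
            rule["to"] = tok                    # anything else is the target
    return rule

def lint(text):
    """Return (line_number, message) findings for a _redirects file."""
    findings, gated = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        has_role = "Role" in rule["conditions"]
        if rule["to"] is None and not has_role:
            findings.append((n, "target URL is missing"))
        if has_role:
            gated.setdefault(rule["from"], n)
        elif rule["to"] is not None:
            gated.pop(rule["from"], None)       # unconditional fallback present
    for path, n in gated.items():
        findings.append((n, f"no fallback rule after role-gated {path}"))
    return findings

# Constructed inputs: the rules as posted above, then with the empty rules left out.
AS_POSTED = """\
/.netlify/*   200!
/admin/*      200!
/*            200!  Role=admin
/*   /admin   401!
"""
WITHOUT_EMPTY_RULES = """\
/*            200!  Role=admin
/*   /admin   401!
"""
NO_FALLBACK = "/*  200!  Role=admin\n"
```
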