Skip to content

Access Control — Restrict to Your GitHub Account

By default anyone with the *.pages.dev URL can read these docs. This page locks the site behind a GitHub login wall so only your GitHub account gets in.

It uses Cloudflare Access (part of Cloudflare Zero Trust — free for personal use, up to 50 users). There is nothing to code — it's entirely dashboard configuration sitting in front of your Pages site. The AI chat keeps working, because once you're logged in your browser session is trusted for /api/chat too.

What you're building

Visitor → GitHub login wall (Cloudflare Access) → allowed? → docs + chat
                                                 → not you? → blocked

Steps

1. Turn on Zero Trust (one-time)

In dash.cloudflare.com → left sidebar Zero Trust. If it's your first time it asks you to pick a team name (e.g. kairo-yourname) — this becomes https://<team-name>.cloudflareaccess.com. Choose the Free plan when prompted (card may be required but it won't be charged on Free).

2. Create a GitHub OAuth App

This lets Cloudflare use "Sign in with GitHub."

  1. GitHub → your avatar → SettingsDeveloper settingsOAuth AppsNew OAuth App.
  2. Fill in:
    • Application name: Kairo Docs (anything)
    • Homepage URL: your https://<something>.pages.dev
    • Authorization callback URL:https://<team-name>.cloudflareaccess.com/cdn-cgi/access/callback (use the exact team name from step 1)
  3. Register application, then Generate a new client secret. Copy the Client ID and Client Secret — you'll paste them next.

3. Add GitHub as a login method in Cloudflare

Zero Trust → SettingsAuthentication → under Login methods, Add newGitHub. Paste the Client ID and Client Secret from step 2 → Save. Use Test to confirm the GitHub sign-in flow works.

4. Put the wall in front of the site

Zero Trust → AccessApplicationsAdd an applicationSelf-hosted.

  1. Application name: Kairo Docs
  2. Application domain: enter your Pages host — subdomain = your project (e.g. kairo-xyz), domain = pages.dev. (Leave the path blank to protect the whole site.)
  3. Identity providers: make sure GitHub is enabled for this app. Continue to policies.

5. Allow only you

Add a policy:

  • Policy name: Only me
  • Action: Allow
  • IncludeEmails → the email address on your GitHub account.

Save the policy, then Save the application.

Why email and not "GitHub username"? Cloudflare matches the identity GitHub returns, which is your account email. This is the reliable single-user filter for a personal GitHub account (org-based rules are for teams).

6. Test

Open your *.pages.dev URL in a private/incognito window. You should hit the GitHub login wall; sign in with your account → docs load and chat works. Try a different account (or ask a friend) → blocked.

Fallback: email one-time PIN (no GitHub OAuth App)

If you'd rather not create a GitHub OAuth App, skip steps 2–3. In step 4/5 use the built-in One-time PIN login method and Include → Emails → your email. Cloudflare emails you a code each login. It's not literally "GitHub," but it's the same wall with less setup.

Notes

  • No repo changes. Nothing here is committed to Kairo — it's all Cloudflare-side. If you ever migrate hosting, this config doesn't come with it.
  • Removing the lock: delete the Access application (Zero Trust → Access → Applications) and the site is public again.
  • Chat still needs its key. Access controls who reaches the site; the chat still needs GEMINI_API_KEY set in Pages (see Running & Deploying).