Appearance
Access Control — Restrict to Your GitHub Account
By default anyone with the *.pages.dev URL can read these docs. This page locks the site behind a GitHub login wall so only your GitHub account gets in.
It uses Cloudflare Access (part of Cloudflare Zero Trust — free for personal use, up to 50 users). There is nothing to code — it's entirely dashboard configuration sitting in front of your Pages site. The AI chat keeps working, because once you're logged in your browser session is trusted for /api/chat too.
What you're building
Visitor → GitHub login wall (Cloudflare Access) → allowed? → docs + chat
→ not you? → blockedSteps
1. Turn on Zero Trust (one-time)
In dash.cloudflare.com → left sidebar Zero Trust. If it's your first time it asks you to pick a team name (e.g. kairo-yourname) — this becomes https://<team-name>.cloudflareaccess.com. Choose the Free plan when prompted (card may be required but it won't be charged on Free).
2. Create a GitHub OAuth App
This lets Cloudflare use "Sign in with GitHub."
- GitHub → your avatar → Settings → Developer settings → OAuth Apps → New OAuth App.
- Fill in:
- Application name:
Kairo Docs(anything) - Homepage URL: your
https://<something>.pages.dev - Authorization callback URL:
https://<team-name>.cloudflareaccess.com/cdn-cgi/access/callback(use the exact team name from step 1)
- Application name:
- Register application, then Generate a new client secret. Copy the Client ID and Client Secret — you'll paste them next.
3. Add GitHub as a login method in Cloudflare
Zero Trust → Settings → Authentication → under Login methods, Add new → GitHub. Paste the Client ID and Client Secret from step 2 → Save. Use Test to confirm the GitHub sign-in flow works.
4. Put the wall in front of the site
Zero Trust → Access → Applications → Add an application → Self-hosted.
- Application name:
Kairo Docs - Application domain: enter your Pages host — subdomain = your project (e.g.
kairo-xyz), domain =pages.dev. (Leave the path blank to protect the whole site.) - Identity providers: make sure GitHub is enabled for this app. Continue to policies.
5. Allow only you
Add a policy:
- Policy name:
Only me - Action: Allow
- Include → Emails → the email address on your GitHub account.
Save the policy, then Save the application.
Why email and not "GitHub username"? Cloudflare matches the identity GitHub returns, which is your account email. This is the reliable single-user filter for a personal GitHub account (org-based rules are for teams).
6. Test
Open your *.pages.dev URL in a private/incognito window. You should hit the GitHub login wall; sign in with your account → docs load and chat works. Try a different account (or ask a friend) → blocked.
Fallback: email one-time PIN (no GitHub OAuth App)
If you'd rather not create a GitHub OAuth App, skip steps 2–3. In step 4/5 use the built-in One-time PIN login method and Include → Emails → your email. Cloudflare emails you a code each login. It's not literally "GitHub," but it's the same wall with less setup.
Notes
- No repo changes. Nothing here is committed to Kairo — it's all Cloudflare-side. If you ever migrate hosting, this config doesn't come with it.
- Removing the lock: delete the Access application (Zero Trust → Access → Applications) and the site is public again.
- Chat still needs its key. Access controls who reaches the site; the chat still needs
GEMINI_API_KEYset in Pages (see Running & Deploying).