Access Control Overview

Private is the default. A route is only public when you choose --open or access: public.

Use private for human access controlled by identity and share lists. Use password for webhook-style or simple shared-secret access. Use public for demos and callbacks that must be reachable by anyone with the URL. Use policy:<name> when a service needs a reusable account list or CIDR/token rule.

The edge evaluates a single compiled policy per route before proxying.