Access Modes

Uplink has four route access modes:

Mode	Where used	Behavior
`private`	`serve` default, `uplink.yaml` default	Owner plus shared emails, identity-gated at the edge
`password`	`serve --auth`, `access: password`	Requires a bearer token; browsers can use the token entry page
`public`	`serve --open`, `access: public`	Anyone with the URL can reach the app
`policy:<name>`	`uplink.yaml`	Uses a named access policy from `access_policies:`

Account-based private and account-list policies require a managed edge because the edge must validate visitor identity. Rule-based policies over CIDRs and tokens can run on self-hosted key-mode edges.