Ashish · field notes
All notes
← back to the system map
LiveInfrastructure2 min read

Dashboard hub + access gating

The same Cloudflare edge that gates the dashboards for people also authenticates the robots that read them back.

The dashboard suite started as an unguessable URL plus a noindex tag. That isn't access control. I wanted a real allowlist, and I still needed the scheduled jobs to read the live pages back to confirm a deploy actually landed.

How it works

The hub is a Cloudflare Worker serving the published dashboards, fronted by Cloudflare Access (Zero Trust). One policy, an email allowlist, one-time-PIN login, month-long sessions, and push-to-deploy from GitHub. For the headless read-back, a Cloudflare Access service token stored in the mini's Keychain lets the deploy-verify requests through the gate.

It's live, gating both the custom domain and the workers.dev host under one policy. The obvious next step is a Google Workspace IdP, so the whole company signs in with its existing identity.

One gate, two kinds of user. People log in, agents present a token. The operating layer secures itself the same way it secures me.

Got an idea? Tell me →More field notes