Public vs Private Apps

Every app you build has a visibility setting that controls who can access it.

| Visibility | Who Can Access | Best For |
| --- | --- | --- |
| Public | Anyone with the link | Marketing sites, portfolios, public tools |
| Private | Only workspace members + OptiSigns displays | Internal dashboards, sensitive data, company tools |

Changing Visibility

  1. Open Project Settings
     In the Power Editor, click the gear icon next to your project name, or go to the Settings tab.
  2. Find Content Visibility
     Scroll to Project Information and look for Content Visibility.
  3. Select Your Setting
     Choose Public or Private. Your choice takes effect after your next publish.

Changing from public to private doesn’t revoke access immediately. Publish again to apply the new setting.

Securely Display on OptiSigns Screens

If you’re using OptiSigns digital signage, your private apps can display on screens without exposing them to the public internet.

How It Works

  1. Private apps stay private — they’re only accessible through authenticated OptiSigns hardware
  2. No public URLs — viewers can’t bookmark or share a direct link to your content
  3. Workspace-level control — manage which screens can display your apps

Setting Up OptiSigns Display

  1. Generate Your API Key
     Go to Workspace Settings → API Keys and click Generate Key. You’ll see a Key ID and Secret. Save the secret now — you won’t see it again.
  2. Connect in OptiSigns
     In your OptiSigns account, add the API key to link your workspace.
  3. Add Your App to a Screen
     Browse your OptiDev apps from within OptiSigns and add them to your playlist.

Your API key works for all apps in your workspace. You only need to set this up once.

Adding Auth to Your App

Want users to log in before accessing your app? OptiDev Cloud includes built-in authentication — no coding required.

What You Get

  • Email/password login — users create accounts with their email
  • Social login — let users sign in with Google (more providers coming soon)
  • User management — see who signed up, disable accounts, reset passwords

Enabling Authentication

  1. Activate OptiDev Cloud
     In your project, go to Settings → OptiDev Cloud and click Activate. This takes about 2-3 minutes the first time (instant after that).
  2. Configure Auth Providers
     Once active, click the Auth tab. Toggle on the login methods you want:
       • Email — users sign up with email and password
       • Phone — users sign up with phone number (SMS verification)
       • Google — one-click Google sign-in
  3. Control Signups
     Toggle Disable Signup if you want to manually add users instead of allowing self-registration.

After enabling auth, your app needs login UI. Ask the Agent: “Add a login page using OptiDev Cloud Auth” — it handles the rest.

Managing Users

Once auth is enabled, the Users tab shows everyone who signed up. From here you can:
  • See when users last signed in
  • Disable or delete accounts
  • View user metadata

Run Security Review on Your App

Before publishing, it’s good practice to review your app for common security issues.

Pre-Publish Checklist

Is your app Public when it should be Private? Double-check in Project Settings before publishing.

Go to Settings → Secrets and verify:
  • API keys are marked as Sensitive (hidden from logs)
  • No test credentials left in production
  • Database passwords aren’t visible to collaborators who shouldn’t see them

If your app has login:
  • Try accessing protected pages without signing in
  • Verify logout actually logs users out
  • Test password reset if enabled

Review Settings → Connections for any services your app uses. Make sure:
  • Test/sandbox connections aren’t used in production
  • Unused connections are removed

Ask the Agent for Help

Not sure if something is secure? Ask Claude directly:
“Review my app for security issues before I publish”
The Agent will scan your code for common problems like exposed credentials, missing auth checks, or insecure API calls.

For Developers

Visibility Implementation

  • Visibility stored in projects.visibility column (PUBLIC | PRIVATE)
  • Private projects require workspace membership or valid OptiSigns hardware token
  • Setting change requires republish — cached CDN content isn’t invalidated automatically

OptiSigns Integration

  • API keys are workspace-scoped, stored with AES-256-GCM encryption
  • Key pair: keyId (public identifier) + secret (one-time display)
  • Hardware authentication uses HMAC signature validation
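
How HMAC signature validation with a keyId and secret pair can work, shown as an added example that is not OptiDev or OptiSigns code. This page does not document the wire format, so the signed fields, the 300-second replay window, and the sample key below are assumptions.

```javascript
// Added example: hypothetical signing scheme, not the documented OptiSigns format.
const nodeCrypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // assumed replay window

// Constructed key store for the demo (keyId -> secret).
const KEYS = new Map([['key_demo_01', 'constructed-secret-for-demo-only']]);

// Canonical string both sides sign. Fields are newline-separated so that
// ("ab", "c") and ("a", "bc") can never produce the same input.
function canonical({ keyId, timestamp, method, path }) {
  return [keyId, timestamp, method.toUpperCase(), path].join('\n');
}

// Device side: HMAC-SHA256 over the canonical string, hex-encoded.
function sign(secret, req) {
  return nodeCrypto.createHmac('sha256', secret).update(canonical(req)).digest('hex');
}

// Server side: look up the secret by keyId, check freshness, then compare
// signatures in constant time. Returns { ok, reason }.
function verify(req, signatureHex, nowSeconds) {
  const secret = KEYS.get(req.keyId);
  if (!secret) return { ok: false, reason: 'unknown keyId' };

  // The timestamp is covered by the signature, so it cannot be altered
  // without invalidating it; rejecting old ones limits replay.
  if (!Number.isInteger(req.timestamp) ||
      Math.abs(nowSeconds - req.timestamp) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: 'stale timestamp' };
  }

  const expected = Buffer.from(sign(secret, req), 'hex');
  const given = Buffer.from(String(signatureHex), 'hex');
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, reason: 'valid' };
}
```

The secret never travels with the request: only the keyId and the signature do, which is why the secret can be shown once and then stored encrypted.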

OptiDev Cloud Auth

  • Built on Supabase Auth with session pooler (port 5432)
  • Environment variables injected: VITE_SUPABASE_URL, VITE_SUPABASE_PUBLISHABLE_KEY
  • Supports JWT verification, row-level security policies
  • Auth state managed client-side via @supabase/supabase-js

Secrets Security

  • All secrets encrypted at rest with AES-256-GCM
  • Three visibility levels: Visible, Masked (first/last 4 chars), Sensitive (hidden)
  • 64KB total budget per project for environment variables
