Password Protection
Keep a project private—a staging site, client work in progress, an internal tool—by adding an AUTH file (no extension) to the root of the directory you publish. Visitors get a browser login prompt; your files are only served after they authenticate.
kenneth:12345
That's a username and password separated by a colon. Add one account per line for multiple people:
brock:password1
kenneth:password2
kim:password3
Publish as usual and protection is live:
surge
Password protection uses HTTP basic auth and is a paid-plan feature—the CLI prompts you to upgrade on first publish with an AUTH file present. See Plans.
Notes
- The
AUTHfile itself is never served—it's consumed by the platform, not published. - Protection covers the entire project: every path, every asset.
- Serve protected projects over HTTPS (automatic on
surge.shsubdomains, onesurge encryptaway on custom domains) so credentials aren't sent in the clear. - Because
AUTHdeploys with your files, protection is versioned: a preview deploy can carry credentials while production stays open, and removing the file on the next publish removes the prompt.