Password Protection

Keep a project private—a staging site, client work in progress, an internal tool—by adding an AUTH file (no extension) to the root of the directory you publish. Visitors get a browser login prompt; your files are only served after they authenticate.

kenneth:12345

That's a username and password separated by a colon. Add one account per line for multiple people:

brock:password1
kenneth:password2
kim:password3

Publish as usual and protection is live:

surge

Password protection uses HTTP basic auth and is a paid-plan feature—the CLI prompts you to upgrade on first publish with an AUTH file present. See Plans.

Notes

  • The AUTH file itself is never served—it's consumed by the platform, not published.
  • Protection covers the entire project: every path, every asset.
  • Serve protected projects over HTTPS (automatic on surge.sh subdomains, one surge encrypt away on custom domains) so credentials aren't sent in the clear.
  • Because AUTH deploys with your files, protection is versioned: a preview deploy can carry credentials while production stays open, and removing the file on the next publish removes the prompt.