You cannot leave /login or /admin open to the whole internet, but your handful of users roam between networks and you do not want to run a VPN, roll out SSO, or hand each of them a new account just to reach one page.
Some paths should never face the open internet: the admin login, an internal dashboard, a customer portal's back door. But the people who use them are mobile, so a static IP allowlist cannot follow them and breaks constantly, while the heavier answers (a VPN, SSO, a new account per user) each carry their own tax. Meanwhile a login page open to the world invites credential stuffing against the very thing you are trying to protect.
An exposed authentication endpoint is a magnet. It is where password spraying, credential stuffing, and zero-day attempts against your auth stack all aim. Every defense behind it (rate limits, MFA, lockouts) is load-bearing precisely because the door is reachable. If you can make the page itself invisible to anyone who has not been explicitly invited, you remove the target before the auth logic is ever exercised by a stranger.
Drop a small middleware in front of the page. The first time you invite someone, they click their personal IPAuth bookmark; the middleware marks that browser as authorized with a short-lived, signed cookie. From then on, requests with a valid cookie pass and everyone else gets nothing. Because the proof lives in the browser, not the IP, it keeps working when the user moves between networks, which is exactly where plain IP allowlists fall down.
You choose the scope: protect a single path like /login, or the whole app. The check is a signed-token verification against IPAuth's published keys, so the gate holds only the public key, never a shared secret. Reference middleware ships for PHP and FastAPI, the same check drops into nginx or any framework, and if your site is fronted by NOC it can be enforced at the edge with no app code at all. Every authorized browser is visible in your dashboard, and you can revoke any one of them in a click without disturbing the others.
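The gate described in the two paragraphs above, as an added example written in Go for this page; it is not IPAuth's shipped PHP or FastAPI middleware. It shows a verify-only Gate that holds just an Ed25519 public key, a short-lived signed cookie, scoping by path prefix, and per-browser revocation. The cookie layout (base64url payload, a dot, base64url signature), the choice of Ed25519, and every name in it (Gate, IssueCookie, Verify, Allow, Protect, the browser IDs, the cookie name) are assumptions of this example, and both key pairs are generated inline so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// claims is this example's constructed cookie payload (not IPAuth's format).
type claims struct {
	BrowserID string `json:"bid"` // which invited browser the cookie belongs to
	Exp       int64  `json:"exp"` // unix seconds after which it is worthless
}

// Gate is the verify-only side: it holds the issuer's public key (never a shared
// secret), the gated path prefixes and the browser IDs revoked from the dashboard.
type Gate struct {
	PubKey     ed25519.PublicKey
	CookieName string
	Prefixes   []string
	Revoked    map[string]bool
}

// IssueCookie is what the invite callback (the private-key holder) does:
// sign the claims and pack them as base64url(payload).base64url(signature).
func IssueCookie(priv ed25519.PrivateKey, browserID string, ttl time.Duration) string {
	payload, _ := json.Marshal(claims{BrowserID: browserID, Exp: time.Now().Add(ttl).Unix()})
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(priv, payload))
}

// Verify checks the signature before trusting any field, then expiry, then revocation.
func (g *Gate) Verify(cookie string) (*claims, error) {
	p, s, ok := strings.Cut(cookie, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(g.PubKey, payload, sig) {
		return nil, fmt.Errorf("bad signature")
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("expired")
	}
	if g.Revoked[c.BrowserID] {
		return nil, fmt.Errorf("revoked")
	}
	return &c, nil
}

// Allow is the gate's decision: ungated paths always pass, gated paths need a cookie Verify accepts.
func (g *Gate) Allow(path, cookie string) bool {
	for _, p := range g.Prefixes {
		if strings.HasPrefix(path, p) {
			_, err := g.Verify(cookie)
			return err == nil
		}
	}
	return true
}

// Protect wraps an http.Handler; uninvited requests to a gated path get a plain 404.
func (g *Gate) Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cookie := ""
		if c, err := r.Cookie(g.CookieName); err == nil {
			cookie = c.Value
		}
		if !g.Allow(r.URL.Path, cookie) {
			http.NotFound(w, r) // the page simply does not exist for this visitor
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Scenario reports, for each constructed case, whether the gate lets it through.
func Scenario() map[string]bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the gate never trusted
	g := &Gate{PubKey: pub, CookieName: "gate", Prefixes: []string{"/login", "/admin"},
		Revoked: map[string]bool{"bob-laptop": true}} // bob's browser was revoked in the dashboard
	return map[string]bool{
		"invited":   g.Allow("/login", IssueCookie(priv, "alice-phone", time.Hour)),
		"no_cookie": g.Allow("/login", ""),
		"expired":   g.Allow("/admin", IssueCookie(priv, "alice-phone", -time.Hour)),
		"revoked":   g.Allow("/admin", IssueCookie(priv, "bob-laptop", time.Hour)),
		"forged":    g.Allow("/login", IssueCookie(attackerPriv, "mallory", time.Hour)),
		"public":    g.Allow("/", ""),
	}
}

func main() { fmt.Println(Scenario()) } // only invited and public are true
```

Verify checks the signature before it parses a single field, so an attacker-supplied payload is never interpreted, and Allow returns false for a missing cookie, an expired one, a revoked browser, or a cookie signed with a key the gate does not trust; the middleware answers every one of those with the same plain 404. Wire Protect in front of your router to gate only the listed prefixes, or set Prefixes to "/" to gate the whole app.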
One setup note if a CDN sits in front of your app (Cloudflare, NOC, Fastly): exclude the gated paths and the gate's /_auth/callback from caching, or turn off page caching for the site. A cached gate redirect turns into a redirect loop, and a cached callback turns into intermittent access errors. The deploy guide spells out the exact settings.
This shines for a small group that needs a sensitive page kept off the public internet without the weight of SSO or a VPN: admin panels, internal tools, early-access pages, a login you want invisible to scanners. It is access control, not identity: it proves "this browser was invited," not "this is Alice." When you need verified human identity, audit-grade per-user sessions, or device posture, layer it in front of, or alongside, your real auth. As a first gate that makes the page disappear for everyone uninvited, it is hard to beat on effort.
Register the app, link a group, and the dashboard hands you the gate file and the exact config to turn it on.