Gate staging without a VPN.

Staging and preview URLs are meant for a handful of people, but they sit on the public internet where anyone, and every crawler, can find them. You want them private without standing up a VPN for a half-built feature.

The problem

staging.mycompany.com exists so QA, a client, or marketing can see work in progress. The trouble is exposure: an unlisted URL is not a private URL. Search crawlers index it, scanners find it, a screenshot leaks it, and now an unfinished feature, real customer data, or a pre-announcement is sitting where anyone can load it. The people who legitimately need it are few and known. The internet that can reach it is everyone.

Why it matters

Staging is where guardrails are thinnest: debug endpoints on, verbose errors, seed data that is often a copy of production, and auth that may be stubbed. It is precisely the environment you least want strangers poking at, and the one most likely to get left wide open because locking it down "properly" feels like more work than the preview is worth. A private-by-default staging environment also keeps unreleased work out of the public record before you are ready.

How teams handle it today

• HTTP basic auth: quick, but the page is still publicly reachable to be challenged, the shared password gets passed around and pasted into chats, and the browser prompt breaks embeds, link previews, and some tooling.
• A hand-kept IP allowlist: the right instinct, but it goes stale the instant anyone works from a new network, and then someone is locked out or you widen it "just for now."
• A VPN: the correct heavy answer. A server, client software on every reviewer's machine, and onboarding for a customer who just wants to click a link. Rarely worth it for a preview.
• Cloudflare Access / a Zero Trust vendor: powerful and clean if you already live there, but it routes your staging through a vendor's identity layer and pulls you into a stack you may not otherwise want.

How IPAuth does it

Give each reviewer their own named pair and auth URL. The staging server runs one script that reads every member's current IP and rebuilds a firewall set (an ipset, an nftables set, or a pf table) that gates ports 80 and 443, default-deny for everyone else. When someone changes networks, they click their own bookmark and they are back in within the poll window. No shared password, no browser prompt, no VPN client, and nothing for you to hand-edit.

Because each person is a separate pair, access is self-service to grant and per-person to revoke. Remove someone from the set and the next sync drops their IP. The URL stays unindexable to anyone whose live IP is not on the list, so crawlers and scanners simply get nothing.

Where it fits, and where it does not

This suits a known, small-to-medium group reviewing non-public environments: QA, a client demo, an internal tool, a marketing review link. If you need anonymous public access with per-user accounts, that is a login system, not an allowlist. But for "let these specific people see this, and no one else," a roving allowlist is lighter than a VPN and tighter than basic auth.