Dashboard hub + access gating
The same Cloudflare edge that gates the dashboards for people also authenticates the robots that read them back.
The dashboard suite started as an unguessable URL plus a noindex tag. That isn't access control. I wanted a real allowlist, and I still needed the scheduled jobs to read the live pages back to confirm a deploy actually landed.
How it works
The hub is a Cloudflare Worker serving the published dashboards, fronted by Cloudflare Access (Zero Trust). One policy, an email allowlist, one-time-PIN login, month-long sessions, and push-to-deploy from GitHub. For the headless read-back, a Cloudflare Access service token stored in the mini's Keychain lets the deploy-verify requests through the gate.
- Key lesson: the login method (the identity provider) is separate from the allowlist, and a missing IdP blocks people before the email list is ever checked.
- Service-token auth for the automated read-back, so a robot can confirm the live build stamp.
- If the token is ever absent, verify is skipped rather than firing a false alarm.
It's live, gating both the custom domain and the workers.dev host under one policy. The obvious next step is a Google Workspace IdP, so the whole company signs in with its existing identity.
One gate, two kinds of user. People log in, agents present a token. The operating layer secures itself the same way it secures me.