A website only named people can open

A site that's live on the web but checks who you are at the door — visitors sign in with Google, and only the emails on your list get through. Everyone else hits a login screen and gets bounced. This is the "named people" rung a plain public deploy can't hold, sat in front of a real, clickable site.

Reach for it when the thing has to be online — clickable in any browser, no files to run — but not open to anyone holding the link: a funder-only dashboard, an org-internal tool. Skip it when a public link is fine (plain deploy), or nobody needs to see a finished site and a private repo would do.

Last verified: 2026-06-07 · checked against developers.cloudflare.com and clerk.com · Confidence: high on the Google-login gate and deny-by-default; free-seat numbers aren't on Cloudflare's plans page, so re-check them live.

It allows you to

Name exactly who gets in. The one website option that holds the named-people rung — list the emails, everyone else is refused at a Google login. (Who, and how, in Who can get in.) [confirmed]
Gate a site you've already put online, no app code. The login wall sits in front of your deployed site — files unchanged — so it works over a Vercel, Netlify, or Cloudflare Pages site you already have. [confirmed]
Change who's in without a redeploy. Edit the list in the dashboard; it applies on their next sign-in (an existing session lasts until it expires). [estimate]
Keep it free for a small group — up to 50 people, no per-seat bill. Details: the fine print. [unclear]

Ideal for

A funder-only progress dashboard — a live metrics page you send to three programme officers: they click, sign in with their work Google, and see it; a forwarded link gets a stranger a login screen, not your numbers.
An org-internal tool that has to be online — a grants tracker or rota your team opens in a browser, gated to everyone ending in @your-org.org, so a new hire is in the moment they have an org email and an ex-employee is out the moment they don't.
An unannounced report under review — a draft a named review group reads before launch, where a public link would be a leak waiting to happen. Cloudflare sells this gate to nonprofits. (Cloudflare for nonprofits)

Who can get in

Named people you list. Add the exact emails; each signs in as themselves with Google. A link that travels doesn't help a stranger — they hit the wall. [confirmed]
Or a whole org by domain. Swap the list for emails ending in @your-org.org to bind access to the account, not a hand-kept list. [confirmed]
Cut someone off. Remove their email (or they lose the org domain) and the next load is blocked. (A copy they already saved stays theirs — true everywhere.) [estimate]
Deny-by-default. Nobody gets through unless an Allow rule names them — the failure mode is "locked out", not "wide open". [confirmed]

Which rungs it can hold. Of the five rungs, this holds the two a plain deploy can't: named people and org-only. (Drop the gate and you're back to anyone-with-the-link / public.) → Who can see it? [confirmed]

Handing data to the host. The login wall runs on Cloudflare, which states it does not train AI on customer content — no opt-out to remember. → Can you trust the company?, specifically Cloudflare. [confirmed]

What you do to set it up

Tell Claude Code, in the project for the site you've already deployed:

Put a Google login wall in front of my site with Cloudflare Access (free
tier), and only let these emails in: alice@org.org, bob@org.org. Walk me
through connecting the domain to Cloudflare, adding Google as a login
method, and the Allow policy. Stop and hand me each step I have to click
in a browser or in Google Cloud Console.

Three steps are yours and can't be delegated: make a Cloudflare account, register a Google sign-in app, paste the keys. The full walkthrough and both routes are in Add a login wall to your site.

One catch worth knowing first. The gate only guards a domain that runs through Cloudflare — a raw *.vercel.app URL needs a custom domain pointed there first (a ~10-min step). See the fine print. [confirmed]
One-time prerequisites: set up Claude Code (~10 min once), a site that's already live (Deploy a website, a live link in ~30 sec on the no-account route), and the un-delegable trio above — accounts you most likely already have, plus the ~10-min Google sign-in app (the real cost, see Good to know). Budget ~25 min start to finish the first time. [estimate]
Rather click? The whole thing is a clickable dashboard end to end — Cloudflare's own walkthrough, ~25 min. [estimate]

Want real accounts inside the app instead? → Clerk

Cloudflare Access is a wall around the site. If the login is part of the product — a profile menu, a members area, per-user data — use Clerk instead: drop-in sign-in components your agent wires in, with keys you paste as environment variables. Free to 50,000 monthly users. Same un-delegable trio, same tutorial route. → Add a login wall to your site, Clerk. [confirmed]

What the other person does

Open the link: click it, land on a login screen, Sign in with Google. On your list → they're in, ~1 min the first time, ~5 sec after. Not on your list → refused. [estimate]
No new account to make — they use the Google account they already have; nothing to install, no app to run. [confirmed]
Pay: nothing — viewing a gated site is free for them, always.

Fine for anyone with the link to get in? → a plain deploy is the same site without the login step — no gate to set up.
The login is part of the product — profiles, per-user data, a members area? → put real accounts inside a Fly.io app (or use Clerk, above) instead of a wall around it.
People will build on it, not just look? → a GitHub repo holds named-people and org-only too, and lets them copy and improve the actual files — but hands over files most non-coders can't run.

Sources

Cloudflare Access — policies (Allow action, deny-by-default, Emails / Emails ending in rules) — checked 2026-06-07
Add a self-hosted application to Access — "deny by default", active-zone requirement — checked 2026-06-07
Clerk — Next.js quickstart (env-var keys, drop-in components) — checked 2026-06-07
Pricing, the domain catch, the Google-app setup, and more sources: the fine print
Full setup steps, both routes: Add a login wall to your site

Good to know

Free covers up to 50 people; past 50 the whole team moves to pay-as-you-go (~$7/user/month, billed for all). Pricing changes — re-check cloudflare.com/plans and clerk.com/pricing. [unclear]
Registering the Google sign-in app is the real cost — a one-time ~10-min trip through Google Cloud Console, and the redirect URI must match Cloudflare exactly or the login fails. [confirmed]
More on all three — pricing, the domain catch, the Google-app setup — in the fine print.