
Password protection

Password protection restricts access to a site so visitors must enter a password before viewing its content. It works for both anonymous and claimed sites.

How it works

  • When enabled, visitors to the live slug URL see an ATTIM-branded password entry page.
  • Successful unlocks set an HttpOnly cookie scoped to the slug domain.
  • The cookie lasts for the configured accessDurationSeconds, after which the visitor must re-enter the password.
  • Passwords are stored as salted hashes on the server and are never returned by any API.
  • If both password protection and an x402 paywall are enabled, visitors enter the password first, then see the payment flow.

Enabling password protection

During publish (CLI)

npx attim publish ./dist --password my-secret-password --password-access-ttl 86400

On an existing claimed site (CLI)

npx attim password enable my-site my-secret-password --access-ttl 86400

On an existing anonymous site (CLI)

npx attim password enable my-site my-secret-password --claim-token CLAIM_TOKEN --access-ttl 86400

API

curl -X PATCH https://attim.link/api/publish/my-site/password-protection \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enabled":true,"password":"my-secret-password","accessDurationSeconds":86400}'

For anonymous sites, pass the claim token as X-ATTIM-Claim-Token or include claimToken in the JSON body.
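The inline commands above leave the password in shell history and in the process list while they run. The following is an added example, not part of the ATTIM documentation or tooling, that generates a random password and sends it to the same endpoint with the request body on stdin and the bearer header on a separate file descriptor. The function names and the ATTIM_TOKEN environment variable are assumptions, and it requires curl 7.55 or later (for -H @file) and a system that provides /dev/fd.

```bash
#!/usr/bin/env bash
# Added example: helper names and the ATTIM_TOKEN variable are assumptions.

# 24 random bytes from the kernel CSPRNG, hex-encoded (48 chars, 192 bits).
gen_password() {
  od -An -N24 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# Emit the JSON body for the password-protection endpoint.
# Rejects anything that would need JSON escaping rather than escaping it.
build_payload() {
  case $1 in ''|*[!A-Za-z0-9_-]*) echo "unsafe password" >&2; return 1 ;; esac
  case $2 in ''|*[!0-9]*) echo "TTL must be whole seconds" >&2; return 1 ;; esac
  printf '{"enabled":true,"password":"%s","accessDurationSeconds":%s}' "$1" "$2"
}

# Usage (with ATTIM_TOKEN exported): attim_enable_password my-site 86400
attim_enable_password() {
  slug=$1
  ttl=${2:-86400}   # 86400 mirrors the page's examples, not a server default
  : "${ATTIM_TOKEN:?export ATTIM_TOKEN first}"
  pw=$(gen_password) || return 1
  # Body goes to curl on stdin, the bearer header on fd 3; neither is in argv.
  build_payload "$pw" "$ttl" |
    curl --fail --silent --show-error -o /dev/null -X PATCH \
      "https://attim.link/api/publish/$slug/password-protection" \
      -H @/dev/fd/3 -H "Content-Type: application/json" \
      --data-binary @- 3<<EOF || return 1
Authorization: Bearer $ATTIM_TOKEN
EOF
  # Printed once on success so it can be piped into a password manager.
  printf '%s\n' "$pw"
}
```
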

MCP

Use the set_password_protection tool with enabled: true, password, and optional accessDurationSeconds.

Disabling password protection

CLI

npx attim password disable my-site

API

curl -X PATCH https://attim.link/api/publish/my-site/password-protection \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enabled":false}'

MCP

Use the set_password_protection tool with enabled: false.

Updating the password

Run the enable command again with a new password. The old password stops working immediately.

Access duration

  • accessDurationSeconds controls how long an unlocked session lasts.
  • If omitted, the server uses its default duration.
  • After the cookie expires, the visitor must re-enter the password.

Limitations

  • Password protection is per-site, not per-file.
  • API and agent requests to a password-protected site receive 401 ATTIM_PASSWORD_REQUIRED instead of the password page.
  • Public variables are still substituted into served files; do not use them to store the password.