Access Control
Configure authentication modes to control how users access your AI app -- from fully open to restricted by email.
Access Control lets you decide who can use your AI app and how they authenticate. Choose from four modes ranging from fully open to restricted by email whitelist.
The Four Auth Modes
| Mode | Consumer Experience | Best For |
|---|---|---|
| Open | No authentication needed. Users chat anonymously. | Public-facing apps, demos, wide accessibility |
| Encouraged | Signup form shown but dismissible. Users can chat as guests. | Capturing user data while preserving open access |
| Required | Users must sign in before chatting. | Apps with sensitive content or user-specific features |
| Restricted | Users must sign in with a pre-approved email. | Enterprise/internal apps, team-only access |
Configuring Access Control
1
Go to your app’s Build page → Access tab.
2
Choose from the four radio buttons: Open, Encouraged, Required, or Restricted.
3
If you selected Restricted, specify:
- Allowed Domain — An email domain filter (e.g.,
yourcompany.com). Only emails matching this domain can access the app. - Allowed Emails — A comma-separated list of specific email addresses that are allowed.
How Each Mode Works
Open Access
User visits your app
→ No auth card shown
→ Greeting fires immediately
→ User chats anonymouslyUsers get instant access with zero friction. Optionally, you can use the collectEmail tool in your system prompt to capture emails during the conversation without requiring formal signup.
Encouraged Sign-up
User visits your app
→ Signup form shown (dismissible)
→ User can sign up OR dismiss and chat as guest
→ Either way, conversation starts immediatelyThe signup form appears as the first message in chat. Users who dismiss it see a small banner (“Sign in to save your progress”) but can still chat freely. Good for capturing contact info without blocking access.
Required Sign-up
User visits your app
→ Signup form shown (not dismissible)
→ Chat input disabled until authenticated
→ User signs up or logs in
→ Greeting fires and chat becomes activeUsers must create an account or log in before they can send any messages. The chat input is disabled until authentication completes.
Restricted Access
User visits your app
→ Signup form shown (not dismissible)
→ Chat input disabled
→ User signs up with email
→ Email checked against whitelist/domain
→ If approved: access granted
→ If not: "Email not allowed" errorSame as Required, plus email validation. Only pre-approved emails or emails matching your allowed domain can access the app.
HIPAA Compliance
When HIPAA mode is enabled in the Access tab, the auth mode is automatically restricted:
- Open and Encouraged modes are disabled
- Only Required or Restricted modes are available
- This ensures all interactions are authenticated for compliance
In-Chat Authentication
Authentication happens directly in the chat interface — there’s no separate login page. Users see a multi-view auth card that supports:
- Signup with email and password
- Login for returning users
- OTP verification via email code
- Forgot password and reset flow
The auth card appears as a synthetic assistant message, keeping users in the conversation flow.
Redirect After Signup
For all auth modes, you can optionally set a redirect URL. After successful signup, the user is redirected to that URL before returning to chat. Useful for:
- Onboarding flows
- Terms of service acceptance
- Payment pages
- Custom welcome experiences
Use Cases
| Mode | Scenario |
|---|---|
| Open | Public FAQ bot, product demos, marketing chatbot |
| Encouraged | Lead generation bot, free tool with optional account |
| Required | Customer support portal, user-specific features, memory-enabled apps |
| Restricted | Internal company tool, client portal, team workspace |