# Access Control

Configure authentication modes to control how users access your AI app -- from fully open to restricted by email.

---

Access Control lets you decide who can use your AI app and how they authenticate. Choose from four modes ranging from fully open to restricted by email whitelist.

## The Four Auth Modes

| Mode | Consumer Experience | Best For |
|------|---------------------|----------|
| **Open** | No authentication needed. Users chat anonymously. | Public-facing apps, demos, wide accessibility |
| **Encouraged** | Signup form shown but dismissible. Users can chat as guests. | Capturing user data while preserving open access |
| **Required** | Users must sign in before chatting. | Apps with sensitive content or user-specific features |
| **Restricted** | Users must sign in with a pre-approved email. | Enterprise/internal apps, team-only access |

## Configuring Access Control


  **1.** 
    <strong>Open Access Settings</strong>

    Go to your app's **Build** page → **Access** tab.
  


  **2.** 
    <strong>Select an Auth Mode</strong>

    Choose from the four radio buttons: Open, Encouraged, Required, or Restricted.
  


  **3.** 
    <strong>Configure Restrictions (Restricted Mode Only)</strong>

    If you selected Restricted, specify:
    - **Allowed Domain** -- An email domain filter (e.g., `yourcompany.com`). Only emails matching this domain can access the app.
    - **Allowed Emails** -- A comma-separated list of specific email addresses that are allowed.
  


## How Each Mode Works

### Open Access

```
User visits your app
  → No auth card shown
  → Greeting fires immediately
  → User chats anonymously
```

Users get instant access with zero friction. Optionally, you can use the `collectEmail` tool in your system prompt to capture emails during the conversation without requiring formal signup.

### Encouraged Sign-up

```
User visits your app
  → Signup form shown (dismissible)
  → User can sign up OR dismiss and chat as guest
  → Either way, conversation starts immediately
```

The signup form appears as the first message in chat. Users who dismiss it see a small banner ("Sign in to save your progress") but can still chat freely. Good for capturing contact info without blocking access.

### Required Sign-up

```
User visits your app
  → Signup form shown (not dismissible)
  → Chat input disabled until authenticated
  → User signs up or logs in
  → Greeting fires and chat becomes active
```

Users must create an account or log in before they can send any messages. The chat input is disabled until authentication completes.

### Restricted Access

```
User visits your app
  → Signup form shown (not dismissible)
  → Chat input disabled
  → User signs up with email
  → Email checked against whitelist/domain
  → If approved: access granted
  → If not: "Email not allowed" error
```

Same as Required, plus email validation. Only pre-approved emails or emails matching your allowed domain can access the app.

## HIPAA Compliance

When **HIPAA mode** is enabled in the Access tab, the auth mode is automatically restricted:

- **Open** and **Encouraged** modes are disabled
- Only **Required** or **Restricted** modes are available
- This ensures all interactions are authenticated for compliance

## In-Chat Authentication

Authentication happens directly in the chat interface -- there's no separate login page. Users see a multi-view auth card that supports:

- **Signup** with email and password
- **Login** for returning users
- **OTP verification** via email code
- **Forgot password** and reset flow

The auth card appears as a synthetic assistant message, keeping users in the conversation flow.

## Redirect After Signup

For all auth modes, you can optionally set a **redirect URL**. After successful signup, the user is redirected to that URL before returning to chat. Useful for:

- Onboarding flows
- Terms of service acceptance
- Payment pages
- Custom welcome experiences

## Use Cases

| Mode | Scenario |
|------|----------|
| **Open** | Public FAQ bot, product demos, marketing chatbot |
| **Encouraged** | Lead generation bot, free tool with optional account |
| **Required** | Customer support portal, user-specific features, memory-enabled apps |
| **Restricted** | Internal company tool, client portal, team workspace |