Best Way to Restrict Deployed App Access to Specific External Replit Users (for Feedback Testing)?

Hey peeps!

I’m looking for advice on the best way to manage access for external testers for an app I’m developing and deploying on Replit.

My Goal: I want to deploy my app and allow a select group of external individuals (not on my Replit team) to access the live, deployed application for feedback. Critically:

  • They should only have view/interaction access to the deployed app itself.
  • They should NOT have any access to the codebase, the Repl environment, or anything within my Replit Teams account.
  • I want to avoid setting up a full, custom authentication system (like email/password with database, etc.) within the app at this early stage to maintain development speed.

Current Situation & What I’m Exploring: Currently, I’m just gating my app behind a simple, shared password that I’ve coded directly into the app. This works, but I’d ideally like to leverage Replit’s built-in user authentication if possible.

My Question for the Community:

  1. Is there a Replit platform feature that allows me to specify a list of “allowed external Replit users” (e.g., by their Replit username or email) who can access a specific deployed application after logging in with their own Replit accounts? Essentially, a Replit-managed allow-list for app viewers, separate from Repl collaborators.

  2. If a direct feature like that doesn’t exist, what’s the recommended “Replit-native” way to achieve this? I understand I can use replit.web.auth (or the user details passed in headers like X-Replit-User-Name) to identify a logged-in Replit user within my app’s code.

  • If this is the best path, is the typical approach to simply hardcode a list of allowed Replit usernames in my app’s backend code and check against that?
  • Are there any examples or best practices for this specific scenario (external testers, leveraging Replit login, minimal custom auth code)?

My main objective is to quickly get feedback from trusted external testers by restricting access to only them, without the overhead of full auth development right now and ensuring they can’t see any of the underlying code or my Replit account details.

Thanks in advance for any insights or suggestions!

Ah, I think this is solved with viewers? It’s a little unclear if I add them, what apps they’ll be able to see… I want the default to be they don’t see any, and I can add them to an app. Anyone have an idea of how this works?
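
The username check asked about in question 2, as an added example that is not part of the original post or Replit's own code. It assumes the app is reachable only through Replit's proxy (which is what populates `X-Replit-User-Name`); `ALLOWED_TESTERS`, `TesterAllowList`, `demo_app` and `call` are hypothetical names. The allow-list is read from an environment secret rather than hardcoded, and a missing header or an empty list fails closed.

```python
import os

HEADER = "HTTP_X_REPLIT_USER_NAME"  # WSGI key for the X-Replit-User-Name header


def load_allowed(raw):
    """Parse a comma-separated allow-list of Replit usernames."""
    return frozenset(n.strip() for n in raw.split(",") if n.strip())


class TesterAllowList:
    """WSGI middleware: only allow-listed usernames reach the wrapped app."""

    def __init__(self, app, allowed):
        self.app = app
        self.allowed = frozenset(allowed)

    def decide(self, environ):
        user = environ.get(HEADER, "").strip()
        if not user:
            return "401 Unauthorized"  # no identity header: not logged in
        if user not in self.allowed:  # exact match; an empty list denies everyone
            return "403 Forbidden"
        return None

    def __call__(self, environ, start_response):
        denied = self.decide(environ)
        if denied is None:
            return self.app(environ, start_response)
        start_response(denied, [("Content-Type", "text/plain; charset=utf-8")])
        return [b"Access is limited to invited testers.\n"]


def demo_app(environ, start_response):
    # Stand-in for the real application (constructed for this example).
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hello tester\n"]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    seen = {}
    body = b"".join(app(dict(environ), lambda status, headers: seen.update(status=status)))
    return seen["status"], body


# ALLOWED_TESTERS is a hypothetical env var / secret name, e.g. "alice,bob".
guarded = TesterAllowList(demo_app, load_allowed(os.environ.get("ALLOWED_TESTERS", "")))
```

In a Flask app the same wrapper attaches with `app.wsgi_app = TesterAllowList(app.wsgi_app, allowed)`.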