HOSTED SPACES

Public Access Controls

17min
by default a public space does not have any authentication method , but you can choose and set a few space wide password ; public access controls docid\ w7vfvxpmfyspdg0xnzlk1 , where you manually create email + password combos and distribute them to your users; public access controls docid\ w7vfvxpmfyspdg0xnzlk1 , where you enter specific emails or entire domains, and users will authenticate using a link that we send to their email address; public access controls docid\ w7vfvxpmfyspdg0xnzlk1 , where you add specific domains to let users authenticate/create accounts with their e mail address public access controls docid\ w7vfvxpmfyspdg0xnzlk1 , where you can generate private links and share them with your users and teams manage access control per user group via links; public access controls docid\ w7vfvxpmfyspdg0xnzlk1 , where your dev team generates a jwt with a secret key you provide in our ui, then pass it back to us as part of a link this is the easiest to manage, but you will require developer time public access controls docid\ w7vfvxpmfyspdg0xnzlk1 , when you have an external application that can act as a router to your space domain, so the public portal can be acessed only by members setted in providers like google, azure, okta none the default behaviour is set as none, meaning it is available publicly you can change to controls to limit the access for readers everyone with the link will be able to read content links are safe to share because they are cryptographically generated and unguessable when you want to gate the contents to specific readers, try any of the options below guest accounts create guest accounts everyone with the link and a guest account will be able to read the content guest accounts are not charged as seats in archbee private accounts users will be able to authenticate/create an account in your space with their email address/password if you add their email address or their email domain to the list below everyone with the link and a matched account will be able to read the content accounts are not charged as seats in archbee the list of users with active accounts will appear in the 'active accounts' window magic link users will be able to authenticate to your space with their email address if you add their email address or their email domain to the list below everyone with the link and a matched account will be able to read the content accounts are not charged as seats in archbee private links generate private links for specific user groups/teams each user group/team will have their own link to the same documentation and you can manage access control via this links you need to cut access for team 1? delete the private link associated with team 1 how jwt works jwt secret visitor authentication public access control jwt secret go to the spaces settings, and set a jwt secret key that you generate on your server json web key visitor authentication go to the spaces settings, and set a json web key set url a json web key set (jwks) url is a url endpoint where a server publishes its public keys in json format the jwks url typically points to a json document that contains an array of cryptographic keys used for verifying signatures when archbee receives a jwt, it can retrieve the corresponding public key from the jwks url and use it to verify the jwt's signature, ensuring that the token hasn't been tampered with and was indeed issued by a trusted party a jwks url provides a standardized way for clients to obtain the public keys needed to verify jwt signatures in a secure and scalable manner this is a sample jwks json file { &#x9;"keys" \[{ &#x9; "kid" "1234example=", &#x9; "alg" "rs256", &#x9; "kty" "rsa", &#x9; "e" "aqab", &#x9; "n" "1234567890", &#x9; "use" "sig" &#x9;}, { &#x9; "kid" "5678example=", &#x9; "alg" "rs256", &#x9; "kty" "rsa", &#x9; "e" "aqab", &#x9; "n" "987654321", &#x9; "use" "sig" &#x9;}] } generate the jwt token use one of the examples below to generate the jwt token you also need to replace the url with the subdomain of your documentation site const sign = require('jsonwebtoken') sign; exports buildarchbeeloginurl = function() { // optional user credentials that you want to send back to archbee const user = { name 'john', email 'wick', }; //create a signed token out of the user credentials with the //secret you set in archbee const jwttoken = sign(user, '\<archbeejwtsecret>'); //yourdomain is set in the custom domain tab const archbeeurl = 'https //yourdomain com'; //create the complete url containing the signed token that you'll send back to archbee return `${archbeeurl}?jwt=${jwttoken}\&reload`; }; here is an example to generate a jwt token with net https //github com/dragosbulugean/archbee jwt dotnet https //github com/dragosbulugean/archbee jwt dotnet using jwt; using jwt algorithms; using jwt serializers; var payload = new dictionary\<string, object> { { "name", "john wick" }, { "email", "john wick\@matrix com" } }; const string secret = "tw9zagvfcmv6uhjpdmf0zutleq"; ijwtalgorithm algorithm = new hmacsha256algorithm(); // symmetric ijsonserializer serializer = new jsonnetserializer(); ibase64urlencoder urlencoder = new jwtbase64urlencoder(); ijwtencoder encoder = new jwtencoder(algorithm, serializer, urlencoder); var jwttoken = encoder encode(payload, secret); var archbeelink = $"https //docs yourcompany com/?jwt={jwttoken}\&reload"; console writeline($"jwt token {jwttoken}"); console writeline($"archbee link {archbeelink}"); jwt tokens are bypassed on preview/staging saml security assertion markup language saml can be configured for public space access in the same way as for team integration, see saml integration docid\ ajhcf8y3lx 0cxrltonjv for more detailed steps regarding setting up each provider note that just the metadata url is needed as input also, we assume the space is already hosted on a custom domain in this way , the published space link will be routed through the new saml application; thus, only members set up in the provider application can access the public portal how to set up saml as a public access control go to azure services > microsoft entra id > "+add" > app registration select "accounts in this organizational directory only single tenant" and paste the callback url from archbee space settings >public access control > saml into "redirect uri" as in the below image, choosing web auth click on "register" on the newly created app in azure, go to "endpoints" and copy the "federation metadata document" from the azure app to the archbee space settings > public access control > saml into the "set saml metatada url" a unique entity id will be generated in archbee, copy the " api //published " link in your azure app expose an api > add > fill up the url > save it go to your archbee space and re publish it try to access the link and test the saml authentication
🤔
Have a question?
Our super-smart AI,knowledgeable support team and an awesome community will get you an answer in a flash.
To ask a question or participate in discussions, you'll need to authenticate first.



Updated 21 Feb 2025
Doc contributor
Doc contributor
Doc contributor
Doc contributor
Doc contributor
+2
Did this page help you?
PREVIOUS
Hosting Spaces on a sub folder
NEXT
Manage mail templates
Docs powered by Archbee