Login with exe
You can leverage exe.dev's authentication system to identify users accessing your services through the HTTP proxy. This lets you build authorization without managing passwords or e-mails yourself.
The "Login with exe" feature is complementary to Sharing. If a site is public, all users can access it, and the developer can implement their own authorization, including bouncing users through /__exe.dev/login to require an e-mail address. Private sites always have the authentication headers, because the site must have been shared with the user for them to access it at all.
Authentication Headers
When a user is authenticated via exe.dev, the following headers are added to requests coming into your VM:
- X-ExeDev-UserID: A stable, unique user identifier
- X-ExeDev-Email: The user's email address
These headers are only present when the user is authenticated. If your site is public, unauthenticated requests will not have these headers. Treat them as authoritative only for requests that arrived through the exe.dev proxy: if your service also accepts connections from anywhere else, a client could set these headers itself, so bind it to the port the proxy forwards to rather than exposing it directly.
Special Authentication URLs
The following special URLs are available for authentication flows:
- Login: https://vmname.exe.xyz/__exe.dev/login?redirect={path}
  Redirects the user to log in, then returns them to the specified path.
- Logout: POST https://vmname.exe.xyz/__exe.dev/logout
  Logs the user out, removing the cookie for your domain.
Development
If you're using an agent to develop on your exe.dev VM itself, your server might be listening, for example, on http://localhost:8000/, and nothing is providing these headers. Use an HTTP proxy to add the headers for testing (header names are case-insensitive, so the spelling below matches what your server sees from the exe.dev proxy). For example:
mitmdump \
--mode reverse:http://localhost:8000 \
--listen-port 3000 \
--set modify_headers='/~q/X-Exedev-Email/user@example.com' \
--set modify_headers='/~q/X-Exedev-Userid/usr1234'
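The following is an added example, not code from exe.dev, of an application that consumes these headers and implements its own authorization on a public site: it bounces unauthenticated requests through /__exe.dev/login with the current path as the redirect, and lets only an allowlist of e-mail addresses through. It assumes the app listens on localhost:8000 (the port the mitmdump command above forwards to), that a relative /__exe.dev/login URL resolves on the same host as the site, and the allowlist entries are constructed for the example.

```python
"""Added example (not exe.dev's code): allowlist authorization behind the
exe.dev proxy using the X-ExeDev-* headers. Assumes the app is only reachable
through the proxy (or mitmdump in development) on localhost:8000."""
from urllib.parse import quote
from wsgiref.simple_server import make_server

# Constructed allowlist for this example; lowercase so matching is
# case-insensitive (a choice of this example, not an exe.dev rule).
ALLOWED_EMAILS = {"alice@example.com", "bob@example.com"}

# WSGI spelling of the headers the exe.dev proxy adds for logged-in users.
USER_ID_HEADER = "HTTP_X_EXEDEV_USERID"
EMAIL_HEADER = "HTTP_X_EXEDEV_EMAIL"


def login_url(path):
    """Special login URL that bounces the user through exe.dev and then
    returns them to `path`; the path is percent-encoded as a single value."""
    return "/__exe.dev/login?redirect=" + quote(path, safe="")


def current_user(environ):
    """Return (user_id, email) from the proxy-added headers, or None when the
    request is unauthenticated (public site, no exe.dev session)."""
    user_id = environ.get(USER_ID_HEADER)
    email = environ.get(EMAIL_HEADER)
    if not user_id or not email:
        return None
    return user_id, email.lower()


def decide(environ):
    """Authorization decision for one request: (status, headers, body)."""
    path = environ.get("PATH_INFO") or "/"
    if environ.get("QUERY_STRING"):
        path += "?" + environ["QUERY_STRING"]
    user = current_user(environ)
    if user is None:
        # Not logged in: send through exe.dev login and back to this path.
        return "302 Found", [("Location", login_url(path))], b""
    user_id, email = user
    if email not in ALLOWED_EMAILS:
        # Logged in but not allowed. The stable user ID is what to log;
        # the e-mail is what the allowlist is written in.
        body = f"Access denied for {email} (user {user_id}).\n".encode()
        return "403 Forbidden", [("Content-Type", "text/plain")], body
    body = f"Hello {email}, you may see {path}\n".encode()
    return "200 OK", [("Content-Type", "text/plain")], body


def application(environ, start_response):
    status, headers, body = decide(environ)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Loopback only: the exe.dev proxy (or mitmdump) is the only client.
    with make_server("127.0.0.1", 8000, application) as httpd:
        httpd.serve_forever()
```

Run it on the VM, point the mitmdump command above at it, and request http://localhost:3000/admin with and without the injected headers to see the 302 to /__exe.dev/login, the 403, and the 200 paths.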
Example: nginx authorization
The following nginx configuration allows only specified email addresses to access a protected location:
server {
listen 80;
server_name _;
location / {
# Check if X-ExeDev-Email header matches allowed addresses
set $allowed "false";
if ($http_x_exedev_email = "alice@example.com") {
set $allowed "true";
}
if ($http_x_exedev_email = "bob@example.com") {
set $allowed "true";
}
# Return 403 if not allowed
if ($allowed = "false") {
return 403 "Access denied. Please log in with an authorized account.";
}
# Serve content for authorized users
root /var/www/html;
index index.html;
try_files $uri $uri/ =404;
}
}