Your Zomg instance may have Google sign-in enabled. When it is, browser surfaces — the dashboard, system apps, and protected box URLs — use Google sign-in with a session cookie, while the CLI and API use short-lived tokens minted from the same sign-in.
What requires sign-in depends on whether the instance has a Google auth provider configured. With one configured, published app URLs are gated by deployment auth by default — visitors sign in before the page loads — and system routes are gated when the operator turns on system-domain protection. With no auth provider configured, everything stays public.
Sign in from the CLI
Sign in with Google:
This opens a browser, completes Google sign-in, mints a Zomg JWT, and stores it as auth_token in the local profile config.
Signing in also gives you an in-box identity: on your first allowlisted sign-in, Zomg provisions a deployment user named after your email’s localpart, and exec, console, ssh, and dashboard sessions run as that user by default (--root escalates to root). GET /v1/me returns your email and resolved user. The static deployment token carries no user identity and acts as root. See Environment → Users.
Print the stored token for agents and scripts:
The API accepts either the static deployment token or a valid Google-auth JWT:
curl -H "Authorization: Bearer $(zomg auth token)" \
https://api.zomg.ai/v1/projects/<project>/boxes
If browser sign-in succeeds but CLI or API calls fail, run zomg auth signin again and confirm the selected runtime target points at your instance’s API:
zomg target list
zomg auth token --json
What route protection means
Two things decide whether a URL requires sign-in — and nothing else. There is no per-box auth override.
Published apps: gated by default, --public to opt out
Once the instance has a Google auth provider configured, every service you publish is gated by deployment auth: visitors are redirected through Google sign-in before they reach it. Opt a single publish out at publish time with --public:
# Gated (default): sign-in required
zomg service publish my-box web --as app
# Public: anyone with the URL gets in
zomg service publish my-box web --as app --public
--public is a per-publish flag on zomg publish, zomg service publish, and zomg service start. Visibility is a property of the publish, not the box.
System domains: protect_system_domains
The instance’s system API under the instance domain is gated only when the operator enables it:
zomg auth settings --protect-system # require sign-in on the system API
zomg auth settings --no-protect-system # leave it open
This is the single instance-level protection knob (protect_system_domains). It governs only true system ingresses — it does not touch published apps. The dashboard is a published app: its visibility follows the per-publish rule above (gated by default, --public to opt out), not this knob.
If the instance has no Google auth provider configured (missing client ID, client secret, or JWT secret), publishes cannot be gated. They are served public regardless of --public, and the CLI prints a warning at publish time. Ask your instance operator to configure Google auth to gate publishes.
Who can sign in
Which Google accounts are accepted — a workspace domain, a list of allowed emails, or any Google account — is decided by whoever operates the instance. If your account is rejected at sign-in, ask your instance operator to allow your email or domain.