Got a dashboard, admin panel, or internal tool you want online but not open to the world? Just publish it. With Google sign-in configured on your instance, published URLs are gated by deployment auth by default.
zomg service start tools dashboard --port 8080 --publish tools -- node server.js
Anyone hitting https://tools.zomg.ai has to sign in with Google first — no extra step.

Decide who gets in

By default, sign-in is limited to your Google Workspace domain. You can widen or narrow that:
# Allow a whole domain
zomg auth settings --allowed-domain example.com

# Allow specific people
zomg auth settings --allowed-email alice@example.com
Each app picks its own visibility at publish time — keep the sensitive ones gated (the default) and mark a marketing page --public:
zomg service publish tools dashboard --as tools          # gated (default)
zomg service publish site landing --as site --public     # public

Lock down the system API too

Publishes — the dashboard included — are gated by default and follow their own per-publish visibility (--public to opt out). The instance’s system API domain is the one surface governed separately, and it stays public until an instance admin turns on system-domain protection:
zomg auth settings --protect-system

Keep going

Auth

Set up the Google OAuth client and configure who can sign in.

Services

Publish an app and manage it.