Private Status Pages

By default, status pages are public — anyone with the link can view them. Private mode lets you restrict access so only authorised visitors can see your page. This is useful for internal IT status pages, customer-specific pages, or any situation where you don’t want information publicly visible.

Enabling Private Mode

Go to Status Pages and open the page you want to restrict
Click Settings in the left menu, then go to the Access section
Toggle Private Status Page to on
Click Access Settings to configure one or more access methods
Click Save Settings

Once enabled, unauthenticated visitors will see a gate page instead of your status page content.

Private status pages are available on paid plans. If the toggle is greyed out, upgrade your plan.

Access Methods

You can enable one or more access methods at the same time. Visitors who pass any single method are admitted — they work as an OR, not AND.

Method	Best for
Password	Simple shared access for a small group
IP Allowlist	Office networks or VPNs
Email Magic Link	Named individuals without a shared account
Azure AD / Microsoft	Company employees via Microsoft work accounts
Google Workspace	Google-based organisations
Generic OIDC	Any OpenID Connect provider (Okta, Auth0, Keycloak, etc.)

Tip: The IP allowlist is checked silently — matching visitors bypass the gate page entirely without any login step.

Password

Set a single shared password that visitors enter to unlock the page.

Setting a password

Open Access Settings
Expand the Password section
Type your chosen password (minimum 4 characters)
Click Save Access Settings

Changing or removing a password

Open Access Settings → Password
Click Change Password to set a new one, or Remove Password to disable it
Save

When you change or remove a password, an email notification is sent to the account owner as a security alert.

Sessions granted by a password last 1 hour. Visitors can log out at any time by visiting /?logout=1 on your status page URL.

IP Allowlist

Automatically admit visitors whose IP address matches an entry in your allowlist — no login required.

Adding IPs

Open Access Settings → IP Allowlist
Toggle Enable IP allowlist on
Enter one IP address or CIDR range per line, for example:
```
203.0.113.42
10.0.0.0/8
192.168.1.0/24
```
Save

Notes

CIDR notation is supported for ranges (e.g. your entire office subnet)
Visitors on an allowed IP are admitted transparently — they never see the gate page
Combine with password or magic links so remote workers who aren’t on the VPN can still access the page

Email Magic Link

Send a one-time login link to an email address. Useful for named external stakeholders you want to grant access without sharing a password.

Enabling magic links

Open Access Settings → Email Magic Link
Toggle Enable email magic link on
Enter the email addresses that are allowed to request a link (one per line)
Optionally enable Also allow team members to automatically include anyone with team access to the status page
Set the link expiry (15 minutes, 30 minutes, or 1 hour)
Save

How visitors use it

Visitor arrives at the gate page and enters their email address
If the email is on the allowlist, they receive an email with a login link
Clicking the link grants a 1-hour session
To prevent email enumeration, the page always says “check your inbox” — even if the address is not on the list

Rate limiting

Each email address is limited to 3 magic link requests per 10 minutes.

Azure AD / Microsoft

Allow employees to sign in using their existing Microsoft work account (Azure Active Directory). No shared password or manual email list required — anyone in your organisation’s Azure AD tenant can authenticate.

This is a paid plan feature and requires registering an application in your Azure AD tenant.

See the full Azure AD setup guide →

Google Workspace

Allow employees to sign in using their Google Workspace account. You can optionally restrict access to a specific hosted domain (e.g. acme.com).

This is a paid plan feature and requires creating an OAuth 2.0 client in Google Cloud Console.

See the full Google Workspace setup guide →

Generic OIDC

Connect any OpenID Connect provider — Okta, Auth0, Keycloak, Ping Identity, and others. The platform automatically discovers endpoints from the standard OIDC discovery document.

This is a paid plan feature.

See the full Generic OIDC setup guide →

Allowed Email Domains

After any SSO login (Azure AD, Google, or OIDC), you can further restrict access by email domain. Enter one domain per line in Access Settings → Allowed Email Domains. Visitors whose email domain is not in the list are denied even after a successful SSO authentication. Leave blank to allow all domains.

Combining Methods

You can enable multiple methods simultaneously. The recommended combinations for common scenarios:

Scenario	Recommended setup
Internal company page (Microsoft)	Azure AD + IP allowlist (office)
Internal company page (Google)	Google Workspace + IP allowlist (office)
Mixed internal/external	Azure AD or Google for employees, magic link for contractors
Enterprise IdP (Okta, Auth0)	Generic OIDC + allowed email domains
Simple team page	Password
Customer-specific page	Magic link with customer email

Session Behaviour

Regardless of which method grants access, sessions work the same way:

Sessions last 1 hour from the time of authentication
Sessions are stored in a browser cookie (sp_auth_<page-id>)
Visitors can log out at any time by adding ?logout=1 to any URL on your status page (e.g. https://status.yourcompany.com/?logout=1)
Closing the browser does not end the session — the cookie persists

Feed Access

RSS and Atom feeds for private pages return 401 Unauthorized to unauthenticated requests. Feed readers that support HTTP authentication are not currently supported — subscribers need to access the page directly.

StatusPage.me Help Center