netlify-access-control
Netlify Access Control
"Auth" on Netlify means three different things that are easy to conflate. Picking the wrong one — or stacking two when one would do — is the main source of friction. This skill disambiguates the layers and routes you to the right one. For actually building app-level user auth, see the netlify-identity skill.
The three layers
| Layer | Answers | Who it's for | Plan | How it's configured |
|---|---|---|---|---|
| Netlify Identity | "Who is this user inside my app?" (signups, logins, roles; issues nf_jwt) |
Your app's end users | All plans, free | Dashboard + @netlify/identity code |
| Password Protection (Secure access to sites) | "Can this request even load the site?" | Basic: anyone with a shared password · Team login: Netlify team members | Basic: Pro+ · Team login: Enterprise | Dashboard-only |
| Team / Org SAML SSO (Secure access to Netlify) | "Can you log in to the Netlify dashboard?" (and, with strict mode, pass the site gate) | Netlify team members, via a corporate SAML IdP | Enterprise | Dashboard-only |
These are independent. The nf_jwt cookie is issued by app-level JWT auth: Netlify Identity, or a configured external JWT provider such as Auth0/Okta (the two are mutually exclusive); Password Protection and SAML SSO sessions are separate, with their own lifecycles, and do not populate nf_jwt.
Note on terminology: Netlify's docs file Identity, Password Protection, role-based access, and more under an umbrella called "Secure access to your sites," while SAML SSO lives under "Secure access to Netlify." So "Secure Access" is not one feature — when a user says it, find out whether they mean gating site visitors (Password Protection) or gating dashboard login (SAML SSO).
Why Google causes confusion
The same provider can show up in two unrelated places: