Password-protect an HTML page, with a passcode on a private link.
Publish the page, set a password, share the link. Only people with the passcode can open it, and the link is unguessable to begin with. Works for any HTML, including a Claude or Codex artifact you want to share outside its walls.
How do you password-protect an HTML page?
Publish it to Stacktree and set a password. Anyone opening the link is asked for the passcode before the page renders; the password is stored as a hash, never in plaintext, and it sits on top of an already-unguessable URL. You can set it in the dashboard, at upload, or with set_password over MCP, and add, change, or remove it later without the link changing.
Why a password, when the URL is already unguessable
A Stacktree link is private by default: it lives at a token URL with roughly 128 bits of entropy, is never listed or indexed, and is served with crawler-blocking headers. If you never share the link, nobody finds the page. So why add a password at all?
Because links travel. A URL that is private the moment you create it can still be forwarded, pasted into a shared channel, or left in a browser history on a borrowed machine. A passcode is the second factor for exactly those cases: it means holding the link is not enough, the viewer also has to know a secret you set. For a client deliverable, a quote, an internal report, or anything you would not want opened by whoever the link reaches next, that second layer is the difference between "hard to find" and "needs permission."
How to set it
- In the dashboard. Open the site, set a password, done. The page now prompts for it before rendering.
- At publish time. Include a password when you upload the file, so the page is protected from its first second.
- From an agent, over MCP. Call set_password with the password (or null to clear it). The same agent that published the page can lock it, so the whole flow stays in one place.
However you set it, the password is hashed before storage, so Stacktree never holds the plaintext. Removing or rotating it is a one-line change and never moves the URL.
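A minimal model of the gate described above, added here as an example and not Stacktree's code: a 128-bit token URL with an optional salted, hashed passcode on top, where rotating or clearing the passcode leaves the link untouched. The Page class, its open method, and the PBKDF2 parameters are assumptions; the page does not say which hash Stacktree uses.

```python
import hashlib
import hmac
import secrets

# Assumed KDF settings for this sketch (PBKDF2-HMAC-SHA256); not Stacktree's.
ITERATIONS = 600_000


def _derive(password, salt):
    """Stretch the passcode so that only a salted hash is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Page:
    """Hypothetical model of a page behind a token URL with an optional passcode."""

    def __init__(self, html):
        self.html = html
        # 16 random bytes = 128 bits of entropy, the figure quoted in the text.
        self.token = secrets.token_urlsafe(16)
        self.salt = None
        self.pw_hash = None

    def set_password(self, password):
        """Set or rotate the passcode; None clears it. The token never changes."""
        if password is None:
            self.salt = self.pw_hash = None
            return
        self.salt = secrets.token_bytes(16)  # fresh salt on every rotation
        self.pw_hash = _derive(password, self.salt)

    def open(self, token, password=None):
        """Return the HTML only if the token and (when set) the passcode match."""
        if not hmac.compare_digest(token.encode(), self.token.encode()):
            return None  # wrong link: nothing is served
        if self.pw_hash is None:
            return self.html  # link-only protection
        if password is None:
            return None  # a real server would show the passcode prompt here
        # Constant-time comparison of the derived keys.
        ok = hmac.compare_digest(_derive(password, self.salt), self.pw_hash)
        return self.html if ok else None
```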
Password-protecting a Claude or Codex artifact
This is the most common reason people reach for it, and the tools themselves do not cover it. A Claude.ai artifact can be made public, but there is no passcode option, so "shared" means "anyone with the link." Claude Code artifacts and Codex Sites are the opposite, locked to your organization with no password and no external viewer at all.
Hosting closes the gap. Export the artifact to a self-contained HTML file, or have your agent publish it directly, put it on Stacktree, and set a password. Now you can hand a client or a contractor a link plus a passcode, with no Claude or OpenAI seat required to open it, and on your own domain if you want. The page is the same self-contained HTML the artifact already was; you have just added the lock the source tool left out.
Layer it: password, email gate, expiry, burn
A password is one option in a small set you can combine to match the sensitivity of what you are sharing:
- Password for a shared secret with a person or small group.
- Email-domain gate for a company audience, where viewers verify a work address by magic link. Mutually exclusive with a password on a single page.
- Expiry from minutes to never, so a link does not outlive its purpose.
- Burn after read for a one-time view that deletes itself once opened.
- End-to-end encryption for the most sensitive pages, where the key lives only in the URL fragment and Stacktree stores ciphertext it cannot read.
A passcode plus a short expiry covers most "share this carefully" situations without any of it being complicated.
Frequent questions
How do I password-protect an HTML page?
Can you password-protect a Claude or Codex artifact?
Is the link still private if I do not set a password?
Password or email-domain gate, which should I use?
Can I add a password to a page I already published?
Can I also make the page expire or self-destruct?
Related guides
- Share Claude artifacts privately: The same flow for a Claude artifact, with the passcode the source lacks.
- Private HTML hosting: The unguessable-URL model the password sits on top of.
- Security at Stacktree: How passwords are hashed, plus the other gates and what we do and do not claim.
- Share HTML in Slack: Turn a file in a Slack thread into a private, gateable link.
Share a page only the right people can open.
Publish, set a passcode, send the link. Free to start, no card, works for any HTML.