Dear Railway team—lots of images we deploy ship without auth. Today I throw Nginx/Caddy Basic Auth in front just to keep staging/internal tools private. It works, but it’s extra plumbing and easy to forget.

Ask: a simple toggle on each public domain to require Basic Auth or a single access token (works with HTTP/WebSockets; generated + custom domains). Quick creds UI + rotate, and a note to avoid bypass via the generated domain.

Nice-to-have later: OIDC/SSO, IP allowlist, per-path rules.

Not a replacement for real app auth—just a safety gate to prevent accidental exposure. Happy to beta test.