> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fermion.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Password Protection

> Learn how to enable password protection for your website to restrict access

Password protection allows you to temporarily restrict access to your site by setting a global password. Users must enter this password before viewing your site or logging in.

***

## Enable Password Protection

You can enable password protection from the **Security** section in **School Settings**.

![](https://67d6ad5ef66ee0901532fd2f.storage.fermion.app/public-uncached/object-store-public-files/uploads/16-11-2025/screenshot-000620@2x.degawa.png)

This will temporarily restrict access to your site by setting a global password. Users must enter this password before viewing your site or logging in.

This feature is ideal for:

* Pre-launch or private institutions
* Testing environments
* Exclusive cohorts or invite-only batches

Once password is set, whenever someone opens your website it would look like this:

![](https://67d6ad5ef66ee0901532fd2f.storage.fermion.app/public-uncached/object-store-public-files/uploads/16-11-2025/screenshot-000621@2x.mlwfev.png)

## How to embed password-protected website inside another app externally?

You might want to password protect your website and embed it externally in a different app.

To do that, you must set a JWT as a cookie named `website-password`. For example, let us assume your website is `lms.example.com` which uses Fermion. In order to securely access it from an external app, do the following:

* Enable password on the website (assume you set password to be `123456`)
* Make a secure HTTPS request to `request-password-enabled-website-access` API endpoint to get a unique embed cookie. This will return you a string that you must use as a cookie. Learn more about calling this API here: [https://docs.fermion.app/api-reference/misc/request-password-enabled-website-access](https://docs.fermion.app/api-reference/misc/request-password-enabled-website-access)
* Embed the website in a webview/iframe in your external app
* Set the cookie `website-password` to have the value of the JWT returned by the API above.

This will make it possible for you to embed your website externally, while making it inaccessible to general public via regular web browsers.
