By setting the access key (PUBLIC or PRIVATE) in the environmental settings with a PostgreSQL connection string (plus a table name separated by a | pipe) it is possible to restrict access. The access control list (ACL) table must be stored in a PostgreSQL database.
If set to PRIVATE a login is required to open the application or access any endpoint. If set to public login is optional for routes which are not restricted for administrator. Admin routes are not available if no ACL is provided. Without the admin route all changes to the settings need to be done in the code repository or database.
An ACL must have following table schema:
create table if not exists users("_id" serial not null,email text not null,password text not null,verified boolean,approved boolean,admin boolean,verificationtoken text,approvaltoken text,failedattempts integer default 0,password_reset text,api text);