My company has a few Anvil apps, all for internal use, all private and all require authentication. I have not assigned any custom domain and (so far) working with the anvil.app domain doesn’t bother me.
The only annoying thing is that sometimes refreshing the page doesn’t work; it says “This application is private.”
Making the app public would solve the problem, but would it also make the app less safe?
Hi Stefano,
This is a good question. As always, we have tried to strike the right balance between security and ease of use here. When you load a private Anvil app, the access key (on the end of the URL) is verified and then removed from the URL. This is so that it doesn’t get leaked to third parties via referrer headers on requests for, e.g., external images. The authorisation is stored in your session, and so you can refresh the app for as long as your session remains alive. After some period of inactivity (currently around 30 mins), sessions are removed, and so you need to use the full private URL of the app to load it again. That means pressing Refresh will not work after this point.
We are keen to hear feedback on whether people think this is a good trade-off for private apps. Please do leave your thoughts below.
To answer your final question, making the app public just allows anyone to access the front-end. As long as your Data Tables have suitable permissions, and your Server Functions verify that users are logged in, this is entirely safe.
I hope that helps!
1 Like
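The flow described in the reply above, as a small added model (an example written for this page, not Anvil's code and not part of the original thread): the key is checked once, the browser is sent to a key-free URL, and later requests depend on a session that is dropped after idle time. The `/_/private/<key>` URL layout, the class and function names, the sample key and the exact 30-minute value are assumptions for illustration.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 30 * 60  # seconds; assumed from "currently around 30 mins"
PRIVATE_MSG = "This application is private."

class PrivateAppGate:
    """Toy model of key-then-session access; not Anvil's implementation."""
    def __init__(self, access_key, clock=time.monotonic):
        self._key = access_key.encode()
        self._clock = clock
        self._sessions = {}  # session id -> time of last activity

    def _live(self, sid):
        last = self._sessions.get(sid)
        if last is None or self._clock() - last > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)  # idle sessions are removed
            return False
        return True

    def handle(self, path, sid=None):
        """Return (status, body or redirect target, session id)."""
        _, _, key = path.partition("/_/private/")  # hypothetical URL layout
        if key:
            if not hmac.compare_digest(key.encode(), self._key):
                return 403, PRIVATE_MSG, None
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = self._clock()
            # Redirect to a key-free URL so the key cannot leak via Referer.
            return 302, "/", sid
        if sid is not None and self._live(sid):
            self._sessions[sid] = self._clock()  # activity extends the session
            return 200, "app", sid
        return 403, PRIVATE_MSG, None

def demo():
    now = [0.0]  # constructed fake clock so the timeout runs offline
    gate = PrivateAppGate("CONSTRUCTED-KEY", clock=lambda: now[0])
    first = gate.handle("/_/private/CONSTRUCTED-KEY")
    now[0] += 10 * 60   # refresh after 10 idle minutes
    refresh_ok = gate.handle("/", first[2])
    now[0] += 31 * 60   # refresh after 31 further idle minutes
    refresh_late = gate.handle("/", first[2])
    return first[:2], refresh_ok[0], refresh_late[:2]
```

`demo()` shows the case from the question: the same key-free URL refreshes fine while the session is live and returns the "private" message once it has lapsed, because the key is no longer in the address bar.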
Ah, so this explains why I have to keep clicking the link I emailed myself after a few when I try to reload the page.
I’m not sure of the right answer, but it would be nice to have some way that it’s private based on the link so you can save it as a shortcut.
Like, I can’t even use private apps as mobile apps because of this, so I’m better off making it public and putting auth in front of it.
Curious about others’ thoughts as well; it’s an interesting topic.
On the mobile side you have to use a public app to be able to bookmark it, refresh it, etc. I found that out with a simple home budgeting app I made for family use.
That does mean adding in a layer of authentication into the app that you might not otherwise think to include, but I think that’s a good thing. Depending on the secrecy of a URL for security isn’t a substitute for the app itself providing authentication and authorization.
You can create a link to a private app by manually typing the whole URL, including the key, into the link. For example, for a Windows shortcut, you would need to right-click on it and edit its properties.
You cannot create it by accessing the page and then saving the bookmark, because by the time you try to save it the key is gone.
When I want to bookmark a private app on my phone, I email myself the link from the Publish dialog - then I can open the email on my phone and copy the link to my bookmarks.
You can also see all your apps and open them by logging into https://anvil.works on your phone, so you can copy the link from there!
1 Like