Skip to content
LinkBrain

Dashboard

The dashboard is a private web page that lists every link with its metadata and lets you act on it by clicking — no need to know a link’s #id. It’s the browser counterpart to the Telegram commands.

It lives on a custom domain (links.<yourdomain>/dashboard) because Cloudflare Access can only path-protect a real zone, not a *.workers.dev route. The Telegram webhook and the public List stay on the workers.dev URL, untouched.

What you can do

Section titled “What you can do”

Each link is a card with controls: set status (unread/reading/read/archived), toggle ⭐ favorite, toggle 🌐 share (adds it to your public List), set a collection, set a reminder date, and 🗑 delete it (the only action that removes data — it also cleans the search index).

Security — two layers

Section titled “Security — two layers”
  1. Cloudflare Access at the edge: only your email can load the page (you log in via Access).
  2. Worker JWT check: the Worker independently verifies the Access token, so even the *.workers.dev/dashboard back-door (which Access doesn’t front) is denied.

It fails closed: until the two secrets below are set, /dashboard returns 403 for everyone.

One-time setup (Cloudflare Access)

Section titled “One-time setup (Cloudflare Access)”

  1. In Cloudflare Zero Trust → Access → Applications, click Add an application → Self-hosted.

  2. Set the application domain to your dashboard host (e.g. links.yourdomain.com) with path /dashboard. Make sure an identity method is enabled — the built-in One-time PIN (email code) is enough.

  3. Add a policy: Action: Allow, Include → Emails → your email address. Save.

  4. Open the application’s settings and copy two values: the Application Audience (AUD) tag and your team domain (https://<team>.cloudflareaccess.com).

  5. Set them as Worker secrets, then they apply live (no redeploy):

    Terminal window
    npx wrangler secret put ACCESS_AUD            # the AUD tag
    npx wrangler secret put ACCESS_TEAM_DOMAIN    # https://<team>.cloudflareaccess.com

Visit https://links.yourdomain.com/dashboard → Access prompts you to log in → the dashboard loads. Confirm https://<your-worker>.workers.dev/dashboard returns 403 (no Access token), and that /webhook and /list still work.

Local development

Section titled “Local development”

There’s no Access in local dev, so .dev.vars sets DEV_NO_AUTH=1 to bypass the check and let you open localhost:8787/dashboard. Never set DEV_NO_AUTH in production — it would make the dashboard public.