Any way to expose public _and_ private API endpoints from the same service?

Hello

I have a service called CoffeeMaker.
I want:

  • /dispense-coffee to be available publicly
  • /refill-beans to be available privately (other fly apps in the same org can call this API)

Breaking it down further into two apps would be silly. What would be the recommended way as of now?

Is there an issue with exposing /refill-beans publicly, but just locking down access (e.g. enforcing some kind of authorization token for that endpoint)?

Then to access /refill-beans from another app in your org, use the .internal domain plus the authorization token. If your service is behind Cloudflare, you can lock down /refill-beans further by making a page rule to block all requests to that path.

Building some kind of authorization is doable, was just exploring if there’s some way to do it via network. I guess I’ll also try running two ports for the same service - one publicly exposed, and one only for internal routes
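The two ideas raised in this thread, a second listener that serves only the internal route and an authorization token on that route, can be combined in one process. The sketch below is an added example, not code from any of the posters; the function names, the token value and the loopback bind addresses are assumptions chosen so it runs locally.

```python
import hmac, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

INTERNAL_TOKEN = "constructed-demo-token"  # assumption: loaded from a secret store in practice
NO_PROXY = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def make_handler(routes, token=None):
    """Handler that serves only `routes`; when `token` is set, every call must present it."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            if self.path not in routes:
                return self._reply(404, b"not found")
            if token is not None:
                supplied = self.headers.get("Authorization", "").encode()
                # Constant-time comparison so the check does not leak the token through timing.
                if not hmac.compare_digest(supplied, f"Bearer {token}".encode()):
                    return self._reply(401, b"unauthorized")
            self._reply(200, routes[self.path])
        def _reply(self, status, body):
            self.send_response(status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):
            pass  # keep the demo quiet
    return Handler

def start(bind_addr, routes, token=None):  # one listener, ephemeral port, background thread
    srv = ThreadingHTTPServer((bind_addr, 0), make_handler(routes, token))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def call(srv, path, token=None):
    """POST to a listener over loopback and return the HTTP status code."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    url = f"http://127.0.0.1:{srv.server_port}{path}"
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with NO_PROXY.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    # Loopback stands in for both interfaces; in a deployment only the first port is
    # published and the second binds to the private-network address.
    public = start("127.0.0.1", {"/dispense-coffee": b"coffee"})
    private = start("127.0.0.1", {"/refill-beans": b"refilled"}, INTERNAL_TOKEN)
    return (call(public, "/dispense-coffee"), call(public, "/refill-beans"),
            call(private, "/refill-beans"), call(private, "/refill-beans", INTERNAL_TOKEN))
```

Calling `demo()` returns the four status codes in order: the public route succeeds, the internal route does not exist on the public listener, and on the private listener it is refused without the token and served with it.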