It would be nice if you could allow restricting a domain to only authenticated fly accounts in the deploying organisation (or a list of accounts that are allowed access). This would allow hosting internal tools/dashboards “publicly” with easy access without worrying about someone nefarious accessing them.
http_service already acts as a reverse proxy (and terminates TLS), so it could check for an auth cookie and do a regular OAuth flow if it does not exist.
(Of course there are the usual edge cases with cross-site cookies and whatnot; one solution could be allowing generating a token to pass in the Authorization: Bearer header.)
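A sketch of the proxy-side check this request describes, added here as an example; it is not from the post and is not Fly.io's code or API. The cookie name `proxy_session`, the HMAC token format, the organisation name, the client id and the IdP URL are all assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Every name here is hypothetical; values are constructed for the example.
SECRET = b"constructed-demo-key"      # proxy-side signing key
ALLOWED_ORG = "acme-internal"         # the deploying organisation
AUTHORIZE_URL = "https://idp.example/oauth/authorize"  # placeholder IdP

def sign(claims: dict) -> str:
    """Issue a token: base64url(JSON claims) + '.' + hex HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify(token: str, now: float):
    """Return the claims only if the tag, expiry and organisation all check out."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                   # tampered or malformed: never parse it
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= now or claims.get("org") != ALLOWED_ORG:
        return None
    return claims

def gate(headers: dict, path: str, now: float = None):
    """Proxy decision: ('forward', user), ('deny', 401) or ('redirect', url)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        # Non-browser clients get a 401 on a bad token, never a redirect.
        claims = verify(auth[7:].strip(), now)
        return ("forward", claims.get("sub")) if claims else ("deny", 401)
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "proxy_session":
            claims = verify(value, now)
            if claims:
                return ("forward", claims.get("sub"))
    # No valid session: start the OAuth flow. A real flow would also bind
    # `state` to an unguessable per-browser nonce; omitted here for brevity.
    query = urlencode({"response_type": "code", "client_id": "proxy-demo",
                       "state": path})
    return ("redirect", f"{AUTHORIZE_URL}?{query}")
```

The organisation check sits in `verify`, so a validly signed token for an account outside the allowed organisation is rejected on both the cookie and the bearer path.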