Replit Expands Private Publishing to Core and Starter Plans

Replit

Replit has expanded Private Publishing, its network-level access control feature, to Core and Starter plan users, making it accessible to a much wider developer audience. Previously restricted to Pro and Enterprise plans, Private Publishing now lets any Core or Starter subscriber restrict who can access their deployed apps before requests even reach the server. Alongside this, Replit introduced External Access Tokens: bearer credentials that allow automated services, webhooks, CI pipelines, and external integrations to reach private apps without exposing them to the public internet. External Access Tokens are available on Core and Pro plans.


Private Publishing Now Available on Core and Starter Plans

Replit has expanded one of its most important deployment security features to a broader set of developers. Private Publishing, which enforces access control at the network level and blocks unauthorized requests before they ever reach an application's server, is now available to Core and Starter plan subscribers. Previously, this capability was limited to Pro and Enterprise plan users.

Private Publishing gives developers fine-grained control over who can access a deployed Replit app. Publishers can choose between two access modes: Workspace Only, which restricts access to all admins, members, and viewers in a shared workspace, and Only You, which makes an app fully private with the option to explicitly invite individual users or groups. This is especially valuable for internal tools, early-stage prototypes shared with collaborators, and business applications meant for a limited audience.

Because access is enforced at the network level, an unauthorized request is rejected before the application ever sees it. That is a stronger posture than application-level authentication alone: a bug in the app's own login flow, or a route that forgot to check for a session, cannot be reached by callers who are not on the allow list. It does not replace authorization inside the app, though; once a workspace member is through the gate, what they may do is still the application's decision.

External Access Tokens: Secure Machine-to-Machine Access for Private Apps

Alongside the Private Publishing expansion, Replit introduced External Access Tokens, a new credential type that allows trusted external services to access privately published apps without making those apps public. This solves a common friction point: when a private app needs to receive webhooks, integrate with CI/CD pipelines, respond to Slack commands, or accept Stripe payment callbacks, it previously had no clean way to authenticate those automated callers.

External Access Tokens are bearer credentials that external services send with their requests. Replit verifies these tokens at the network edge before forwarding the request to the app. Token management includes several practical controls:

  • Environment scoping: tokens are scoped to either development or production, so a token minted for a development deployment is rejected by the production one
  • Labels: optional identifiers that record which service or purpose each token serves
  • Expiration dates: configurable TTLs for temporary or time-limited integrations
  • Secure copy-on-creation: the token value is shown only once, at creation, following standard secret-management practice
  • Immediate revocation: tokens can be deleted at any time via a single action

Tokens can be passed as HTTP headers (the recommended approach) or as URL query parameters, giving flexibility for different integration patterns. Prefer the header whenever the caller supports it: a token in the query string is written to access logs, retained in browser history, and can leak through the Referer header, while a header value is not normally logged.
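The verification flow the changelog describes, as an added example that is not Replit's code: a small Python model of an edge that mints tokens with the controls listed above (environment scope, label, expiry, show-once secret, revocation) and checks them before a request is forwarded to the app. The header form `Authorization: Bearer`, the query parameter name `token` and the `id.secret` token layout are assumptions; the text does not state what Replit actually uses.

```python
"""Model of edge-side bearer-token verification for a privately published app.

Added example, not Replit's implementation. Header name, query parameter
name and token layout are assumed; only the listed controls come from the text.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed names: the changelog does not say which header or query parameter is read.
AUTH_HEADER = "Authorization"
QUERY_PARAM = "token"


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class TokenRecord:
    digest: str                  # SHA-256 of the secret; the raw value is never stored
    environment: str             # "development" or "production"
    label: str                   # free-text note on what the token is for
    expires_at: Optional[float]  # epoch seconds, or None for no expiry
    revoked: bool = False


class TokenStore:
    """In-memory token registry standing in for the platform's edge."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    def create(self, environment: str, label: str = "",
               ttl_seconds: Optional[int] = None,
               now: Optional[float] = None) -> tuple[str, str]:
        """Mint a token. The full value is returned once and cannot be recovered later."""
        now = time.time() if now is None else now
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[token_id] = TokenRecord(
            digest=_digest(secret), environment=environment, label=label,
            expires_at=(now + ttl_seconds) if ttl_seconds is not None else None)
        return token_id, f"{token_id}.{secret}"

    def revoke(self, token_id: str) -> None:
        """Single-action revocation; the next request with this token is refused."""
        self._records[token_id].revoked = True

    def verify(self, presented: str, environment: str,
               now: Optional[float] = None) -> tuple[bool, str]:
        """Check a presented token against the target deployment environment."""
        now = time.time() if now is None else now
        token_id, _, secret = presented.partition(".")
        rec = self._records.get(token_id)
        # Same answer for an unknown id and a wrong secret: no oracle for valid ids.
        if rec is None or not hmac.compare_digest(rec.digest, _digest(secret)):
            return False, "unknown token"
        if rec.revoked:
            return False, "revoked"
        if rec.expires_at is not None and now >= rec.expires_at:
            return False, "expired"
        if rec.environment != environment:
            return False, "wrong environment"
        return True, rec.label


def extract_token(headers: dict[str, str], url: str) -> tuple[Optional[str], str]:
    """Prefer the header; accept the query parameter only as a fallback."""
    auth = headers.get(AUTH_HEADER, "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip(), "header"
    qs = parse_qs(urlparse(url).query)
    if QUERY_PARAM in qs:
        return qs[QUERY_PARAM][0], "query"
    return None, "none"


def edge_check(store: TokenStore, headers: dict[str, str], url: str,
               environment: str, now: Optional[float] = None) -> tuple[int, str]:
    """Decide at the edge; the app only ever sees requests that return 200 here."""
    token, source = extract_token(headers, url)
    if token is None:
        return 401, "no token presented"
    ok, detail = store.verify(token, environment, now)
    if not ok:
        return 403, detail
    return 200, f"forwarded to {environment} app ({detail}, via {source})"


if __name__ == "__main__":
    store = TokenStore()
    token_id, token = store.create("production", "stripe-webhook", ttl_seconds=3600)
    print(edge_check(store, {AUTH_HEADER: f"Bearer {token}"}, "https://app.example/hook", "production"))
    print(edge_check(store, {AUTH_HEADER: f"Bearer {token}"}, "https://app.example/hook", "development"))
```

Two design points carry over to any real deployment of this pattern: the store keeps only a hash, so a leaked token table does not yield usable credentials, and the environment check happens after the secret check, so a production token never answers differently on a development host than an unknown one would.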

External Access Tokens are available on Core and Pro plans.

Plan Availability Summary

With this release, the access control landscape for Replit plans looks as follows: Private Publishing (network-level app access control) is now available on Starter, Core, and Pro/Enterprise plans. External Access Tokens (machine-to-machine auth for private apps) are available on Core and Pro/Enterprise plans. This expansion significantly lowers the barrier for developers building internal tools and private applications who want robust security without needing an enterprise subscription.


Replit Private Publishing: Now Available on Core & Starter | Yet Another Changelog