Manage the access allowlist
GitMCloud controls who can connect through a single allowlist. This same gate is what GitM's first-run wizard checks, so it governs onboarding for both the browser app and the SolidWorks add-in.
How it works
The allowlist is a list of GitHub org/user names. GitMCloud checks it, case-insensitively, against the owner of the repository being connected. It runs at the connect step of the wizard and on every auto-reconnect at app load.
Fail-closed: if the allowlist is empty or missing from both sources, nobody can connect, including you.
Allowlist sources (priority order)
GitMCloud reads the allowlist from two sources and uses the first one that has entries:
| Priority | Source | How to update | Takes effect |
|---|---|---|---|
| 1 | Firestore config/allowlist | Firebase Console (see below) | Instantly |
| 2 | ALLOWED_OWNERS env var | Vercel dashboard | After ~30s redeploy |
If FIREBASE_SERVICE_ACCOUNT is configured and Firestore has a config/allowlist document,
that takes precedence. The env var is the fallback if Firebase is not configured or the Firestore
document doesn't exist yet.
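The resolution order and fail-closed behaviour described above, modelled as an added example (not GitMCloud's own code). The function names, the trimming of whitespace around entries and the skipping of non-string items are assumptions.

```javascript
// Added example modelling the allowlist rules on this page; not GitMCloud code.
// Helper names, whitespace trimming and skipping non-strings are assumptions.

// Keep non-empty strings only, trimmed and lower-cased for comparison.
function normalise(list) {
  if (!Array.isArray(list)) return [];
  return list
    .filter((v) => typeof v === "string")
    .map((v) => v.trim().toLowerCase())
    .filter((v) => v.length > 0);
}

// firestoreDoc: data of config/allowlist, or null when Firebase is not
// configured or the document does not exist.
// envValue: raw ALLOWED_OWNERS string (comma-separated), or undefined.
function resolveAllowlist(firestoreDoc, envValue) {
  const fromFirestore = normalise(firestoreDoc && firestoreDoc.owners);
  if (fromFirestore.length > 0) {
    return { source: "firestore", owners: fromFirestore };
  }
  const fromEnv = normalise(typeof envValue === "string" ? envValue.split(",") : []);
  if (fromEnv.length > 0) {
    return { source: "env", owners: fromEnv };
  }
  // Fail-closed: no entries in either source means nobody matches.
  return { source: "none", owners: [] };
}

// repoOwner: owner of the repository being connected.
function isOwnerAllowed(repoOwner, firestoreDoc, envValue) {
  if (typeof repoOwner !== "string" || repoOwner.trim() === "") return false;
  const { owners } = resolveAllowlist(firestoreDoc, envValue);
  return owners.includes(repoOwner.trim().toLowerCase());
}

// Constructed sample inputs (not real configuration).
const sampleDoc = { owners: ["suchahit", "ACME-Engineering"] };
const sampleEnv = "widgets-co, acme-engineering";

console.log(resolveAllowlist(sampleDoc, sampleEnv).source);
console.log(isOwnerAllowed("acme-engineering", sampleDoc, sampleEnv));
// Listed only in the env var, so blocked while Firestore has entries.
console.log(isOwnerAllowed("widgets-co", sampleDoc, sampleEnv));
// Emptying Firestore reactivates the env var list.
console.log(isOwnerAllowed("widgets-co", { owners: [] }, sampleEnv));
// Both sources empty or missing: fail-closed.
console.log(isOwnerAllowed("suchahit", null, ""));
```

One consequence of "first source that has entries": emptying the Firestore owners array does not lock everyone out if ALLOWED_OWNERS still lists owners, so clear stale env var entries once Firestore is the source of record.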
Set or update the allowlist in Firestore (recommended)
Requires FIREBASE_SERVICE_ACCOUNT to be set in Vercel. See Deploy GitMCloud.
- Go to console.firebase.google.com → your project → Firestore Database.
- If the config collection doesn't exist yet:
  - Click the home icon (🏠) in the breadcrumb to go to the database root.
  - Click + Start collection.
  - Collection ID: config → Next.
  - Document ID: allowlist.
  - Add a field: name owners, type Array, then add each GitHub org/user name as a string item.
  - Click Save.
- If the config/allowlist document already exists:
  - Navigate to it (root → config → allowlist).
  - Click the owners field to edit the array, or + Add field if it's missing.
  - Add or remove string items as needed.
  - Click Update.
- Changes take effect immediately — no redeploy needed.
Example document structure:
config / allowlist
owners: ["suchahit", "acme-engineering", "widgets-co"]
Names are matched case-insensitively, so ACME-Engineering and acme-engineering are equivalent.
Set or update the allowlist via env var (fallback / legacy)
If Firestore is not configured, GitMCloud falls back to the ALLOWED_OWNERS environment variable.
- Vercel → the GitMCloud project → Settings → Environment Variables.
- Add or edit ALLOWED_OWNERS, e.g.: ALLOWED_OWNERS=suchahit,acme-engineering,widgets-co
- Save. Vercel redeploys automatically (~30 seconds).
Add a customer / team
Firestore (instant): Add their GitHub org or username to the owners array in config/allowlist and save.
Env var (requires redeploy): Append to ALLOWED_OWNERS and save in Vercel.
After the allowlist is updated (either way), their accounts can connect in both GitMCloud and the GitM add-in.
Remove access
Remove the owner from the allowlist (Firestore or env var). Because the check runs on every reconnect, access is revoked on their next page load.
Expected result
- Allowlisted owners connect normally; everyone else is blocked at the access step in both tools.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Everyone (including you) is blocked | Allowlist empty in both Firestore and env var | Add at least one owner to Firestore config/allowlist or set ALLOWED_OWNERS |
| A just-added owner still can't connect | Typo in the name, or env var redeploy not finished | Check spelling (must be exact GitHub login); wait ~30s for env var redeploys |
| Removed someone but they still have access | They had a live session | The next reconnect re-runs the check and blocks them |
| Firestore change has no effect | FIREBASE_SERVICE_ACCOUNT not set in Vercel | Without it, GitMCloud can't read Firestore; it falls back to the env var |
Known limitations
- The allowlist is per owner (org or user), not per individual GitHub user within an org. Everyone with GitHub access under an allowlisted owner can connect.
- If both Firestore and the env var are configured, Firestore always wins. To force the env var, delete or empty the config/allowlist document in Firestore.
Because this controls onboarding for both GitMCloud and GitM, treat it as the central access control for the whole product. See also Prepare GitMCloud before installing.