PIN Gate Deployment Tracker
Live tracking document for PIN gate rollout across nominate.ai properties.
Current Status
- Deployed: 2026-01-03
- Health Check: 19/19 endpoints healthy
- Localhost Exemption: Active (cbauth v1.x)

Protected Sites
All *.nominate.ai sites are now behind PIN gate authentication.
| Site | Status | Notes |
|---|---|---|
| ai.nominate.ai | Protected | Health endpoint bypassed |
| auth.nominate.ai | Protected | Auth service itself |
| catchall.nominate.ai | Protected | Fallback teaser |
| cdn.nominate.ai | Protected | |
| districts.nominate.ai | Protected | |
| docs.nominate.ai | Protected | Was already protected |
| files.nominate.ai | Protected | |
| intel.nominate.ai | Protected | |
| ky04.nominate.ai | Protected | Tenant frontend |
| ky04api.nominate.ai | Protected | Tenant API |
| mi20.nominate.ai | Protected | Tenant frontend |
| mi20api.nominate.ai | Protected | Tenant API |
| models.nominate.ai | Protected | |
| project.nominate.ai | Protected | Health endpoint bypassed |
| ruralamfm.nominate.ai | Protected | |
| surveys.nominate.ai | Protected | |
| testsite.nominate.ai | Protected | Tenant frontend |
| testsiteapi.nominate.ai | Protected | Tenant API |
| www.nominate.ai | Protected | Was already protected |
Exceptions/Bypasses
Endpoints that bypass PIN authentication:
| Site | Path | Reason | Date Added |
|---|---|---|---|
| project.nominate.ai | /api/health | Monitoring endpoint | 2026-01-03 |
| ai.nominate.ai | /api/v1/health | Service health check | 2026-01-03 |
Issues & Fixes Log
2026-01-03
Issue: Health endpoint blocked by PIN gate (project.nominate.ai)
Impact: External monitoring tools couldn't access /api/health
Fix: Added location block for /api/health without auth_request
Status: Resolved
Issue: CBAI health endpoint blocked by PIN gate (ai.nominate.ai)
Impact: Dev team's Python client getting 302 redirects on /api/v1/health
Fix: Added location block for /api/v1/health without auth_request
Status: Resolved
Issue: Service-to-service calls via /etc/hosts getting PIN blocked
Impact: Services calling each other via domain names (resolving to 127.0.0.1) were blocked
Fix: Auth service updated to exempt localhost requests from PIN requirement
Status: Resolved (cbauth update)
Adding New Bypasses
To add a bypass for a specific endpoint:
```nginx
# Add BEFORE the main location / block
location = /path/to/bypass {
    proxy_pass http://127.0.0.1:PORT;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```
Then test and reload:
Testing Checklist
After any changes, verify:
- `sudo nginx -t` passes
- `curl -s https://project.nominate.ai/api/health` returns JSON
- All 19 endpoints healthy
- Browser access shows PIN prompt
- After PIN entry, all sites accessible
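
An added example, not part of the project's own tooling: a small audit that compares the ungated `location` blocks in a site config against the Exceptions/Bypasses table, so an undocumented or over-broad bypass is caught at review time. It assumes the gate is enforced with `auth_request` at server or location level and that one server block with flat (non-nested) locations is passed in as text; `audit`, `/_pin_check`, port 8000 and `/api/debug` are hypothetical names used for the sample.

```python
import re

# Approved bypasses, copied from the Exceptions/Bypasses table on this page.
APPROVED = {
    ("project.nominate.ai", "/api/health"),
    ("ai.nominate.ai", "/api/v1/health"),
}

# Matches flat (non-nested) location blocks: optional modifier, path, body.
LOCATION = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^{}]*)\}")
AUTH = re.compile(r"\bauth_request\s+([^;\s]+)\s*;")

def gated(body, inherited):
    """An auth_request in this scope wins ('off' disables); else inherit."""
    m = AUTH.search(body)
    return inherited if m is None else m.group(1) != "off"

def audit(host, server_conf):
    """Return (path, reason) for each location that skips the PIN gate
    without being an exact-match entry in the bypass table."""
    text = re.sub(r"#[^\n]*", "", server_conf)            # drop comments
    server_gated = gated(LOCATION.sub("", text), False)   # server-level directive
    findings = []
    for modifier, path, body in LOCATION.findall(text):
        if gated(body, server_gated):
            continue
        if modifier != "=":
            findings.append((path, "ungated, not an exact match"))
        elif (host, path) not in APPROVED:
            findings.append((path, "ungated, not in bypass table"))
    return findings

# Constructed sample; the port, /_pin_check and /api/debug are made up.
SAMPLE = """
server {
    server_name project.nominate.ai;
    location = /api/health { proxy_pass http://127.0.0.1:8000; }
    location = /api/debug  { proxy_pass http://127.0.0.1:8000; }
    location / {
        auth_request /_pin_check;
        proxy_pass http://127.0.0.1:8000;
    }
}
"""

if __name__ == "__main__":
    for path, reason in audit("project.nominate.ai", SAMPLE):
        print(f"project.nominate.ai {path}: {reason}")
```

A prefix or regex location is flagged even when its path is in the table, because it would expose more than the single documented endpoint.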
Last updated: 2026-01-03