Deploy your Application
A guide to pre-deployment checks and deploying securely on the Riff platform
What is deployment?
When you build an app in Riff, it lives in your builder workspace. Deploying it makes it available to your intended users — whether that is your internal team, stakeholders across your organisation, or specific individuals with defined access.
Before you deploy for the first time, Riff provides a set of pre-deployment skills you can run to audit, document, and secure your app. These are not run automatically — you trigger them intentionally as part of your readiness process. Think of them as a structured checklist that produces a documented record of your app before it goes live.
How to deploy your app
Deploying your app takes just a few steps. Here is the full sequence from first click to live app:
Complete the Security Review
Before deploying, the platform will show you a Deployment Checks panel. This includes a Security Review section that lists any pages or API endpoints that are currently publicly accessible.
You need to review each item and decide whether it should be publicly accessible or protected. This is done by configuring access controls directly in your app — covered in the next section. Once you are satisfied, tick the Reviewed checkbox to confirm.
Status  | Meaning             | What to do
Warning | Publicly accessible | This page or endpoint has no access control. Anyone with the URL can reach it. Review whether this is intentional and secure it if not.
Secured | Access controlled   | This page or endpoint requires authentication. No action needed unless you want to change who has access.
If some checks are not passing, you will see a warning at the bottom of the Deploy panel. You can still deploy, but it is strongly recommended to resolve open security flags first.
Securing pages and endpoints
To configure access for each page and API endpoint in your app, go to the Home panel in your workspace. You will see a list of all pages and APIs. Each has a shield icon on the right.
To secure a page or endpoint:
Open Home — click the Home dropdown in the top bar of your workspace.
Review the list — you will see all Pages and APIs, each with a shield icon on the right.
Toggle the shield — click the shield icon next to each page or endpoint you want to protect. A green shield means it is secured; an amber shield means it is publicly accessible.
Repeat for all items — go through every page and every API listed and confirm the intended access level for each one.
Return to Deploy — once all items are set correctly, go back to the Deploy panel, tick Reviewed, and proceed to deploy.
As a general rule: any page or endpoint that handles sensitive data, writes to a system, or is intended only for authenticated users should be secured. Publicly accessible items are appropriate only for content that is intentionally open — such as a public-facing landing or status page.
See the pre-deployment checks below; you can trigger these skills with the agent prior to deployment.
Deploy
Once the security review is complete and all checks are passing, click the Deploy button at the bottom of the panel. Your app will go live at the URL you confirmed in Step 2.
The Deploy panel shows when your app was last deployed. Subsequent deployments do not require you to repeat the URL setup — only the security review needs to be re-confirmed if new pages or endpoints have been added.
Pre-deployment checks
Before deploying, you can run the following checks. Each is a skill you invoke from within your Riff workspace. Together they ensure your app is secure, its integrations are documented, and access is correctly configured.
#  | Check             | What it does
1  | Security audit    | Scans your codebase for critical vulnerabilities: leaked API keys, hardcoded secrets, missing authorisation checks, and injection risks. Documents HIGH and MEDIUM findings so they can be resolved before going live.
2  | Integration audit | Maps every external service connection in your app — what data is read, what is written, and whether any personal data is involved. Produces a documented record of all integrations and their data flows.
3  | User roles        | Configures access controls within the app so that each user sees only the data relevant to them. This is especially important when your app is accessed by multiple teams or departments.
4  | UX checks         | Reviews key screens and flows for usability issues, reducing friction before your users encounter it.
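As an added illustration of what the Security audit check (and the deployment-check-security skill listed later on this page) looks for, the Python script below is example code written for this page, not Riff's own skill. It walks a small constructed codebase held in memory and reports hardcoded secrets and SQL text built from untrusted input as HIGH, and route handlers with no authorisation decorator as MEDIUM. The decorator names it recognises (@app.route, @require_auth, @public and so on), the file contents and the key value are all assumptions made for the example.

```python
"""Added illustration of a pre-deployment security audit. Not Riff's
deployment-check-security skill: the framework conventions it recognises are
assumptions, and the codebase it scans is constructed inline."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" or "MEDIUM", the two levels the audit reports
    path: str
    line: int
    message: str


# A secret-looking name assigned a quoted literal, e.g. API_KEY = "...".
# Reading the value from the environment (os.environ[...]) does not match.
SECRET_ASSIGN = re.compile(
    r'(?i)\b\w*(?:api[_-]?key|secret|password|token)\w*\s*[:=]\s*["\'][^"\']{8,}["\']'
)
# AWS access key id shape (AKIA + 16 upper-case alphanumerics), whatever the variable name.
KEY_SHAPE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Query text built by f-string, concatenation or %-formatting inside execute(...).
# Parameterised queries ("... = %s", (value,)) are left alone.
SQL_CONCAT = re.compile(r'\.execute\(\s*(?:f["\']|[^,)]*(?:\+|%\s|\.format\())')
# Assumed web-framework conventions (not Riff's): a route decorator starts a
# handler; @require_auth & co. mark it secured, @public marks it intentionally open.
ROUTE_DECORATOR = re.compile(r"^\s*@\w+\.(?:route|get|post|put|patch|delete)\(")
ACCESS_DECORATOR = re.compile(r"^\s*@(?:require_auth|login_required|roles_required|public)\b")


def scan_file(path: str, source: str) -> list[Finding]:
    """Return HIGH/MEDIUM findings for one source file."""
    findings: list[Finding] = []
    pending_route = None  # line of a route decorator still waiting for its def
    access_marked = False
    for n, line in enumerate(source.splitlines(), start=1):
        if SECRET_ASSIGN.search(line) or KEY_SHAPE.search(line):
            findings.append(Finding("HIGH", path, n, "hardcoded secret or API key"))
        if SQL_CONCAT.search(line):
            findings.append(Finding("HIGH", path, n, "SQL built from untrusted input (injection risk)"))
        if ROUTE_DECORATOR.match(line):
            pending_route, access_marked = n, False
        elif pending_route is not None:
            if ACCESS_DECORATOR.match(line):
                access_marked = True
            elif line.lstrip().startswith("def "):
                if not access_marked:
                    findings.append(Finding("MEDIUM", path, pending_route,
                                            "route handler has no authorisation check"))
                pending_route = None
    return findings


def scan_codebase(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: source} mapping; HIGH findings are listed first."""
    findings = [f for path, src in files.items() for f in scan_file(path, src)]
    return sorted(findings, key=lambda f: (f.severity != "HIGH", f.path, f.line))


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {"HIGH": 2, "MEDIUM": 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample codebase (not real project code); the key value is made up.
SAMPLE_CODEBASE = {
    "config.py": "\n".join([
        "import os",
        'API_KEY = "AKIAABCDEFGHIJKLMNOP"  # hardcoded: should come from the vault',
        'DB_PASSWORD = os.environ["DB_PASSWORD"]  # fine: injected at runtime',
    ]),
    "routes.py": "\n".join([
        '@app.route("/status")',
        "@public",
        "def status():",
        '    return "ok"',
        "",
        '@app.route("/admin/users")',
        "def admin_users():",
        '    return db.execute(f"SELECT * FROM users WHERE team = {team}")',
        "",
        '@app.post("/reports")',
        "@require_auth",
        "def reports():",
        '    return db.execute("SELECT * FROM reports WHERE owner = %s", (user,))',
    ]),
}

if __name__ == "__main__":
    results = scan_codebase(SAMPLE_CODEBASE)
    for f in results:
        print(f"{f.severity:6} {f.path}:{f.line}  {f.message}")
    print(summarise(results))
```

Run as-is, it reports three findings: the hardcoded key in config.py, the f-string query in /admin/users, and the /admin/users handler that has neither an access decorator nor an explicit @public marker. The /status handler is deliberately public and is not flagged, which mirrors the Deployment Checks panel: an open endpoint is acceptable only when it has been reviewed and marked as intentionally open.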
Security — two layers
Riff handles security at two levels, which complement each other:
Platform security:
  Secrets stored in platform vault — never in code
  Authentication managed via the platform identity layer
  SSO integration supported (e.g. Azure Entra)
  Data does not leave your workspace
App-level security:
  No API keys or secrets in application code
  All API endpoints have authorisation checks
  User roles control data visibility
  PII handling documented per integration
Available deployment skills
The following skills can be triggered from your Riff workspace as part of your pre-deployment process. Each runs as a structured audit and documents its findings:
To trigger a skill in the agent chat, type / followed by the name of the skill listed below (for example, /deployment-check-security).
Skill                        | What it does | Category
deployment-check-security    | Scans the full codebase for critical security flaws: leaked API keys, missing auth checks, hardcoded secrets, and SQL injection risks. Reports HIGH and MEDIUM findings only. | Security
deployment-check-integration | Maps all external service connections — what data is read and written, which endpoints are accessed, and whether any personal data (PII) is involved. Produces a documented integration record. | Security
perform-security-audit       | A comprehensive end-to-end security review covering authentication, secrets, SQL injection, endpoint authorisation, PII logging, input validation, and error message exposure. Creates tasks for all high and critical findings. | Security
implement-user-roles         | Configures role-based access control within the app — ensuring users see only the data relevant to them. | Access
implement-ux-checks          | Runs a usability review across key screens and flows, identifying friction before users encounter it. | Quality
Integration & data flow audit
The integration audit is an important step for any app that connects to external services. Before deployment, it produces a clear record of what your app touches — which supports both internal governance and data protection obligations.
For each integration, the audit captures:
Which secrets and service accounts are in use
Every instance of the connection in the codebase
What data is read from the service, and what is written back
Which endpoint, table, or dataset is accessed
Whether any personal data (PII) is involved — and if so, whether it is necessary
How PII is stored and handled within the system
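The record the integration audit produces can be built mechanically as a first pass. The Python script below is an added example written for this page, not Riff's deployment-check-integration skill: it takes a small constructed codebase, finds which client objects are built from which vault/environment secret, lists every call on those clients, splits the calls into reads and writes by endpoint or table, and notes any personal-data field names that appear on the same line. The client names (crm, warehouse), the environment variable names, the endpoints and the method-name conventions are all assumptions made for the example.

```python
"""Added illustration of an integration and data-flow record. Not Riff's
deployment-check-integration skill: the sample codebase, client names,
secret names and endpoints are constructed, and the call conventions are
assumptions made for this example."""
from __future__ import annotations

import re

# Constructed sample codebase; nothing here refers to a real service.
SAMPLE_CODEBASE = {
    "clients.py": "\n".join([
        "import os",
        'crm = CrmClient(token=os.environ["CRM_API_TOKEN"])',
        'warehouse = Warehouse(dsn=os.environ["WAREHOUSE_DSN"])',
    ]),
    "sync.py": "\n".join([
        'contacts = crm.get("/v1/contacts", fields=["email", "phone"])',
        'warehouse.insert("contacts", contacts)',
        'totals = warehouse.query("SELECT order_id, total FROM orders")',
        'crm.post("/v1/contacts", {"email": email, "last_total": total})',
    ]),
}

# Client object built from a secret read out of the environment (vault-injected).
CLIENT_SECRET = re.compile(r'^\s*(\w+)\s*=\s*\w+\(.*os\.environ\[["\'](\w+)["\']\]')
# A call on a client: name.method("endpoint or table or SQL", ...).
CLIENT_CALL = re.compile(
    r'\b(\w+)\.(get|list|query|select|post|put|patch|insert|update|delete)\(\s*(?:["\']([^"\']*)["\'])?'
)
READ_METHODS = {"get", "list", "query", "select"}
# Field names treated as personal data for the example (assumed list).
PII_FIELDS = ("address", "date_of_birth", "email", "name", "phone")
PII_TOKEN = re.compile(r"\b(" + "|".join(PII_FIELDS) + r")\b")


def resolve_target(literal: str | None) -> str:
    """Table name for SQL text, otherwise the literal path/table; <dynamic> if none."""
    if literal is None:
        return "<dynamic>"
    m = re.search(r"\bFROM\s+(\w+)", literal, re.IGNORECASE)
    return m.group(1) if m else literal


def audit_integrations(files: dict[str, str]) -> dict[str, dict]:
    """Build {client: {secret, occurrences, reads, writes, pii}} from a {path: source} mapping."""
    # Pass 1: which client objects exist and which secret each is built from.
    clients: dict[str, str] = {}
    for source in files.values():
        for line in source.splitlines():
            m = CLIENT_SECRET.match(line)
            if m:
                clients[m.group(1)] = m.group(2)
    record = {
        name: {"secret": env, "occurrences": [], "reads": set(), "writes": set(), "pii": set()}
        for name, env in clients.items()
    }
    # Pass 2: every call on a known client, what it reads or writes, and PII names on that line.
    for path, source in files.items():
        for n, line in enumerate(source.splitlines(), start=1):
            for m in CLIENT_CALL.finditer(line):
                name, method, literal = m.groups()
                if name not in record:
                    continue  # dict.get(...) and similar are not integrations
                entry = record[name]
                entry["occurrences"].append(f"{path}:{n}")
                bucket = "reads" if method in READ_METHODS else "writes"
                entry[bucket].add(resolve_target(literal))
                entry["pii"].update(PII_TOKEN.findall(line))
    return record


def integrations_with_pii(record: dict[str, dict]) -> list[str]:
    """Integrations whose data flows touch personal data and need a necessity decision."""
    return sorted(name for name, entry in record.items() if entry["pii"])


def render(record: dict[str, dict]) -> str:
    """One line per integration, suitable for pasting into a task comment."""
    lines = []
    for name, e in record.items():
        lines.append(
            f"{name}: secret={e['secret']} uses={len(e['occurrences'])} "
            f"reads={sorted(e['reads'])} writes={sorted(e['writes'])} pii={sorted(e['pii'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    rec = audit_integrations(SAMPLE_CODEBASE)
    print(render(rec))
    print("needs PII necessity review:", integrations_with_pii(rec))
```

On the sample, the crm integration is recorded with its CRM_API_TOKEN secret, two uses, one read and one write of /v1/contacts, and the email and phone fields; the warehouse integration reads orders and writes contacts with no PII noted. That last point is the caveat: the line-based heuristic does not see that the contacts variable written to the warehouse carries email and phone, so the generated record is the starting point for the human review the audit describes, not a substitute for deciding whether each PII flow is necessary and how it is stored.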
Common questions
Q: Are these checks run automatically?
A: No — you trigger them yourself before deploying. They are designed to be run intentionally as part of a first-deployment readiness process.

Q: Do I have to run all of them?
A: No, but it is strongly recommended to run at least the security audit and integration audit before any first deployment, particularly for apps that connect to external services or handle sensitive data.

Q: Can I deploy with unresolved security findings?
A: High and critical findings should be resolved before deployment. The audit creates tasks so nothing is lost or forgotten.

Q: What happens to the audit output?
A: Findings are documented in task comments within your workspace. This gives you a traceable record of what was checked and what was resolved.

Q: What about GDPR and data compliance?
A: The integration audit documents all data flows and PII handling. This output can support your internal data protection records.

Q: What about SSO?
A: SSO (e.g. via Azure Entra) is available on the enterprise plan. Your Customer Success contact will coordinate setup with your IT team.