# Deploy your Application

## What is deployment?

When you build an app in Riff, it lives in your builder workspace. Deploying it makes it available to your intended users — whether that is your internal team, stakeholders across your organisation, or specific individuals with defined access.

Before you deploy for the first time, Riff provides a set of pre-deployment skills you can run to audit, document, and secure your app. These are not run automatically — you trigger them intentionally as part of your readiness process. Think of them as a structured checklist that produces a documented record of your app before it goes live.

## How to deploy your app

Deploying your app takes just a few steps. Here is the full sequence from first click to live app:

{% stepper %}
{% step %}

### Click Deploy

In your Riff workspace, click the Deploy button in the top right corner. This opens the Deploy panel.
{% endstep %}

{% step %}

### Set your App URL

The first time you deploy, you will be prompted to confirm your App URL. This is the public address your users will access.
{% endstep %}

{% step %}

### Complete the Security Review

Before deploying, the platform will show you a Deployment Checks panel. This includes a Security Review section that lists any pages or API endpoints that are currently publicly accessible.

You need to review each item and decide whether it should be publicly accessible or protected. This is done by configuring access controls directly in your app — covered in the next section. Once you are satisfied, tick the Reviewed checkbox to confirm.

<table data-header-hidden><thead><tr><th width="93.341064453125"></th><th width="175.844970703125"></th><th></th></tr></thead><tbody><tr><td>Status</td><td>Meaning</td><td>What to do</td></tr><tr><td>Warning</td><td>Publicly accessible</td><td>This page or endpoint has no access control. Anyone with the URL can reach it. Review whether this is intentional and secure it if not.</td></tr><tr><td>Secured</td><td>Access controlled</td><td>This page or endpoint requires authentication. No action needed unless you want to change who has access.</td></tr></tbody></table>

If some checks are not passing, you will see a warning at the bottom of the Deploy panel. You can still deploy, but it is strongly recommended to resolve open security flags first.
{% endstep %}

{% step %}

### Securing pages and endpoints

To configure access for each page and API endpoint in your app, go to the Home panel in your workspace. You will see a list of all pages and APIs. Each has a shield icon on the right.

To secure a page or endpoint:

1. Open Home — click the Home dropdown in the top bar of your workspace.
2. Review the list — you will see all Pages and APIs, each with a shield icon on the right.
3. Toggle the shield — click the shield icon next to each page or endpoint you want to protect. A green shield means it is secured; an amber shield means it is publicly accessible.
4. Repeat for all items — go through every page and every API listed and confirm the intended access level for each one.
5. Return to Deploy — once all items are set correctly, go back to the Deploy panel, tick Reviewed, and proceed to deploy.

As a general rule: any page or endpoint that handles sensitive data, writes to a system, or is intended only for authenticated users should be secured. Publicly accessible items are appropriate only for content that is intentionally open — such as a public-facing landing or status page.

{% hint style="info" %}
See the pre-deployment checks below; you can trigger these skills with the agent prior to deployment.
{% endhint %}
{% endstep %}

{% step %}

### Deploy

Once the security review is complete and all checks are passing, click the Deploy button at the bottom of the panel. Your app will go live at the URL you confirmed in Step 2.

The Deploy panel shows when your app was last deployed. Subsequent deployments do not require you to repeat the URL setup — only the security review needs to be re-confirmed if new pages or endpoints have been added.
{% endstep %}
{% endstepper %}
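The decision the Security Review asks you to make in steps 3 to 5 can be written down as a small rule. The following is an added illustration, not Riff's own code: the `Route` fields and the sample app are assumptions constructed for the example, and the rule is the one stated above (sensitive data, writes, or authenticated-only users means the item must be secured).

```python
# Added illustration (not Riff's own code): a model of the Deploy panel's
# Security Review.  Route fields and SAMPLE_APP are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    path: str
    kind: str                         # "page" or "api"
    secured: bool                     # shield toggled on (green) or off (amber)
    sensitive_data: bool = False      # handles sensitive data
    writes: bool = False              # writes to a system
    authenticated_only: bool = False  # intended only for signed-in users


def must_be_secured(route: Route) -> bool:
    """The page's rule: sensitive data, writes, or authenticated-only => secure it."""
    return route.sensitive_data or route.writes or route.authenticated_only


def security_review(routes):
    """Label each route the way the Deployment Checks panel does.

    Returns (path, status, action) tuples; status is "Secured" or "Warning".
    A public route is only acceptable when it is intentionally open.
    """
    rows = []
    for r in routes:
        if r.secured:
            rows.append((r.path, "Secured", "no action"))
        elif must_be_secured(r):
            rows.append((r.path, "Warning", "secure it"))
        else:
            rows.append((r.path, "Warning", "confirm intentionally public"))
    return rows


def open_security_flags(routes):
    """Paths that are public but, by the rule above, should not be."""
    return [r.path for r in routes if not r.secured and must_be_secured(r)]


def needs_review_reconfirmation(last_deployed_paths, routes):
    """Step 5: only newly added pages or endpoints force a re-confirmed review."""
    return sorted({r.path for r in routes} - set(last_deployed_paths))


# Constructed sample app: one intentionally public page and two open flags.
SAMPLE_APP = [
    Route("/status", "page", secured=False),
    Route("/dashboard", "page", secured=True, sensitive_data=True),
    Route("/api/customers", "api", secured=False, sensitive_data=True),
    Route("/api/orders", "api", secured=False, writes=True),
]
```

`open_security_flags(SAMPLE_APP)` is the list you should expect to see as warnings at the bottom of the Deploy panel before the shields are toggled.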

### Pre-deployment checks

Before deploying, you can run the following checks. Each is a skill you invoke from within your Riff workspace. Together they ensure your app is secure, its integrations are documented, and access is correctly configured.

<table data-header-hidden><thead><tr><th width="55.976806640625"></th><th width="173.906982421875"></th><th></th></tr></thead><tbody><tr><td></td><td><strong>Check</strong></td><td><strong>What it does</strong></td></tr><tr><td>1</td><td>Security audit</td><td>Scans your codebase for critical vulnerabilities: leaked API keys, hardcoded secrets, missing authorisation checks, and injection risks. Documents HIGH and MEDIUM findings so they can be resolved before going live.</td></tr><tr><td>2</td><td>Integration audit</td><td>Maps every external service connection in your app — what data is read, what is written, and whether any personal data is involved. Produces a documented record of all integrations and their data flows.</td></tr><tr><td>3</td><td>User roles</td><td>Configures access controls within the app so that each user sees only the data relevant to them. This is especially important when your app is accessed by multiple teams or departments.</td></tr><tr><td>4</td><td>UX checks</td><td>Reviews key screens and flows for usability issues, reducing friction before your users encounter it.</td></tr></tbody></table>

### Security — two layers

Riff handles security at two levels, which complement each other:

| **Platform security**                                                                                                                                                                                                             | **App-level security**                                                                                                                                                                                      |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <ul><li>Secrets stored in platform vault — never in code</li><li>Authentication managed via the platform identity layer</li><li>SSO integration supported (e.g. Azure Entra)</li><li>Data does not leave your workspace</li></ul> | <ul><li>No API keys or secrets in application code</li><li>All API endpoints have authorisation checks</li><li>User roles control data visibility</li><li>PII handling documented per integration</li></ul> |

### Available deployment skills

The following skills can be triggered from your Riff workspace as part of your pre-deployment process. Each runs as a structured audit and documents its findings:

{% hint style="info" %}
To trigger a skill in the agent chat, type `/` followed by the name of the skill listed below.
{% endhint %}

<table data-header-hidden><thead><tr><th></th><th width="456.7518310546875"></th><th></th></tr></thead><tbody><tr><td><strong>Skill</strong></td><td><strong>What it does</strong></td><td><strong>Category</strong></td></tr><tr><td>deployment-check-security</td><td>Scans the full codebase for critical security flaws: leaked API keys, missing auth checks, hardcoded secrets, and SQL injection risks. Reports HIGH and MEDIUM findings only.</td><td>Security</td></tr><tr><td>deployment-check-integration</td><td>Maps all external service connections — what data is read and written, which endpoints are accessed, and whether any personal data (PII) is involved. Produces a documented integration record.</td><td>Security</td></tr><tr><td>perform-security-audit</td><td>A comprehensive end-to-end security review covering authentication, secrets, SQL injection, endpoint authorisation, PII logging, input validation, and error message exposure. Creates tasks for all high and critical findings.</td><td>Security</td></tr><tr><td>implement-user-roles</td><td>Configures role-based access control within the app — ensuring users see only the data relevant to them.</td><td>Access</td></tr><tr><td>implement-ux-checks</td><td>Runs a usability review across key screens and flows, identifying friction before users encounter it.</td><td>Quality</td></tr></tbody></table>

## Integration & data flow audit

The integration audit is an important step for any app that connects to external services. Before deployment, it produces a clear record of what your app touches — which supports both internal governance and data protection obligations.

For each integration, the audit captures:

- Which secrets and service accounts are in use
- Every instance of the connection in the codebase
- What data is read from the service, and what is written back
- Which endpoint, table, or dataset is accessed
- Whether any personal data (PII) is involved — and if so, whether it is necessary
- How PII is stored and handled within the system

### Common questions

<table data-header-hidden><thead><tr><th width="334.24029541015625"></th><th></th></tr></thead><tbody><tr><td><strong>Question</strong></td><td><strong>Answer</strong></td></tr><tr><td>Are these checks run automatically?</td><td>No — you trigger them yourself before deploying. They are designed to be run intentionally as part of a first-deployment readiness process.</td></tr><tr><td>Do I have to run all of them?</td><td>No, but it is strongly recommended to run at least the security audit and integration audit before any first deployment, particularly for apps that connect to external services or handle sensitive data.</td></tr><tr><td>Can I deploy with unresolved security findings?</td><td>High and critical findings should be resolved before deployment. The audit creates tasks so nothing is lost or forgotten.</td></tr><tr><td>What happens to the audit output?</td><td>Findings are documented in task comments within your workspace. This gives you a traceable record of what was checked and what was resolved.</td></tr><tr><td>What about GDPR and data compliance?</td><td>The integration audit documents all data flows and PII handling. This output can support your internal data protection records.</td></tr><tr><td>What about SSO?</td><td>SSO (e.g. via Azure Entra) is available on the enterprise plan. Your Customer Success contact will coordinate setup with your IT team.</td></tr></tbody></table>

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.riff.ai/features/deploy-your-application.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
