Public Access
What is Public Access?
The Public access policy is the most permissive policy tier available in Horizon. When a circuit is set to Public, no authentication or identity verification is performed on incoming requests. Any person, web browser, API client, script, crawler, or automated system on the internet can send requests to the circuit's domain, and those requests are forwarded to the backend service - provided they pass the other configured security layers (IP filtering, country blocking, and bot detection). No login prompt, credential check, or user tracking is applied at the access policy level. This is fundamentally different from the Project Members and Specific Users policies, which require the requester to authenticate with Mutexer credentials before the request is processed.
When to Use
Public access is appropriate when the backend service is intentionally designed to be accessible to anyone on the internet. Common use cases include public-facing monitoring dashboards or status pages that display operational metrics for external stakeholders, REST APIs that are consumed by third-party applications or integration partners who do not have Mutexer accounts, public documentation or knowledge bases hosted on devices, and static content or download servers. In all of these cases, the service is intended to be open, and requiring authentication would defeat the purpose.
Security Considerations
Setting a circuit to Public means that the service is accessible to the entire internet, which dramatically increases the attack surface compared to authenticated policies. Even though the other security layers still apply - IP rules still filter by source address, country blocks still enforce geographic restrictions, and bot detection still identifies known scanners - the lack of identity verification means that any human or automated system not caught by these layers can interact with the backend service. For this reason, it is strongly recommended to enable bot and scanner blocking on all public circuits, configure IP whitelisting if the set of expected consumers is known (for example, if only specific partner IPs should access a public API), and ensure that the backend service itself is hardened against abuse. All requests to public circuits are logged in full detail, including the source IP and geolocated country, providing complete audit visibility even without identity information.
DANGER
Public circuits have no identity verification. Any person or automated system on the internet can send requests to the service. Ensure the backend service is designed for public exposure, enable all available security layers, and monitor the request logs for unexpected traffic patterns.
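The log review recommended above can be scripted. The following is an added example, not Mutexer or Horizon code: it reads a request-log export and reports source IPs outside the expected partner ranges, countries outside the expected set, and high-volume sources, which also shows what an IP whitelist would block before it is enabled. The JSON-lines format, the field names (src_ip, country, path), the partner range, and the threshold are all assumptions constructed for this example.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample export, one JSON object per line. The field names are
# assumptions for this example, not Horizon's actual log schema.
SAMPLE_LOG = """\
{"src_ip": "198.51.100.10", "country": "DE", "path": "/api/v1/metrics"}
{"src_ip": "198.51.100.10", "country": "DE", "path": "/api/v1/metrics"}
{"src_ip": "198.51.100.11", "country": "NL", "path": "/api/v1/metrics"}
{"src_ip": "203.0.113.77", "country": "US", "path": "/admin"}
{"src_ip": "203.0.113.77", "country": "US", "path": "/.env"}
{"src_ip": "203.0.113.77", "country": "US", "path": "/login"}
{"src_ip": "203.0.113.77", "country": "US", "path": "/api/v1/metrics"}
{"src_ip": "192.0.2.5", "country": "DE", "path": "/api/v1/metrics"}
truncated-line-without-json
"""

# Constructed expectations for a public API consumed by one known partner.
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_COUNTRIES = {"DE", "NL"}
MAX_REQUESTS_PER_IP = 3  # threshold for the reviewed window; tune per service


def review_public_circuit_log(log_text, networks, countries, max_per_ip):
    """Return the sources that deviate from the expected consumer profile."""
    findings = {"outside_allowlist": set(), "unexpected_country": set(),
                "high_volume": set(), "malformed": 0}
    per_ip = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["src_ip"])
            country = rec["country"]
        except (ValueError, KeyError, TypeError):
            findings["malformed"] += 1  # count unparseable lines, never drop silently
            continue
        per_ip[str(ip)] += 1
        if not any(ip in net for net in networks):
            findings["outside_allowlist"].add(str(ip))
        if country not in countries:
            findings["unexpected_country"].add((str(ip), country))
    findings["high_volume"] = {ip for ip, n in per_ip.items() if n > max_per_ip}
    return findings


if __name__ == "__main__":
    print(review_public_circuit_log(SAMPLE_LOG, EXPECTED_NETWORKS,
                                    EXPECTED_COUNTRIES, MAX_REQUESTS_PER_IP))
```

A source that appears under outside_allowlist but not under the other two findings (192.0.2.5 in the sample) is the case to check with the partner before whitelisting is turned on, since it may be a legitimate consumer on an unlisted address.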
