Authenticate with panel disabled

When I disable the panel in the config …


return [
    'panel' => false

… is there still a way to authenticate?

We are displaying additional content to Kirby users which – of course – do not work when there is no session.

You can do a front end login - see here.

So I guess there is no way without a custom login page then?

You could try to authenticate as some user or the almighty without actually logging in using impersonate(), not sure if that works or not.

I just migrated a Kirby 2 website to Kirby 3 that has a similar functionality. The client wanted to have a suppliers list that’s only accessible upon request. When someone requests access to it, he send them a link with a token:

I added a simple plugin that leverages the route:before hook to check if the token matches and authenticate an unprivileged user (without panel access) created just for this purpose.

'route:before' => function ($route, $path, $method) {
    if (preg_match('/^suppliers/', $path) && ! kirby()->user()) {
        if (get('token') === site()->token()->value())) {
                ->loginPasswordless(['long' => true]);

In Kirby 3 I also had to use impersonate() because loginPasswordless() didn’t affect the current request, only subsequent ones. I also tweaked the session config to last 30 days.

By going with this approach, once users get access via token and are authenticated, they can come back later using the normal URL and see the protected content without hunting for the token again.