You built a Flask (or FastAPI) app. It does something useful — it enriches leads, generates reports, talks to an internal API. You want your team to be able to use it from a URL, but only your company's employees.
Here are your options, ranked by how fast they actually work.
Option 1: Workshop (30 seconds)
Workshop is a CLI deploy tool built specifically for internal company apps. It hosts your Flask app on Cloudflare's edge, gates it behind company email auth, and gives you a URL you can paste in Slack.
    npm install -g @getworkshop/cli
    workshop login
    cd your-flask-project
    workshop init     # detects Python, asks for entry command
    workshop deploy
When you run workshop init, it asks for your entry command. For Flask:
    gunicorn app:app --bind 0.0.0.0:$PORT
For FastAPI:
    uvicorn main:app --host 0.0.0.0 --port $PORT
Choose company domain access mode. Deploy. Done.
Option 2: Railway + roll your own auth (~2 hours)
Railway will host your Flask app without an AWS setup. But it's public by default. You'd need to add Flask-Login or integrate Google OAuth yourself, then add domain restriction logic. For a quick internal tool, this is usually 2-4 hours of work that defeats the purpose of vibe coding it in the first place.
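The domain restriction logic mentioned in Option 2 is easy to get subtly wrong, so here is an added example of the check (not code from the original post, Workshop or Railway). It assumes the claims come from a Google ID token whose signature, issuer, audience and expiry your OAuth library has already verified; ALLOWED_DOMAIN, the function names and the sample claims are constructed for illustration.

```python
# Added example: domain restriction for an internal Flask/FastAPI app.
# Assumes `claims` come from a Google ID token that your OAuth/OIDC
# library has already verified (signature, issuer, audience, expiry).

ALLOWED_DOMAIN = "example.com"  # placeholder company domain (assumption)


def email_domain(email):
    """Return the lowercased domain of an address, or None if malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def is_company_user(claims, allowed_domain=ALLOWED_DOMAIN):
    """Decide whether verified ID-token claims belong to the company domain."""
    allowed = allowed_domain.lower()
    # An address that the identity provider has not verified proves nothing.
    if claims.get("email_verified") is not True:
        return False
    # Exact match on the domain part. A suffix check such as
    # email.endswith("example.com") would also accept "notexample.com".
    if email_domain(claims.get("email")) != allowed:
        return False
    # Google includes `hd` only for accounts that belong to a Google
    # Workspace or Cloud organization; requiring it rejects other accounts.
    hd = claims.get("hd")
    return isinstance(hd, str) and hd.lower() == allowed


# Constructed sample claims (not real tokens).
SAMPLES = {
    "employee": {"email": "ana@example.com", "email_verified": True, "hd": "example.com"},
    "lookalike": {"email": "eve@notexample.com", "email_verified": True, "hd": "notexample.com"},
    "unverified": {"email": "bob@example.com", "email_verified": False, "hd": "example.com"},
    "no_hd": {"email": "carl@example.com", "email_verified": True},
    "two_ats": {"email": "dan@example.com@other.test", "email_verified": True, "hd": "example.com"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(f"{name:12s} -> {'allow' if is_company_user(claims) else 'deny'}")
```

Call is_company_user() in the OAuth callback before creating the session, and re-check it on each request if sessions are long-lived.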
Option 3: Fly.io + manual SSO
Fly.io is excellent for containerized Python apps. Same problem as Railway — it's public by default. You'd need Authelia or a similar auth proxy in front of it. Another hour of config you probably don't want to do.
Environment variables and secrets
Workshop proxies your environment variables securely. Set them from the dashboard or CLI:
    workshop secret set OPENAI_API_KEY=sk-...
    workshop secret set DATABASE_URL=postgresql://...
Your Flask app reads them via os.environ as normal. Keys never appear in the bundle or browser.
Scheduled Flask scripts
If your app is a cron job rather than a web server, use the cron field in workshop.config.json:
    {
      "name": "my-report",
      "runtime": "python",
      "entry_cmd": "python generate_report.py",
      "cron": "0 8 * * 1-5"
    }
This runs your script at 8am every weekday. Failure alerts go to your email.