Frequently asked questions

Route Entry is a free web service that adds access gates to any redirect link. Before visitors reach your destination URL, they can be required to pass a password check, a geolocation filter, a Cloudflare bot challenge, a consent gate, or data capture steps as part of a multi-step flow. Every visit is logged in a real-time analytics dashboard. No account or server infrastructure is required.

Go to the create page, pick a domain and path for your redirect URL, enter your destination URL, add a name, and select which gates to enable. The link is live immediately after creation. You'll receive a management token link - save it somewhere secure, as there's no recovery mechanism if you lose it.

No. There are no user accounts. When you create a redirect, you receive a unique management token that serves as your only credential for that route. You paste this token link into your browser to reach the analytics dashboard and route settings. No email address, phone number, or profile is ever involved.

Yes - completely free. All six gate types, the analytics dashboard, and the geolocation heatmap are available at no cost. There are no paid tiers, no feature-locked upgrades, and no billing unless you exceed 50,000 visitor events per 24-hour window (at which point additional events for that window are dropped, not charged).

Without the management token, you can't access the dashboard, modify gate settings, or disable the route. There's no account recovery because there's no account. The redirect itself continues to work for visitors - it doesn't go offline. If you lose the token permanently, you lose management access to that route.

Six gate types: password (passphrase with configurable attempt limit), geolocation (country allowlist via browser GPS), bot challenge (Cloudflare Turnstile), consent (GDPR-style approval with timestamped logging), IP capture (records visitor IP address), and device capture (browser, OS, device type, preferred language, viewport width). You can combine multiple gates on a single redirect, and the builder shows the supported sequence for the setup you choose.

Yes. Route Entry supports multi-step redirect flows. A typical setup might combine consent, bot challenge, password protection, geolocation filtering, and optional data capture. Each active step runs in sequence, and the visitor must pass the current step before the next one runs.

Route Entry applies gates in a supported sequence based on the steps you enable. Some gates run earlier in the flow by design, while others can be rearranged. The builder shows the sequence before you publish, and visitors move through it top to bottom. A failure at any step stops the visitor there.

The visitor sees a gate-specific denial or error page. For the password gate, they see an error message and can retry up to the configured limit - after which the link blocks them entirely. For geolocation, they see a block page with browser-specific instructions for enabling location access. For consent, they see a declined message. Sessions are still recorded, including the failure events, so you can see exactly where visitors drop off.

The consent gate records explicit visitor approval with a precise timestamp and logs it as part of the session record. Whether this satisfies your specific GDPR obligations depends on your use case and what data you're collecting. We don't provide legal advice. If you're collecting IP addresses or device data, placing a consent gate before those capture steps is strongly recommended to document prior approval.

The overview panel shows total visits, bot challenge pass rate, consent grant rate, and average session duration. A 7-day bar chart breaks down daily visitor counts with bot vs. human classification. Below that is a per-visitor session list. Clicking any session opens a full event timeline with precise timestamps for every gate the visitor hit - every attempt, every capture, every outcome, through to the final redirect.

Sessions are deleted automatically after 30 days. If a route accumulates more than 10,000 sessions, the oldest records are trimmed first regardless of age. Routes that receive no visits for 90 consecutive days are removed entirely, along with all their visitor data. This retention schedule runs automatically - there's no configuration required.

Yes. If you've enabled geolocation filtering or GPS capture on your route, visitor GPS coordinates are plotted on an interactive Leaflet map in your dashboard. Points cluster when zoomed out. Each point shows the accuracy radius reported by the visitor's browser. Up to 2,000 coordinate pairs are displayed per route.

Session events include: session started, password gate shown, password attempt made, password correct, password incorrect, password lockout triggered, geolocation permission requested, geolocation permission granted, geolocation permission denied, geolocation check passed, geolocation check blocked, bot challenge presented, bot challenge passed, bot challenge failed, consent form shown, consent granted, consent denied, IP address captured, device info captured, and redirect executed - among others. The exact events generated depend on which steps are active in your pipeline and how visitors interact with each one.

Only the holder of the management token issued when the route was created. There are no team accounts, no shared dashboards, and no admin interface that can view your data. Anyone with the token link can read, export, and delete visitor session data for that route. Keep the token secure.

No. Your visitor data is processed and stored within Route Entry's own infrastructure. We don't load Google Analytics, Segment, Mixpanel, or any similar tracker on visitor-facing pages. The one third-party integration is Cloudflare Turnstile for the bot challenge gate, which loads a widget from Cloudflare's servers during that specific step.

If you need immediate deletion, contact us at hi@routeentry.com with your route ID. We'll delete the route and all associated visitor sessions promptly. Alternatively, deleting the route from your dashboard removes it and all its data immediately - but that also makes the redirect URL inactive.