When you share a retrospective link, anyone with the link can join by default. Password protection adds an extra layer of security, ensuring only people who know the password can participate.
Setting a Password
How Participants Join
When someone opens a password-protected retro link, they see a password prompt before they can enter the session. They need to type the correct password to proceed. Once entered, they can participate normally for the duration of the session.
The password itself is never stored in plain text on the public side. Manager Toolkit stores a SHA-256 hash of the password and verifies the participant's input against that hash. After a successful unlock, the browser receives a short-lived unlock token that persists for the rest of the browser session, so participants do not have to re-enter the password every time they refresh the page.
While the retro is still locked, the retro name is also hidden from the browser tab title to stop it leaking through screen-share or browser history.
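The hash check and unlock token described above, sketched as an added example; this is not Manager Toolkit's code. The token format (HMAC-signed retro id plus expiry), the signing key, the lifetime and all function names are assumptions, since the article only states that a SHA-256 hash is stored and that a short-lived token is issued.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions (not from the article): an HMAC-signed token, this key, this lifetime.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 8 * 3600


def hash_password(password):
    """SHA-256 hex digest: the stored form the article describes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def unlock(retro_id, stored_hash, attempt, now=None):
    """Return an unlock token when the attempt matches the stored hash, else None."""
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(hash_password(attempt), stored_hash):
        return None
    issued = time.time() if now is None else now
    payload = f"{retro_id}.{int(issued) + TOKEN_TTL_SECONDS}"
    sig = hmac.new(SIGNING_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def token_valid(token, retro_id, now=None):
    """Accept a token only if it is untampered, unexpired and bound to this retro."""
    current = time.time() if now is None else now
    try:
        token_retro, expires, sig = token.rsplit(".", 2)
        payload = f"{token_retro}.{expires}"
        expected = hmac.new(SIGNING_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()
        return (hmac.compare_digest(sig, expected)
                and token_retro == retro_id
                and int(expires) > current)
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    stored = hash_password("constructed-sample-password")  # constructed sample value
    token = unlock("retro-42", stored, "constructed-sample-password")
    print(unlock("retro-42", stored, "wrong guess"), token_valid(token, "retro-42"))
```

Because SHA-256 is fast to compute, a stored hash only resists guessing as well as the password itself does, so a long, random retro password matters more than it would with a slow password hash.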
When to Use Password Protection
Password protection is useful when:
- The retro link might be shared more widely than intended, for example in a large Slack channel
- The retrospective covers sensitive topics and you want to limit access
- You are running a retro with external participants and want to ensure only invited people join
For most internal team retros where you control the distribution of the link, password protection is optional. It is most valuable when you cannot fully control who sees the link.