You might find it useful to have widgets that are not publicly accessible. Widget Construction Set supports private widgets via HTTP Basic Authentication.
Private widgets should be hosted to return an
HTTP 401 unless a valid auth header is provided. A valid auth header is one with the key
Authorization and the value of
Basic d293OnN1Y2hfaGFja2VyIQ== where
d293OnN1Y2hfaGFja2VyIQ== is equal to the Base64 encoded value of
username:password. For more info on HTTP Basic Authentication, check out this MDN document.