Are NFC-activated locks vulnerable to random access?

I would like to expose one of my rules via a web URL. The automation I will be exposing controls the locks of my property. That being the case, I am worried about someone just randomly hitting the URL I have exposed. Is there a way to require authentication to happen for a URL to be invoked?

Can you clarify how you plan on using the Rule’s HTTP Trigger URL?

Per the HTTP Trigger documentation, the HTTP Trigger URL should be kept private as it includes the key necessary to trigger the rule:

Please keep the HTTP Trigger URL private! Do not post the rule’s HTTP trigger URL publicly or share with anyone you don’t trust as the trigger URL contains a special key that is authorized to execute the associated rule.

Per the ‘Request Parameters’ section of the above article, the URL format for an HTTP Trigger looks something like:

https://trigger.sharptools.io/rule/(rule_id)/key/(auth_key)/

The Rule ID is the unique identifier for your rule. It’s shown in the URL when editing a rule and on the Rule Logs page.

The Auth Key is a unique API Key scoped to a specific Rule ID and only with ‘execute’ permission.

As such, the Auth Key should be treated like a private secret/password/credential and should not be shared. If it ever is inadvertently exposed, you can delete the existing HTTP Trigger from the rule to revoke it. And you can recreate the HTTP Trigger to issue a new Auth Key.

Depending on your use-case, if you want to be able to trigger certain rules and still require standard SharpTools account authentication, then using Dashboard Sharing might be a better fit.

So I am not planning on letting anyone know about the URL. I actually want to make it so I can use an NFC tag to open my door’s smart lock. In order to do that, I have to expose a URL that gets opened when I touch the NFC tag. So I really don’t plan on publishing the URL. I am just worried about someone somehow randomly invoking the URL as this might open my door lock without me knowing it. Is this something I should be concerned about?

NFC as Identifier (don’t store URL)

I would treat the NFC tag like a general identifier or kickstart of an action that runs on your phone. Do not encode the rule trigger URL directly into the NFC tag or anyone who has access to the tag will be able to read/copy the URL. Keep the URL securely stored on your phone in your automation action.

Notification of Unlock

You could also set up a notification action in your rule so you would be sure you are aware anytime it’s being run. Alternatively, you could set up a separate rule so that any time the door is unlocked, you get a notification if you were concerned about it.

I set up a lock code based notification when someone in the community asked about how you could use the extra event data, but I mostly just ignore that notification now! :face_with_peeking_eye:

Defense in Depth

Depending on the automation runner you’re using, you might even be able to POST across a value in the payload to the rule HTTP Trigger. Within the Rule Flow, check for your secret value before conditionally running the unlock command. That adds another layer of defense as POST body values typically aren’t recorded in logs or things of that nature by default.
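Putting the two recommendations above together (tag carries only an identifier, secret travels in the POST body) as an added, runnable example. This is not SharpTools’ own code and does not talk to trigger.sharptools.io: it stands up a local fake trigger endpoint that mimics the documented URL shape and a rule-flow condition on the body, so the three cases can be exercised offline. The rule ID, auth key and body secret are constructed placeholders; real values come from the rule editor.

```python
"""Added example, not part of the original post or of SharpTools.

Models: (1) the NFC tag holding only an opaque label while the phone keeps the
trigger URL, (2) the phone POSTing a second secret in the body, and (3) the
rule-flow condition that only unlocks when that body secret matches.
"""
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders. Real values are shown in the SharpTools rule editor.
RULE_ID = "example-rule-id"
AUTH_KEY = "example-auth-key"
# Second secret: stored only in the phone automation and in the rule's condition.
BODY_SECRET = "correct horse battery staple"


def trigger_url(base, rule_id, auth_key):
    """Same shape as the documented HTTP Trigger URL; the key is part of the path."""
    return f"{base}/rule/{rule_id}/key/{auth_key}/"


def tag_record(label):
    """What gets written to the NFC tag: an opaque label the phone maps to its
    stored automation. Refuse anything that looks like a URL or contains the key."""
    if "://" in label or AUTH_KEY in label:
        raise ValueError("never write the trigger URL or auth key onto the tag")
    return label


def unlock_request(url, body_secret):
    """Phone-side request: URL from local storage, secret only in the POST body."""
    body = json.dumps({"secret": body_secret}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def body_authorizes_unlock(raw_body, expected_secret):
    """The rule-flow condition: unlock only if the body carries the right secret.
    Malformed bodies and wrong types are treated as 'no', compared in constant time."""
    try:
        data = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError):
        return False
    supplied = data.get("secret") if isinstance(data, dict) else None
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode(), expected_secret.encode())


class FakeTrigger(BaseHTTPRequestHandler):
    """Stand-in for the trigger endpoint (assumption, not SharpTools' server):
    wrong rule/key path -> 404 and the rule never runs; right path -> rule runs,
    and the unlock branch fires only when the body secret matches."""
    unlocks = 0

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        expected_path = f"/rule/{RULE_ID}/key/{AUTH_KEY}/"
        if not hmac.compare_digest(self.path.encode(), expected_path.encode()):
            self.send_response(404)
        else:
            if body_authorizes_unlock(raw, BODY_SECRET):
                FakeTrigger.unlocks += 1
            self.send_response(200)  # rule executed either way; unlock is conditional
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_trigger():
    srv = HTTPServer(("127.0.0.1", 0), FakeTrigger)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def run_demo():
    """Returns status codes and the unlock count after each of three requests."""
    srv, base = start_fake_trigger()
    FakeTrigger.unlocks = 0
    url = trigger_url(base, RULE_ID, AUTH_KEY)
    results = {}
    # 1. Legitimate tap: tag label -> URL stored on the phone -> POST with body secret.
    label = tag_record("front-door")
    phone_store = {label: url}  # lives on the phone, not on the tag
    with urllib.request.urlopen(unlock_request(phone_store[label], BODY_SECRET)) as r:
        results["good_status"] = r.getcode()
    results["unlocks_after_good"] = FakeTrigger.unlocks
    # 2. Someone who copied the URL but not the body secret: rule runs, lock stays shut.
    with urllib.request.urlopen(unlock_request(url, "guess")) as r:
        results["bad_secret_status"] = r.getcode()
    results["unlocks_after_bad_secret"] = FakeTrigger.unlocks
    # 3. Random hit with the wrong key: rejected before the rule runs at all.
    try:
        urllib.request.urlopen(unlock_request(trigger_url(base, RULE_ID, "not-the-key"), BODY_SECRET))
        results["wrong_key_status"] = 200
    except urllib.error.HTTPError as e:
        results["wrong_key_status"] = e.code
    results["unlocks_after_wrong_key"] = FakeTrigger.unlocks
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Run it and the unlock count stays at 1 across all three requests: only the tap that has both the stored URL and the body secret opens the lock. In a real setup, the label on the tag is worthless on its own, the URL alone only makes the rule run its "no" branch, and if the URL is ever exposed you still delete and recreate the HTTP Trigger to rotate the key.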