We embedded bokeh server in a flask application. The flask application has its security scheme.
However we find that any user, just typing the bokeh server url can ac