I’m working on a site that is using Facebook authentication and friends, but I’m not ready for it to be publicly visible. It seems like if I put a password on the site’s directory, Facebook’s calls to my server won’t be able to get in. Is there a way to provide FB with user/psw credentials for the site — just http basic authentication or something comparable, I guess — so that it will be able to get in?
EDIT BASED ON CLARIFICATION AND MORE EXPERIMENTATION:
There are looking to be two parts to this:
- There are no problems with Facebook Connect. When the user visits the page of the protected site, they’re presented with the authentication panel, and they then authenticate (or don’t). If they get it, the connection/login follows, and all’s well, since the connect information is presumably coming back along the same http connection that’s just been authenticated. (I’m a little fuzzy on these parts of http work, but I think that’s mostly correct.)
The REAL problem I’m facing, as I just realized (sorry; early Monday morning / long weekend) is how calls from the realtime API get in. These calls just sort of arrive from out of the blue, and so there’s no authenticated path into the server. @Martey’s point about doing authentication (posted to an earlier version of the question) based on ip address looks promising there, but I’m still wondering if there’s a way to get FB to send along user/psw with that.
An alternative would be to use authentication based on IP addresses. By only allowing your address and Facebook’s, you would prevent others from accessing the site, but still allow any callbacks from Facebook to arrive.
In response to the updated question: If it is possible to add HTTP Basic authentication to a callback URL (i.e. http://USER:PASSWORD@example.com/), you would have to do so by adding the username and password directly to the callback_url parameter when creating a real-time subscription. Whether or not this will work, however, is dependent on Facebook being able to parse your callback URL and correctly use Basic authentication when communicating with your server.
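The two options discussed above (IP allowlisting and Basic credentials carried in the callback URL) can be combined on the receiving server so that either one lets a callback through. The sketch below is an added example, not code from the original posts or from Facebook; the function names are hypothetical, the networks are documentation placeholder ranges rather than Facebook's real addresses, and the credentials mirror the USER:PASSWORD placeholder.

```python
import base64
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholders (RFC 5737 documentation ranges), not Facebook's real ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]
# Constructed credentials, matching the USER:PASSWORD placeholder in the callback URL.
EXPECTED_USER, EXPECTED_PASSWORD = "USER", "PASSWORD"


def header_from_callback_url(callback_url):
    """Build the Authorization header a client honouring URL userinfo would send."""
    parts = urlsplit(callback_url)
    if parts.username is None:
        return None
    token = f"{parts.username}:{parts.password or ''}".encode()
    return "Basic " + base64.b64encode(token).decode()


def basic_auth_ok(authorization):
    """Check an Authorization header value against the expected credentials."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Constant-time comparison so timing does not leak how much of the value matched.
    return (hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
            & hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode()))


def request_allowed(remote_addr, authorization=None):
    """Allow a request if its source IP is allowlisted OR it carries valid Basic auth."""
    try:
        addr = ipaddress.ip_address(remote_addr)  # must be the socket peer address
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in ALLOWED_NETWORKS):
        return True
    return basic_auth_ok(authorization)
```

Pass `request_allowed` the TCP peer address rather than a client-supplied header such as `X-Forwarded-For`, and register the callback over https so the Basic credentials are not sent in clear text.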