A user wrote to our private support forum with a question:
I was wondering if there is any way that we could make [our storymaps] password protected.
It seemed worth sharing the answer publicly:
Rather than engineering privacy controls into StoryMapJS, we recommend that you embed your storymaps on pages that are controlled by a system of your own choosing.
Embedding a storymap using the "iframe" method which is most straightforward in our authoring tool would not be enough, unless you were confident that the obscurity of the URL to the map was adequate security. This is not an uncommon strategy, as Google Drive, for example, offers "anyone with the link may [view/edit]" privacy controls.
If that is not adequate (which may well be the case), then you must use the "advanced" method to embed a storymap on a page. This allows you to serve the storymap data and the page which presents it only to people who have authorized access to your server, no matter how you control that authorization.
Note that you should not use our authoring tool if this level of control is important to you, as the authoring tool, by design, publishes documents for anyone who knows the URL to find.
It is possible in principle that we could adjust the authoring tool to allow you to create and export the data needed for the "advanced" method, and for us to keep that data private. This is not a high priority at the time, but if we hear from enough people that it's important, we might schedule the feature to be built.