I think it should be, because @auth means authentication, so needs authenticated user.
In your case I should do differently. def secret(): if not request.client == '127.0.0.1' or not auth.user: redirect(URL('default', 'user', args='login')) return {"": "some cool stuff"}