I am trying to look for a way to block Sync Gateway sessions from being created using the public API. I only want to allow sessions to be created through my custom middleware server using the admin API.

How does databases.foo_db.allow_empty_password work?

Does it allow users to create sessions with an empty password?

Do you mean you don’t want users to be able to authenticate to SG at all? Then how will they replicate?

I have a custom application server and sync gateway server. I want the user to be able to enter password once and be authenticated with both.

My goal was to have the user authenticate with the application server, then the application server creates a session on behalf of the user using the /{db}/_session admin API. The application server then responds with Set-Cookie headers that will give access to SG to replicate.
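One way to implement the flow described above, as an added example that is not part of the original post or of Sync Gateway itself. It assumes the admin REST API at its default localhost address (http://127.0.0.1:4985), the documented request body `{"name", "ttl"}` and reply fields `cookie_name` / `session_id` / `expires` for `POST /{db}/_session`, and a hypothetical `verify_password` callback for the application server's own user store. The HTTP transport is injectable so the example runs offline against a constructed reply.

```python
"""Middleware step: authenticate the user ourselves, then mint a Sync Gateway
session through the admin API and hand the cookie back to the client.

Added example, not Sync Gateway's own code. Assumptions: admin API on
127.0.0.1:4985 (the default admin interface, bound to localhost), request body
{"name": ..., "ttl": ...} and reply {"cookie_name", "session_id", "expires"}.
"""
import json
import urllib.request
from typing import Callable, Dict, Optional, Tuple

SG_ADMIN_URL = "http://127.0.0.1:4985"   # assumption: default admin port, never exposed to clients
DEFAULT_TTL_SECONDS = 24 * 60 * 60

# (url, json_body) -> parsed JSON reply; swapped for a fake in tests/offline runs
Transport = Callable[[str, bytes], dict]


def _http_transport(url: str, body: bytes) -> dict:
    """Real transport: POST JSON to the admin API and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def create_sg_session(db: str, username: str, ttl: int = DEFAULT_TTL_SECONDS,
                      transport: Transport = _http_transport) -> dict:
    """Ask the admin API for a session for `username`.

    No password is sent: the admin API trusts its caller unconditionally, so this
    must only run after the application server has authenticated the user itself.
    """
    if not username:
        raise ValueError("refusing to mint a session for an empty user name")
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    body = json.dumps({"name": username, "ttl": ttl}).encode()
    return transport(f"{SG_ADMIN_URL}/{db}/_session", body)


def set_cookie_header(session: dict, ttl: int, *, secure: bool = True,
                      domain: Optional[str] = None, path: str = "/") -> str:
    """Translate the admin API reply into a Set-Cookie value for the client.

    The cookie name must be the one SG reports (`cookie_name`); the replicator
    sends it back to SG, so Domain/Path must cover the SG endpoint the client
    uses (e.g. both app server and SG behind one reverse proxy). Max-Age is taken
    from the ttl we requested rather than re-parsing SG's `expires` timestamp.
    """
    parts = [f"{session['cookie_name']}={session['session_id']}",
             f"Path={path}", f"Max-Age={ttl}", "HttpOnly"]
    if secure:
        parts.append("Secure")
    if domain:
        parts.append(f"Domain={domain}")
    return "; ".join(parts)


def login(db: str, username: str, password: str,
          verify_password: Callable[[str, str], bool],
          ttl: int = DEFAULT_TTL_SECONDS,
          transport: Transport = _http_transport) -> Tuple[int, Dict[str, str]]:
    """The flow from the thread: check the password against the app's own user
    store first; only on success mint the SG session and return the cookie.
    Returns (HTTP status, response headers)."""
    if not verify_password(username, password):
        return 401, {}                      # nothing touches the admin API on failure
    session = create_sg_session(db, username, ttl, transport)
    return 200, {"Set-Cookie": set_cookie_header(session, ttl)}


if __name__ == "__main__":
    # Constructed admin-API reply so the demo runs without a Sync Gateway.
    def fake_transport(url: str, body: bytes) -> dict:
        print("POST", url, body.decode())
        return {"cookie_name": "SyncGatewaySession", "session_id": "demo-session-id",
                "expires": "2030-01-01T00:00:00Z"}

    users = {"alice": "correct horse"}      # constructed, hypothetical user store
    verify = lambda u, p: users.get(u) == p
    print(login("foo_db", "alice", "correct horse", verify, ttl=3600, transport=fake_transport))
    print(login("foo_db", "alice", "wrong", verify, ttl=3600, transport=fake_transport))
```

The admin port must stay unreachable from clients, since anyone who can POST to it can mint a session for any user without a password; the public `/{db}/_session` endpoint is untouched by this code, so whether users can still authenticate there directly depends on the database's own password settings.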

Sounds reasonable. I think you asked this question in another thread too? Is there a reason for both threads?