RSS Give your automated services credentials with Access service tokens

RSS Feed

Dec 23, 2018
RSS Feed submitted a new Article:

Give your automated services credentials with Access service tokens


Cloudflare Access secures your internal sites by adding authentication. When a request is made to a site behind Access, Cloudflare asks the visitor to login with your identity provider. With service tokens, you can now extend that same level of access control by giving credentials to automated tools, scripts, and bots.

Authenticating users and bots alike

When users attempt to reach a site behind Access, Cloudflare looks for a JSON Web Token (a JWT) to determine if that visitor is allowed to reach that URL. If user does not have a JWT, we redirect them to the identity provider configured for your account. When they login successfully, we generate the JWT.

When you create an Access service token, Cloudflare generates a unique Client ID and Secret scoped to that service. When your bot sends a request with those credentials as headers, we validate them ourselves instead of redirecting to your identity provider. Access creates a JWT for that service and the bot can use that to reach your application.

Getting started

Within the Access tab of the Cloudflare dashboard, you’ll find a new section: Service Tokens. To get started, select “Generate a New Service Token.”


You’ll be asked to name the service before Access provides you with a Client ID and Client Secret. The dashboard only displays the Client Secret once, so you’ll need to copy it and keep it in a secure location.


Once the service token has been created, you’ll need to update your Access policies to allow requests from approved services. You can add service tokens to existing rules, or you can create new policies for specific endpoints. Access will list the service tokens you created so you can select which services are allowed.

Give the Client ID and Secret to your service with the following header names:


When your service attempts to reach an application behind Access, Cloudflare will look for those headers. If found, we’ll confirm they’re valid and exchange them for a JSON Web Token (JWT), which allows the request to proceed.

The Client ID and Secret pair are valid for one year, at which time you can...

Read more about this article here...