Service Tokens

Cloudflare Access controls who can reach your application by evaluating every request for authentication. For many use cases, a user demonstrates they should have access by logging in through an identity provider. Access generates a JSON Web Token (a JWT) that is scoped to that user’s identity to allow them to reach the application.

However, some applications need to be accessible to requests that originate from automated services in addition to human users. With Cloudflare Access, you can create service tokens to allow those automated requests to reach your application.

Creating a service token

Within the Cloudflare Access app, navigate to the “Access Service Tokens” Card. Then, click “Generate a New Service Token”.

srv-generate

In the dialog, give your service token a name. You can name it based on the service using it to help you identify the token in the logs and revoke individually, if needed.

srv-dialog

Once saved, Access will generate the service token Client ID and Client Secret. Access only displays the Client Secret once. You must copy it down or you will need to generate a new token if you lose this secret value. In addition to the ID and Secret, you can view the date created, last updated and expiration dates as well as any applications where the token is in use.

srv-secret

Building a policy for service tokens

Now that you have created a service token, you can create an Access Policy that allows the service that holds that token to reach your application. Go to the Cloudflare Access app and start by clicking “Create Access Policy” in the “Access Policies” card. You can apply this policy to a subdomain or path. For more details about configuring policies, follow the instructions here.

srv-nonid

Once you name your policy, under the “Decision” field, select “Non Identity.” “Non Identity” decision types, like service tokens and client certificates, allow you to create rules for requests that do not use an identity provider login.

srv-tokenname

In your rule, select “Access Service Token” from the drop-down menu. The tokens you have created will preload and you can select which one to include. Click “Save” to finish creating the policy.

Configuring tokens with your service

Cloudflare Access service tokens consist of a Client ID and Client Secret. When a request is made to an application behind our network, the request will submit that ID and Secret pair to Access. If valid, Cloudflare Access will generate a JWT scoped to the service. The request can then proceed using that JWT to demonstrate that it should be allowed to reach the application.

Cloudflare Access expects these values as headers in the request sent to the application. You must name those headers as follows:

CF-Access-Client-Id:

CF-Access-Client-Secret:

Revoking a service token

By default, Cloudflare Access service tokens expire one year after creation. If you need to revoke the token earlier, you can do so in the Service Tokens card.

Note: Clicking “Revoke Existing Tokens” in the Policy configuration window will revoke existing sessions. If the Client ID and Secret are still valid, they can be exchanged for a new token on the next request until the token itself is deleted.

srv-token-row

To revoke a Service Token, click the “x” button on the row of the Service Token you need to delete. In the next screen, confirm you need to delete this token.

Any services using this token will no longer be able to reach the application behind Access.

srv-token-revoke