Service tokens

You can provide automated systems with service tokens to authenticate against your Zero Trust policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access.

This section covers how to create, renew, and revoke a service token.

Create a service token

Dashboard

1. In Zero Trust ↗, go to Access > Service Auth > Service Tokens.

2. Select Create Service Token.

3. Name the service token. The name allows you to easily identify events related to the token in the logs and to revoke the token individually.

4. Choose a Service Token Duration. This sets the expiration date for the token.

5. Select Generate token. You will see the generated Client ID and Client Secret for the service token, as well as their respective request headers.

6. Copy the Client Secret.

   Warning

   This is the only time Cloudflare Access will display the Client Secret. If you lose the Client Secret, you must generate a new service token.

Terraform

1. Add the following permission to your cloudflare_api_token ↗:

   • Access: Service Tokens Write

2. Configure the cloudflare_zero_trust_access_service_token ↗ resource:

   resource "cloudflare_zero_trust_access_service_token" "example_service_token" {
   account_id = var.cloudflare_account_id
   name       = "Example service token"
   duration  = "8760h"
   }

3. Output the Client ID and Client Secret to the Terraform state file:

   output "example_service_token_client_id" {
     value     = cloudflare_zero_trust_access_service_token.example_service_token.client_id
   }
   
   output "example_service_token_client_secret" {
     value     = cloudflare_zero_trust_access_service_token.example_service_token.client_secret
     sensitive = true
   }

4. Apply the configuration:

   terraform apply

5. Read the Client ID and Client Secret:

   terraform output -raw example_service_token_client_id

   terraform output -raw example_service_token_client_secret

You can now configure your Access applications and device enrollment permissions to accept this service token. Make sure to set the policy action to Service Auth; otherwise, Access will prompt for an identity provider login.

Connect your service to Access

Initial request

To authenticate to an Access application using your service token, add the following to the headers of any HTTP request:

CF-Access-Client-Id: <CLIENT_ID>

CF-Access-Client-Secret: <CLIENT_SECRET>

For example,

curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com

If the service token is valid, Access generates a JWT scoped to the application in the form of a CF_Authorization cookie. You can use this cookie to authenticate subsequent requests to the application.

Subsequent requests

After you have authenticated to the application using the service token, add the resulting CF_Authorization cookie to the headers of all subsequent requests:

curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://app.example.com

If you prefer to use a raw header, send the value as cf-access-token:

curl -H "cf-access-token=<CF_AUTHORIZATION_COOKIE>" https://app.example.com

All requests with this cookie will succeed until the JWT expires.

Note

If your Access application only has Service Auth policies, you must send the service token on every subsequent request. You can only use the JWT if the application has at least one Allow policy.

Renew service tokens

Service tokens expire according to the token duration you selected when you created the token.

To renew the service token:

1. In Zero Trust ↗, go to Access > Service auth > Service Tokens.
2. Locate the token you want to renew.
3. To extend the token's lifetime by one year, select Refresh.
4. To extend the token's lifetime by more than a year:
   1. Select Edit.
   2. Choose a new Service Token Duration.
   3. Select Save. The expiration date will be extended by the selected amount of time.

Revoke service tokens

If you need to revoke access before the token expires, simply delete the token.

1. In Zero Trust ↗, go to Access > Service auth > Service Tokens.
2. Delete the token you need to revoke.

Services that rely on a deleted service token can no longer reach your application.

Note

When editing an Access application, selecting Revoke existing tokens revokes existing sessions but does not prevent the user from starting a new session. As long as the Client ID and Client Secret are still valid, they can be exchanged for a new token on the next request. To revoke access, you must delete the service token.

Set a token expiration alert

An alert can be configured to notify a week before a service token expires to allow an administrator to invoke a token refresh.

Expiring Access Service Token Alert

Who is it for?

Access customers who want to receive a notification when their service token is about to expire.

Other options / filters

None.

Included with

Purchase of Access

What should you do if you receive one?

Extend the expiration date of the service token. For more details, refer to Renew your service token.

To configure a service token expiration alert:

1. In the Cloudflare dashboard ↗, go to the Notifications tab.
2. Select Add.
3. Select Expiring Access Service Token.
4. Enter a name for your alert and an optional description.
5. (Optional) Add other recipients for the notification email.
6. Select Save.

Your alert has been set and is now visible in the Notifications tab of the Cloudflare dashboard.

Was this helpful?

What did you like?

Accurate

Easy to understand

Solved my problem

Helped me decide to use the product

Other

What went wrong?

Hard to understand

Incorrect information

Missing the information

Other

Thank you for helping improve Cloudflare's documentation!