Service tokens

Cloudflare Access secures your application by evaluating each request for authentication. Most users authenticate through an identity provider (IdP). For these users, Cloudflare generates a JSON Web Token (JWT) that is scoped to the applications they are authorized to access.

Cloudflare Access also supports service tokens for automated requests, such as those made by other applications and services. Cloudflare Access service tokens or mutual TLS (mTLS) authentication are ideal for these use cases.

Create a service token

Create a service token from the Cloudflare dashboard as follows:

  1. Open the Cloudflare Access app and scroll down to the Access Service Tokens card.
  2. Click Generate a New Service Token.

Access Service Token card

  3. In the Generate A New Service Token dialog, provide a name for your token.

The name allows you to easily identify events related to the token in the logs and to revoke the token individually.

  4. Click Generate token.

Generate a New Service Token window

Once the operation completes, the dialog lists the details of your new service token—Client ID, Client Secret, date created, last updated, expiration date, and applications where the token has been used.

  5. Click the Copy button to save the Client Secret to your clipboard.

This is the only time Access displays the Client Secret! If you lose the Client Secret, you must generate a new service token.

Generate a New Service Token Dialog

Once you close the Generate A New Service Token dialog, the Access Service Tokens panel displays the new service token.

Access Service Tokens panel

Build a policy for service tokens

Once you create a service token, you can build an Access policy for the token to define how Cloudflare evaluates requests from the token holder.

  1. In your Cloudflare dashboard, select the Access app, scroll to the Access Policies card, and click Create Access Policy.

Create Access Policy Button

  2. In the Create Access Policy window, enter an Application Name, typically the name of the token holder application/service.

  3. Review the Application Domain.

You can optionally supply a subdomain and/or a path. This example specifies api for the subdomain. Keep in mind that only one policy can apply to a given URL at a time.

The Session Duration defines the maximum length of an authenticated session. When the session expires, the user must log in again to continue.

Create Access Policy Window

  4. In the Policies section, name your policy and select Non-Identity from the Decision drop-down list.

The Non-Identity option allows you to create rules for requests, such as those using a service token, that do not use an identity provider to authenticate.

Non-Identity option

  5. In the Include section of the policy, select Access Service Token from the drop-down list and then select the name of a service token from the drop-down list on the right.

The list automatically displays available tokens.

Access Service Token

  6. Click Save to create the policy.

Once saved, the policy displays in the Access Policies list. Use the expander arrows to display more details.

Access Policies List

Configure your service for tokens

Cloudflare Access service tokens consist of a Client ID and Client Secret. When a request is made to an application behind Cloudflare's network, the request submits both values to Access. If the service token is valid, Cloudflare Access generates a JWT scoped to the service. The request then proceeds, using the JWT to demonstrate its permission to reach the application.

Cloudflare Access expects both values as headers in the request sent to the application. Name them as follows:

  • CF-Access-Client-Id: <Client ID>
  • CF-Access-Client-Secret: <Client Secret>
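As an added example (not Cloudflare's code), a small Python client that attaches these two headers to an outbound request. The environment variable names and the target URL are assumptions; the client also refuses to send the Client Secret over anything other than HTTPS, since the secret is a reusable credential.

```python
"""Call a Cloudflare Access-protected service with a service token.

Added example, not Cloudflare's code. Assumptions: the Client ID and Client
Secret are supplied via the environment variables CF_ACCESS_CLIENT_ID and
CF_ACCESS_CLIENT_SECRET (names chosen here), and the URL below is constructed.
"""
import os
import urllib.request
from urllib.parse import urlsplit

# Header names Cloudflare Access expects on a service-token request.
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"


def access_headers(client_id: str, client_secret: str) -> dict:
    """Return the two headers Access needs; both values are required."""
    if not client_id or not client_secret:
        raise ValueError("service token Client ID and Client Secret are both required")
    return {CLIENT_ID_HEADER: client_id, CLIENT_SECRET_HEADER: client_secret}


def build_request(url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the request, refusing to put the Client Secret on a non-HTTPS URL."""
    if urlsplit(url).scheme != "https":
        raise ValueError("service token credentials must only be sent over HTTPS")
    return urllib.request.Request(url, headers=access_headers(client_id, client_secret))


def credentials_from_env() -> tuple:
    """Read the token from the environment so the secret never lives in source code."""
    return os.environ["CF_ACCESS_CLIENT_ID"], os.environ["CF_ACCESS_CLIENT_SECRET"]


if __name__ == "__main__":
    cid, secret = credentials_from_env()
    req = build_request("https://api.example.com/status", cid, secret)  # constructed URL
    with urllib.request.urlopen(req, timeout=10) as resp:
        # Log the Client ID (it identifies the token in Access logs), never the secret.
        print(resp.status, "as", cid)
```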

Revoke service tokens

By default, Cloudflare Access service tokens expire one year after they’re created. If you need to revoke access earlier, simply delete the token.

To delete a service token from the Access app, scroll to the Service Tokens card, find the token you want to delete, and click the delete icon.

Delete Access Service Tokens

When revoking service tokens, keep in mind:

  • Services that rely on a deleted service token can no longer reach your application.
  • Clicking Revoke Existing Tokens when editing a policy in the Edit Access Policy dialog revokes existing sessions but does not revoke access.

As long as the Client ID and Client Secret are still valid, they can be exchanged for a new token on the next request. To revoke access, you must delete the service token.

Revoking Tokens

Extend service token lifetime

You can extend the lifetime of a service token from the Access Service Tokens card in the Access app.

To extend the lifetime of a token for one year:

  1. Locate the token in the list and click Refresh.

Refresh Service Tokens

  2. Click Refresh in the Confirm window.

Confirmation Dialog