Cloudflare Access secures your application by evaluating each request for authentication. Many users authenticate through an identity provider (IdP). For these users, Cloudflare generates a JSON Web Token (JWT) scoped to the applications they are authorized to access.
Cloudflare Access also supports service tokens for automated requests, such as those generated by other applications and services. Cloudflare Access service tokens or mutual TLS (mTLS) authentication are the right fit for these use cases.
Create a service token from the Cloudflare dashboard as follows:
The name allows you to easily identify events related to the token in the logs and to revoke the token individually.
1. Click Generate token.
Once the operation completes, the dialog lists the details of your new service token—Client ID, Client Secret, date created, last updated, expiration date, and applications where the token has been used.
This is the only time Access displays the Client Secret! If you lose the Client Secret, you must generate a new service token.
Once you close the Generate A New Service Token dialog, the Access Service Tokens panel displays the new service token.
Once you create a service token, you can build an Access policy for the token to define how Cloudflare evaluates requests from the token holder.
In the Create Access Policy window, enter an Application Name, typically the name of the token holder application/service.
Review the Application Domain.
You can optionally supply a subdomain and/or a path. This example specifies api for the subdomain. Keep in mind that only one policy can apply to a given URL at a time.
The Session Duration defines the maximum length of an authenticated session. When the session expires, the user must log in again to continue.
The Non-Identity option allows you to create rules for requests, such as those using a service token, that do not use an identity provider to authenticate.
The list automatically displays available tokens.
Once saved, the policy displays in the Access Policies list. Use the expander arrows to display more details.
Cloudflare Access service tokens consist of a Client ID and a Client Secret. When a request is made to an application behind Cloudflare's network, the request submits both values to Access. If the service token is valid, Cloudflare Access generates a JWT scoped to the service. The request then proceeds, using the JWT to demonstrate its permission to reach the application.
Cloudflare Access expects both values as headers in the request sent to the application. Name them as follows:
CF-Access-Client-Id: <Client ID>
CF-Access-Client-Secret: <Client Secret>
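The following is an added example, not code from Cloudflare's documentation or product, showing how a calling service attaches the two headers above. The environment variable names (CF_ACCESS_CLIENT_ID, CF_ACCESS_CLIENT_SECRET), the example URL and the helper names are assumptions of this example; the header names are the ones the page specifies. It reads the credentials from the environment rather than source code (the Client Secret is shown only once at creation, so it should be stored as a secret), refuses to send them over plain HTTP, keeps the secret out of reprs and logs, and treats any non-2xx response as Access declining the request.

```python
"""Call an application protected by Cloudflare Access using a service token.
Added example: not Cloudflare's own code. Uses only the standard library."""
import os
import urllib.error
import urllib.request
from dataclasses import dataclass

# Header names Cloudflare Access expects on every request (from the page).
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"


@dataclass(frozen=True)
class ServiceToken:
    client_id: str
    client_secret: str

    def __repr__(self) -> str:
        # Keep the secret out of logs, tracebacks and debug output.
        return f"ServiceToken(client_id={self.client_id!r}, client_secret='***')"


def load_service_token(env=None) -> ServiceToken:
    """Read the credentials from the environment.

    The variable names are an assumption of this example; the point is that
    the Client Secret lives in a secret store or the process environment,
    never in source control.
    """
    env = os.environ if env is None else env
    try:
        return ServiceToken(env["CF_ACCESS_CLIENT_ID"], env["CF_ACCESS_CLIENT_SECRET"])
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None


def build_request(url: str, token: ServiceToken, method: str = "GET") -> urllib.request.Request:
    """Build the request with both Access headers attached.

    Both headers are required: Access matches the Client ID and Client Secret
    together against the service token you created in the dashboard.
    """
    if not url.startswith("https://"):
        # The secret must only ever travel inside TLS.
        raise ValueError("service token requests must use https")
    req = urllib.request.Request(url, method=method)
    req.add_header(CLIENT_ID_HEADER, token.client_id)
    req.add_header(CLIENT_SECRET_HEADER, token.client_secret)
    return req


def call_protected_app(url: str, token: ServiceToken, opener=None, timeout: int = 10):
    """Send the request and return (status_code, body_bytes).

    A 4xx status is returned rather than raised so the caller can tell
    "Access did not accept these credentials / no policy matched" apart from
    a transport failure. `opener` is injectable for testing.
    """
    opener = opener or urllib.request.build_opener()
    req = build_request(url, token)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # Access rejections surface here; the body is Cloudflare's error page.
        return err.code, err.read()


if __name__ == "__main__":
    # Example URL is constructed; substitute the application domain from the
    # Access policy (here the "api" subdomain used on this page).
    status, body = call_protected_app(
        "https://api.example.com/v1/health", load_service_token()
    )
    print(status, len(body), "bytes")
```

If the call returns a 4xx instead of your application's response, check that the policy's Non-Identity rule includes this token, that the policy's domain, subdomain and path cover the URL being called, and that the token has not expired or been deleted.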
By default, Cloudflare Access service tokens expire one year after they are created. If you need to revoke access earlier, delete the token.
To delete a service token from the Access app, scroll to the Service Tokens card, find the token you want to delete, and click the delete ✕.
When revoking service tokens, keep in mind:
As long as the Client ID and Client Secret are still valid, they can be exchanged for a new JWT on the next request. To revoke access, you must delete the service token.
You can extend the lifetime of a service token from the Access Service Tokens card in the Access app.
To extend the lifetime of a token for one year: