Managing User Sessions


JWTs are JSON web tokens, an open standard for securely sharing user information in the form of JSON object. JWTs are digitally signed using a secret and hence the information can be verified and trusted.

What does JWT contain?

JWT contain the following three segments sepearted by dots.

  • Header
  • Payload
  • Signature

A typical JWT looks like this:


  "alg": "RS256",
  "kid": "9338abe1baf2fe492f646a736f25afbf7b025e35c627be4f60c414d4c73069b8",
  "typ": "JWT"

The header contains the algorithm used to encode, kid which is the key identifier to identify the key used to sign tokens and type of the token.


  "aud": [
  "email": "[email protected]",
  "exp": 1519418214,
  "iat": 1519331815,
  "iss": "",
  "nonce": "1d8083f708a47982296f2d9896d70f207a27938f026540c392b903e5fdf4d6e9",
  "sub": "ca639bb9-26ab-42e5-b9bf-3aea27b331fd"
The payload contains the actual claim i.e user information we are trying to pass to the application.

  • aud uniquely identifies the application to which the JWT is issued. In our case, say it is
  • email contains the email address of the authenticated user
  • sub contains the unique identifier of the authenticated user
  • iss The issuer would be your application’s Cloudflare Access Domain URL.
  • iat and exp are the issuance and expiration timestamps.
  • nonce is the session identifier


Signature is generated by taking the encoded header, the encoded payload, the algorithm specified in the header and signing them using the Cloudflare Access private key. The users can validate the token using the public key.

Cloudflare includes the JWT with all authenticated requests in two places

  • As a response header Cf-Access-Jwt-Assertion
  • As a cookie CF_Authorization.

For more information on JWT refer

User Identity

After a visitor authenticates to Cloudflare Access, all subsequent requests to the application server will contain a Cf-Access-Authenticated-User-Email header with the authenticated user.

For example: Cf-Access-Authenticated-User-Email: [email protected]

This allows you to identifiy the user who has currently logged in. It is, of course, critical to ensure that only Cloudflare can send requests to your origin if you rely on this header.

Session Duration

Based on your security requirements, you may wish to allow users to have longer or shorter sessions than the default. The longer your user’s sessions, the less frequently they’ll need to login, but the longer a session will remain valid if the user doesn’t log out.

Session duration can be set on the configuration page of your Access Policies:

Session Duration

If necessary, you can always revoke all active tokens on a policy manually.