Date: 2025-10-23

You can configure a self-hosted Access application to manage access to specific IPs or hostnames on your private network.

Note: This feature replaces the legacy private network app type.

Prerequisites

Add your application to Access

1. In Zero Trust, go to Access > Applications.
2. Select Add an application.
3. Select Self-hosted.
4. Enter any name for the application.
5. In Session Duration, choose how often the user's application token should expire. Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to Session management. If the application is non-HTTPS or you do not have TLS decryption turned on, the session is tracked by the WARP client per application.

Users can now connect to your private application after authenticating with Cloudflare Access.

Authentication flow

HTTPS applications

If Gateway TLS decryption is turned on and a user is accessing an HTTPS application on port 443, Cloudflare Access will present a login page in the browser and issue an application token to your origin. This is the same cookie-based authentication flow used by self-hosted public apps.

If Gateway TLS decryption is turned off, session management is handled in the WARP client instead of in the browser.

Non-HTTPS applications

The WARP client manages sessions for all non-HTTPS applications. Users will receive an Authentication required pop-up notification from the WARP client. When the user selects the notification, WARP will open a browser window with your Access login page.

Ensure that your operating system allows notifications for WARP. Your device may not display notifications if focus, do not disturb, or screen sharing settings are turned on. To turn on client notifications on macOS devices running DisplayLink software, you may have to allow system notifications when mirroring your display. For more information, refer to the macOS documentation.

Order of precedence

Access vs Gateway policies

By default, Cloudflare will evaluate Access application policies after evaluating all Gateway network policies. To evaluate Access applications before or after specific Gateway policies:

1. Create the following Gateway network policy:

   | Selector           | Operator | Value   | Action |
   | ------------------ | -------- | ------- | ------ |
   | Access Private App | is       | Present | Allow  |

2. Update the policy's order of precedence using the dashboard or API.

Note: Users must pass the policies in your Access application before they are granted access. The Gateway Allow policy is strictly for routing and connectivity purposes.

Private hostname vs private IP