Skip to content

Tunnel permissions

A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel.

View the tunnel token

To get the token for a remotely-managed tunnel:

  1. In Zero Trust, go to Networks > Tunnels.
  2. Select a cloudflared tunnel and select Edit.
  3. Copy cloudflared installation command.
  4. Paste the installation command into any text editor. The token value is of the form eyJhIjoiNWFiNGU5Z...

Rotate a token without service disruption

Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two cloudflared replicas. To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window.

To rotate a tunnel token:

  1. Refresh the token on Cloudflare:

    1. In Zero Trust, go to Networks > Tunnels.
    2. Select a cloudflared tunnel and select Edit.
    3. Select Refresh token.
    4. Copy the cloudflared installation command for your operating system. This command contains the new token.

    After refreshing the token, cloudflared can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic.

  2. On half of your cloudflared replicas, update cloudflared to use the new token. For example, on a Linux host:

    Terminal window
    sudo cloudflared service install <TOKEN>
  3. Restart cloudflared:

    Terminal window
    sudo systemctl restart cloudflared.service
  4. Confirm that the service started correctly:

    Terminal window
    sudo systemctl status cloudflared

    While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas.

  5. Wait 10 minutes for traffic to route through the new connectors.

  6. Repeat steps 2, 3, and 4 for the second half of the replicas.

The tunnel token is now fully rotated. The old token is no longer in use.

Rotate a compromised token

If your tunnel token is compromised, we recommend taking the following steps:

  1. Refresh the token using the dashboard or API. Refer to Step 1 of Rotate a token without service disruption.

  2. Delete all connections between cloudflared and Cloudflare:

    Terminal window
    curl --request DELETE \
    https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

    This will clean up any unauthorized connections and prevent users from connecting to your network.

  3. On each cloudflared replica, update cloudflared to use the new token. For example, on a Linux host:

    Terminal window
    sudo cloudflared service install <TOKEN>
  4. Restart cloudflared:

    Terminal window
    sudo systemctl restart cloudflared.service
  5. Confirm that the service started correctly:

    Terminal window
    sudo systemctl status cloudflared

The tunnel token is now fully rotated. The old token is no longer in use.

Account-scoped roles

Minimum permissions needed to create, delete, and configure tunnels for an account:

Additional permissions needed to route traffic to a public hostname: