Tunnel permissions
A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel.

To get the token for a remotely-managed tunnel:

- In Zero Trust, go to Networks > Tunnels.
- Select a `cloudflared` tunnel and select Edit.
- Copy the `cloudflared` installation command.
- Paste the installation command into any text editor. The token value is of the form `eyJhIjoiNWFiNGU5Z...`

Alternatively, using the API, make a GET request to the Cloudflare Tunnel token endpoint. The token value can be found in the result:
Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two `cloudflared` replicas. To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window.

To rotate a tunnel token:

1. Refresh the token on Cloudflare.

   In the dashboard:
   - In Zero Trust, go to Networks > Tunnels.
   - Select a `cloudflared` tunnel and select Edit.
   - Select Refresh token.
   - Copy the `cloudflared` installation command for your operating system. This command contains the new token.

   Using the API:
   - Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret:
   - Make a PATCH request to the Cloudflare Tunnel endpoint:
   - Copy the `token` value shown in the output.

   After refreshing the token, `cloudflared` can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic.

2. On half of your `cloudflared` replicas, update `cloudflared` to use the new token. For example, on a Linux host:

3. Restart `cloudflared`:

4. Confirm that the service started correctly:

   While these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas.

5. Wait 10 minutes for traffic to route through the new connectors.

6. Repeat steps 2, 3, and 4 for the second half of the replicas.

The tunnel token is now fully rotated. The old token is no longer in use.
If your tunnel token is compromised, we recommend taking the following steps:

1. Refresh the token using the dashboard or API. Refer to Step 1 of Rotate a token without service disruption.

2. Delete all connections between `cloudflared` and Cloudflare:

   This will clean up any unauthorized connections and prevent users from connecting to your network.

3. On each `cloudflared` replica, update `cloudflared` to use the new token. For example, on a Linux host:

4. Restart `cloudflared`:

5. Confirm that the service started correctly:

The tunnel token is now fully rotated. The old token is no longer in use.
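As an added example that is not part of the Cloudflare documentation, the following Python covers the API side of Step 1 in both rotation procedures above (generating a tunnel secret of at least 32 bytes and building the PATCH body) and then checks a fleet of replicas to see which ones still carry an old token, which is the confirmation you want before declaring the rotation complete. The token layout (base64-encoded JSON with `a`, `t` and `s` fields) is an assumption inferred from the `eyJhIjoi...` prefix shown on the page, the `tunnel_secret` field name is an assumption, and the account and tunnel identifiers are placeholders.

```python
import base64
import json
import secrets


def new_tunnel_secret(nbytes: int = 32) -> str:
    """Random base64 string for the PATCH request; the page requires at least 32 bytes."""
    if nbytes < 32:
        raise ValueError("tunnel secret must be at least 32 bytes")
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def patch_body(tunnel_secret: str) -> dict:
    """Body for the PATCH to the tunnel endpoint (the field name tunnel_secret is an assumption)."""
    if len(base64.b64decode(tunnel_secret, validate=True)) < 32:
        raise ValueError("tunnel secret decodes to fewer than 32 bytes")
    return {"tunnel_secret": tunnel_secret}


def decode_token(token: str) -> dict:
    """Decode a connector token into its fields."""
    # Assumed layout: base64 JSON with keys a (account), t (tunnel) and s (secret);
    # the eyJhIjoi prefix on the page is the base64 encoding of the text {"a":"
    std = token.replace("-", "+").replace("_", "/")
    return json.loads(base64.b64decode(std + "=" * (-len(std) % 4)))


def encode_token(account: str, tunnel: str, secret: str) -> str:
    """Inverse of decode_token; used here only to construct sample tokens."""
    return base64.b64encode(json.dumps({"a": account, "t": tunnel, "s": secret}).encode()).decode()


def split_replicas(hosts: list) -> tuple:
    """Two halves of the replica fleet, rotated one after the other so the tunnel stays up."""
    half = (len(hosts) + 1) // 2
    return hosts[:half], hosts[half:]


def stale_replicas(tokens_by_host: dict, tunnel: str, new_secret: str) -> list:
    """Hosts whose installed token is not the new token for this tunnel; empty means rotation is done."""
    stale = []
    for host, tok in tokens_by_host.items():
        fields = decode_token(tok)
        if fields.get("t") != tunnel or fields.get("s") != new_secret:
            stale.append(host)
    return sorted(stale)


# Constructed sample fleet: two replicas already on the new secret, one still on the old one.
OLD_SECRET = new_tunnel_secret()
NEW_SECRET = new_tunnel_secret()
SAMPLE_TOKENS = {
    "replica-1": encode_token("acct-placeholder", "tunnel-placeholder", NEW_SECRET),
    "replica-2": encode_token("acct-placeholder", "tunnel-placeholder", NEW_SECRET),
    "replica-3": encode_token("acct-placeholder", "tunnel-placeholder", OLD_SECRET),
}
```

Running `stale_replicas` against the tokens actually installed on each host after the second half has been restarted tells you whether any connector would still be presenting the revoked secret.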
Minimum permissions needed to create, delete, and configure tunnels for an account:
Additional permissions needed to route traffic to a public hostname: