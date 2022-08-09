When Cloudflare sends a request to your origin, the request will include an application token as a Cf-Access-Jwt-Assertion request header and as a CF_Authorization cookie.

Cloudflare signs the token with a key pair unique to your account. You should validate the token with your public key to ensure that that the request came from Access and not a malicious third party.

​​ Access signing keys

The public key for the signing key pair is located at https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/certs .

By default, the Access rotates the signing key every 6 weeks. This means you will need to programmatically or manually update your keys as they rotate. Previous keys remain valid for 7 days after rotation to allow time for you to make the update.

You can also manually rotate the key using the API External link icon Open external link . This can be done for testing or security purposes.

As shown in the example below, https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/certs contains two public keys: the current key used to sign all new tokens, and the previous key that has been rotated out.

keys : both keys in JWK format

: both keys in JWK format public_cert : current key in PEM format

: current key in PEM format public_certs : both keys in PEM format { "keys": [ { "kid": "1a1c3986a44ce6390be42ec772b031df8f433fdc71716db821dc0c39af3bce49", "kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "5PKw-...-AG7MyQ" }, { "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65", "kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB", "n": "pwVn...AA6Hw" } ], "public_cert": { "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65", "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- " }, "public_certs": [ { "kid": "1a1c3986a44ce6390be42ec772b031df8f433fdc71716db821dc0c39af3bce49", "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- " }, { "kid": "6c3bffef71bb0a90c9cbef3b7c0d4a1c7b4b8b76b80292a623afd9dac45d1c65", "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- " } ] }

Avoid key rotation issues Validate tokens using the external endpoint rather than saving the public key as a hard-coded value.

Do not fetch the current key from public_cert , since your origin may inadvertently read an expired cached value. from an outdated cache. Instead, match the kid value in the JWT to the corresponding certificate in public_certs .

​​ Verify the JWT manually

To verify the token manually:

Copy the JWT from the CF_Authorization cookie or from the Cf-Access-Jwt-Assertion request header. Go to jwt.io External link icon Open external link . Select the RS256 algorithm. Paste the JWT into the Encoded box. Get the kid value located in the Header box. Get your public key: Go to https://<your-team-name>/cdn-cgi/access/certs . Under public_certs , locate the entry with the kid value you found in Step 5. Copy the cert value. In the Verify Signature box, paste the cert value into the Public Key field. Ensure that the signature says verified.

You can now trust that this request was sent by Access.

​​ Programmatic verification

You can run an automated script on your origin server to validate incoming requests. The provided sample code gets the application token from a request and checks its signature against your public key. You will need to insert your own team domain and Application Audience (AUD) tag into the sample code.

​​ Get your AUD tag

In the Zero Trust dashboard External link icon Open external link , go to Access > Applications. Select Edit for your application. On the Overview tab, copy the Application Audience (AUD) Tag.

You can now paste the AUD into your token validation script.

​​ Golang example

package main import ( "context" "fmt" "net/http" "github.com/coreos/go-oidc/v3/oidc" ) var ( ctx = context . TODO ( ) teamDomain = "https://test.cloudflareaccess.com" certsURL = fmt . Sprintf ( "%s/cdn-cgi/access/certs" , teamDomain ) policyAUD = "4714c1358e65fe4b408ad6d432a5f878f08194bdb4752441fd56faefa9b2b6f2" config = & oidc . Config { ClientID : policyAUD , } keySet = oidc . NewRemoteKeySet ( ctx , certsURL ) verifier = oidc . NewVerifier ( teamDomain , keySet , config ) ) func VerifyToken ( next http . Handler ) http . Handler { fn := func ( w http . ResponseWriter , r * http . Request ) { headers := r . Header accessJWT := headers . Get ( "Cf-Access-Jwt-Assertion" ) if accessJWT == "" { w . WriteHeader ( http . StatusUnauthorized ) w . Write ( [ ] byte ( "No token on the request" ) ) return } ctx := r . Context ( ) _ , err := verifier . Verify ( ctx , accessJWT ) if err != nil { w . WriteHeader ( http . StatusUnauthorized ) w . Write ( [ ] byte ( fmt . Sprintf ( "Invalid token: %s" , err . Error ( ) ) ) ) return } next . ServeHTTP ( w , r ) } return http . HandlerFunc ( fn ) } func MainHandler ( ) http . Handler { return http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) { w . Write ( [ ] byte ( "welcome" ) ) } ) } func main ( ) { http . Handle ( "/" , VerifyToken ( MainHandler ( ) ) ) http . ListenAndServe ( ":3000" , nil ) }

​​ Python example

pip install the following: