Cloudflare Docs
Cloudflare Zero Trust
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Temporary authentication

With Cloudflare Access, you can require that users obtain approval before they can access a specific application. The administrator will receive an email notification to approve or deny the request. Unlike a typical Allow policy, the user will have to request access at the end of each session. This allows you to define the users who should have persistent access and those who must request temporary access.

​​ Set up temporary authentication

  1. In Zero Trust, go to Access > Applications.
  2. Choose an application and select Edit.
  3. Choose the Allow policy you want to configure and select Edit.
  4. Under Additional settings, turn on Purpose justification.
  5. Turn on Temporary authentication.
  6. Enter the Email addresses of the approvers. (Note: your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your App Launcher Access policy.)
  7. Save the policy.

Temporary authentication is now enabled for users who match this policy. You can optionally add a second Allow policy for users who should have persistent access. Be sure the policy order is set to allow persistent users through.

​​ Temporary authentication requests

When a user accesses the application, they will be prompted to enter a purpose justification and submit an access request. The request is automatically emailed to approvers. Alternatively, the user can manually present the approval link to approvers.

Temporary authentication request page shown to users

Approvers will receive a request similar to the example below. The approver can then grant access for a set amount of time, up to a maximum of 24 hours.

Temporary authentication approval page shown to administrators