Deploy WARP on headless Linux machines
Date: 2025-09-26
This tutorial explains how to deploy the Cloudflare WARP client on Linux devices using a service token and an installation script. This deployment workflow is designed for headless servers - that is, servers which do not have access to a browser for identity provider logins - and for situations where you want to fully automate the onboarding process. Because devices will not register through an identity provider, identity-based policies and logging will be unavailable.
Fully automated deployments rely on a service token to enroll the WARP client in your Zero Trust organization. You can use the same token to enroll multiple devices, or generate a unique token per device if they require different device profile settings.
To create a service token:
In Zero Trust, go to Access > Service Auth > Service Tokens.
Select Create Service Token.
Name the service token. The name allows you to easily identify events related to the token in the logs and to revoke the token individually.
Choose a Service Token Duration. This sets the expiration date for the token.
Select Generate token. You will see the generated Client ID and Client Secret for the service token, as well as their respective request headers.
Copy the Client Secret.
Make a POST request to the Access Service Tokens endpoint:
Required API token permissions
At least one of the following token permissions is required:
Access: Service Tokens Write
Copy the client_id and client_secret values returned in the response.
Add the following permission to your cloudflare_api_token:
Access: Service Tokens Write
Configure the cloudflare_zero_trust_access_service_token resource:
Get the Client ID and Client Secret of the service token:
Example: Output to CLI
- Output the Client ID and Client Secret to the Terraform state file:
- Apply the configuration:
- Read the Client ID and Client Secret:
Example: Store in HashiCorp Vault
Device enrollment permissions determine the users and devices that can register WARP with your Zero Trust organization.
To allow devices to enroll using a service token:
In Zero Trust, go to Settings > WARP Client.
In Device enrollment permissions, select Manage.
In the Policies tab, select Create new policy. A new tab will open with the policy creation page.
For Action, select Service Auth.
For the Selector field, you have two options: you can either allow all service tokens (Any Access Service Token) or specific service tokens (Service Token). For example:

| Rule Action | Rule type | Selector | Value |
| --- | --- | --- | --- |
| Service Auth | Include | Service Token | <TOKEN-NAME> |

Save the policy.
Go back to Device enrollment permissions and add the newly created policy to your permissions.
Select Save.
You can use a shell script to automate WARP installation and registration. The following example shows how to deploy WARP on Ubuntu 24.04.
In a terminal, create a new .sh file using a text editor. For example:
Press i to enter insert mode and add the following lines:
If you are using Debian or RHEL / CentOS, modify the warp() function so that it installs the correct WARP package for your OS.
Modify the values in the mdm() function:
- For auth_client_id and auth_client_secret, replace the string values with the Client ID and Client Secret of your service token.
- For organization, replace your-team-name with your Zero Trust team name.
- (Optional) Add or modify other WARP deployment parameters according to your preferences.
Press esc, then type :x and press Enter to save and exit.
To install WARP using the example script:
Make the script executable:
Run the script:
WARP is now deployed with the configuration parameters stored in /var/lib/cloudflare-warp/mdm.xml. Assuming auto_connect is configured, WARP will automatically connect to your Zero Trust organization. Once connected, the device will appear in Zero Trust under My Team > Devices with the email non_identity@<team-name>.cloudflareaccess.com.
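
A variant of the mdm() step that keeps the Client Secret out of the script file, shown as an added example rather than the tutorial's own script: it reads the service token from environment variables, escapes the values and installs mdm.xml atomically with owner-only permissions. The variable names, the helper functions, the <dict> layout and the auto_connect value of 1 are assumptions.

```sh
#!/bin/sh
# Added example, not the tutorial's script. Assumed names: the WARP_CLIENT_ID,
# WARP_CLIENT_SECRET and WARP_ORG variables and both helper functions.

# Escape XML special characters so a value cannot break out of <string>.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_mdm [path]: render mdm.xml from the environment and install it.
# The body runs in a subshell, so "exit" only leaves this function.
write_mdm() (
    dest="${1:-/var/lib/cloudflare-warp/mdm.xml}"
    if [ -z "${WARP_CLIENT_ID:-}" ] || [ -z "${WARP_CLIENT_SECRET:-}" ] ||
       [ -z "${WARP_ORG:-}" ]; then
        echo "error: set WARP_CLIENT_ID, WARP_CLIENT_SECRET and WARP_ORG" >&2
        exit 1
    fi
    # Temp file beside the target: created owner-only, then renamed into
    # place, so the secret is never world-readable or half-written.
    umask 077
    tmp="$(mktemp "${dest}.XXXXXX")" || exit 1
    # Assumed layout: plist-style key/value pairs inside a single <dict>.
    cat > "$tmp" <<EOF
<dict>
    <key>auth_client_id</key>
    <string>$(xml_escape "$WARP_CLIENT_ID")</string>
    <key>auth_client_secret</key>
    <string>$(xml_escape "$WARP_CLIENT_SECRET")</string>
    <key>auto_connect</key>
    <integer>1</integer>
    <key>organization</key>
    <string>$(xml_escape "$WARP_ORG")</string>
</dict>
EOF
    chmod 600 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; exit 1; }
)
```

Call write_mdm as root from the deployment script in place of an mdm() function with hardcoded strings, with the three variables supplied by your secret store at run time.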
