Authentication
Privacy Proxy requires clients to authenticate before proxying traffic. This page explains the supported authentication methods and when to use them.
Privacy Proxy supports two authentication methods:
|Method
|Use case
|Privacy level
|Pre-shared key (PSK)
|Proof of concept, testing
|Lower
|Privacy Pass tokens
|Production deployments
|Higher
Pre-shared keys provide a simple way to authenticate during development and proof-of-concept testing. Cloudflare provides a secret key that clients include in each request.
Include the PSK in the
Proxy-Authorization header:
The proxy validates the key and allows the connection if it matches.
PSK authentication has limitations that make it unsuitable for production.
- Shared secret: All clients use the same key, so you cannot revoke access for individual users.
- No rate limiting per user: You cannot enforce per-user quotas or limits.
- Linkability: The proxy can link all requests using the same PSK, which reduces user privacy.
Use PSK only for testing. For production deployments, use Privacy Pass tokens.
Privacy Pass ↗ is a protocol that allows clients to authenticate without revealing their identity. Tokens are cryptographically unlinkable, meaning the proxy cannot correlate different requests from the same user.
Privacy Pass uses a three-party architecture:
- Attester: Verifies that the Client is a legitimate user (for example, has a valid account) and forwards token requests to the Issuer.
- Issuer: Signs blinded tokens without learning which Client requested them.
- Origin (Privacy Proxy): Accepts tokens as proof of authorization.
The Client sends the token request through the Attester to maintain unlinkability. This ensures the Issuer cannot correlate token requests with specific attestation events or Client identities.
The Privacy Proxy validates the token using the Issuer's public key. The proxy learns only that the token is valid, not who it was issued to.
The token issuance process:
- The client proves their identity to the attester (for example, by signing in with an account).
- The attester confirms the client is valid.
- The client generates blinded tokens and sends them to the issuer.
- The issuer signs the blinded tokens and returns them.
- The client unblinds the tokens and stores them.
When making a request:
- The client includes a token in the
Proxy-Authorizationheader.
- The proxy verifies the token signature with the issuer's public key.
- The proxy allows the connection if the token is valid.
Because tokens are blinded during issuance, the issuer cannot link tokens to specific issuance requests. The proxy sees only that a token is valid, not who it was issued to.
Privacy Pass tokens are included in the
Proxy-Authorization header using the
PrivateToken scheme:
For production deployments using Privacy Pass:
- Choose an issuer. Cloudflare can operate a token issuer, or you can integrate with a third-party issuer.
- Configure attestation to define how clients prove their identity before receiving tokens.
- Distribute issuer configuration. Clients need the issuer's public key and endpoint to request tokens.
Contact us ↗ to configure Privacy Pass for your deployment.
In double-hop deployments, authentication occurs at two levels:
Proxy A (which you operate) authenticates users. Common methods include:
- Account credentials (username/password, SSO)
- Privacy Pass tokens issued by your infrastructure
- Client certificates (mTLS)
Proxy B authenticates itself to Proxy A using TLS. Depending on your configuration, this can use:
- Standard TLS certificates
- Raw Public Key (RPK) TLS extension for reduced certificate overhead
- Privacy Pass Working Group ↗ - IETF working group developing the Privacy Pass protocol.
- Supporting the latest version of the Privacy Pass protocol ↗ - Cloudflare blog post on Privacy Pass implementation.
