Cloudflare Docs

Tunnel tokens

A remotely-managed tunnel only requires a token to run. Anyone with the token can run the tunnel.

Get the token

To get the token for a remotely-managed tunnel:

  1. In the Cloudflare dashboard, go to Networking > Tunnels.

  2. Select your tunnel.

  3. Select Add a replica.

  4. Copy the cloudflared installation command into a text editor (do not run the command). The token is the eyJ... string.

Rotate a token

Rotate tokens regularly to reduce the risk of compromise. For tunnels with multiple replicas, rotate outside working hours and update replicas in batches.

  1. In the Cloudflare dashboard, go to Networking > Tunnels.

  2. Select your tunnel.

  3. Select Rotate token. After rotating the token, cloudflared cannot establish new connections with the old token. Existing connectors remain active until restarted.

  4. Select Add replica and copy the new cloudflared installation command.

  5. On each replica, reinstall the cloudflared service using the new token:

    sudo cloudflared service uninstall
    sudo cloudflared service install <NEW_TOKEN>

Rotate a compromised token

If your tunnel token is compromised, immediately rotate the token, then force-disconnect all existing connections:

Required API token permissions

At least one of the following token permissions is required:
  • Cloudflare One Connectors Write
  • Cloudflare One Connector: cloudflared Write
  • Cloudflare Tunnel Write

Clean up Cloudflare Tunnel connections

    curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections" \
      --request DELETE \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Then reinstall the cloudflared service on all replicas using the new token.
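
When a leaked token turns up (for example in a secret-scanning alert), the first step is working out which tunnel it belongs to. This added example, which is not part of Cloudflare's documentation or code, decodes a token into the `$ACCOUNT_ID` and `$TUNNEL_ID` used in the request above without printing the secret. It assumes the token is base64-encoded JSON with the account ID in `a`, the tunnel ID in `t` and the secret in `s`; the sample token and its IDs are constructed.

```shell
#!/usr/bin/env bash
# Added example, not Cloudflare's code.
# Assumption: a tunnel token is base64-encoded JSON where "a" is the account ID,
# "t" is the tunnel ID and "s" is the tunnel secret. The secret is never printed.

# Decode a token to its JSON payload, tolerating missing '=' padding.
decode_token() {
  local tok="$1"
  while [ $(( ${#tok} % 4 )) -ne 0 ]; do tok="${tok}="; done
  printf '%s' "$tok" | base64 -d 2>/dev/null
}

# Extract one string field (for example a or t) from the flat JSON payload.
token_field() {
  decode_token "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Print ACCOUNT_ID and TUNNEL_ID for a token; return 1 if it is not a tunnel token.
token_ids() {
  local account tunnel
  account="$(token_field "$1" a)"
  tunnel="$(token_field "$1" t)"
  if [ -z "$account" ] || [ -z "$tunnel" ]; then
    echo "not a tunnel token" >&2
    return 1
  fi
  printf 'ACCOUNT_ID=%s\nTUNNEL_ID=%s\n' "$account" "$tunnel"
}

# Constructed sample token (placeholder IDs, dummy secret) so the example runs offline.
SAMPLE_JSON='{"a":"0123456789abcdef0123456789abcdef","t":"11111111-2222-3333-4444-555555555555","s":"ZHVtbXktc2VjcmV0"}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_JSON" | base64 | tr -d '\n')"

token_ids "$SAMPLE_TOKEN"
```

Treat the token as a live credential while triaging it: pass it through an environment variable or a file rather than typing it on a command line that is recorded in shell history.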