Date: 2026-03-04
Tunnel tokens
A remotely-managed tunnel only requires a token to run. Anyone with the token can run the tunnel.
To get the token for a remotely-managed tunnel:
In the Cloudflare dashboard, go to Networking > Tunnels.
Select your tunnel.
Select Add a replica.
Copy the cloudflared installation command into a text editor (do not run the command). The token is the eyJ... string.
At least one of the following API token permissions is required:
Cloudflare One Connectors Write
Cloudflare One Connector: cloudflared Write
Cloudflare Tunnel Write
Rotate tokens regularly to reduce the risk of compromise. For tunnels with multiple replicas, rotate outside working hours and update replicas in batches.
Select Rotate token. After rotating the token, cloudflared cannot establish new connections with the old token. Existing connectors remain active until restarted.
Select Add replica and copy the new cloudflared installation command.
On each replica, reinstall the cloudflared service using the new token:
Rotate a compromised token
If your tunnel token is compromised, immediately rotate the token, then force-disconnect all existing connections:
Then reinstall the cloudflared service on all replicas using the new token.
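Because anyone holding the token can run the tunnel, it is worth scanning service files, deployment scripts and repositories for tunnel tokens so that any exposed token can be rotated. The following is an added example, not part of the Cloudflare documentation: it assumes the eyJ... string is base64-encoded JSON with the keys a (account tag), t (tunnel ID) and s (secret), as parsed by the open-source cloudflared client; the function names and sample lines are constructed for illustration.

```python
import base64
import json
import re

# Candidates: base64 text starting with "eyJ", the encoding of '{"'.
CANDIDATE = re.compile(r"eyJ[A-Za-z0-9+/_-]{20,}={0,2}")
# Assumption: decoded JSON holds account tag "a", tunnel ID "t", secret "s".
REQUIRED_KEYS = {"a", "t", "s"}

def decode_candidate(text):
    """Return the decoded JSON object, or None if text is not base64 JSON."""
    body = text.rstrip("=").replace("-", "+").replace("_", "/")
    body += "=" * (-len(body) % 4)
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # covers base64, JSON and UTF-8 decoding errors
        return None
    return obj if isinstance(obj, dict) else None

def find_tunnel_tokens(lines):
    """Return (line_number, tunnel_id, redacted_token) per likely token."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in CANDIDATE.finditer(line):
            obj = decode_candidate(match.group())
            if obj is None or not REQUIRED_KEYS.issubset(obj):
                continue  # e.g. a JWT segment: same prefix, different keys
            # Name the tunnel to rotate, but never echo the secret itself.
            findings.append((number, str(obj["t"]), match.group()[:6] + "..."))
    return findings

def make_sample_token():
    """Constructed placeholder token; not a real credential."""
    fields = {"a": "0" * 32, "t": "00000000-0000-0000-0000-000000000000",
              "s": base64.b64encode(b"constructed-sample-secret").decode()}
    return base64.b64encode(json.dumps(fields).encode()).decode()

# Constructed sample input: a service unit line, a JWT, and a clean line.
SAMPLE_LINES = [
    "ExecStart=/usr/bin/cloudflared tunnel run --token " + make_sample_token(),
    "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2ln",
    "no credentials on this line",
]

if __name__ == "__main__":
    for number, tunnel_id, redacted in find_tunnel_tokens(SAMPLE_LINES):
        print(f"line {number}: token {redacted} for tunnel {tunnel_id}")
```

The reported tunnel ID identifies which tunnel needs its token rotated; the JWT on the second sample line shares the eyJ prefix but is skipped because it lacks the expected keys.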