Date: 2026-03-04

A remotely-managed tunnel only requires a token to run. Anyone with the token can run the tunnel.

Get the token

To get the token for a remotely-managed tunnel:

Dashboard

1. In the Cloudflare dashboard, go to Networking > Tunnels.
2. Select your tunnel.
3. Select Add a replica.
4. Copy the cloudflared installation command into a text editor (do not run the command). The token is the eyJ... string.

API

Required API token permissions

At least one of the following token permissions is required:

- Cloudflare One Connectors Write
- Cloudflare One Connector: cloudflared Write
- Cloudflare Tunnel Write

Get a Cloudflare Tunnel token

    curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/token" \
      --request GET \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

Rotate a token

Rotate tokens regularly to reduce the risk of compromise. For tunnels with multiple replicas, rotate outside working hours and update replicas in batches.

1. In the Cloudflare dashboard, go to Networking > Tunnels.
2. Select your tunnel.
3. Select Rotate token. After rotating the token, cloudflared cannot establish new connections with the old token. Existing connectors remain active until restarted.
4. Select Add replica and copy the new cloudflared installation command.
5. On each replica, reinstall the cloudflared service using the new token:

    sudo cloudflared service uninstall
    sudo cloudflared service install <NEW_TOKEN>
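
Because anyone holding the token can run the tunnel, it helps to find stray copies (shell history, CI logs, notes) before and after a rotation. The Python scanner below is an added example, not Cloudflare's code: it assumes the eyJ... string is base64-encoded JSON with the keys a, t and s, and its function names and sample data are constructed for illustration.

```python
import base64
import json
import re

# The page describes the token as an "eyJ..." string: base64 of text starting '{"'.
CANDIDATE = re.compile(r"eyJ[A-Za-z0-9+/_-]{40,}={0,2}")

def find_tunnel_tokens(text):
    """Return (line_no, account_tag, tunnel_id) per tunnel-token-shaped string.

    Assumed layout: base64 JSON with keys "a" (account tag), "t" (tunnel ID)
    and "s" (tunnel secret). The secret is never returned.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            raw = match.group(0).rstrip("=")
            raw += "=" * (-len(raw) % 4)  # restore padding lost in copy/paste
            try:
                obj = json.loads(base64.urlsafe_b64decode(raw))
            except ValueError:  # not base64, not UTF-8 or not JSON
                continue
            if isinstance(obj, dict) and {"a", "t", "s"} <= obj.keys():
                findings.append((line_no, obj["a"], obj["t"]))
    return findings

def constructed_token():
    # Constructed sample: placeholder IDs and an all-zero secret, not a real token.
    body = {"a": "0" * 32, "t": "00000000-0000-0000-0000-000000000000",
            "s": base64.b64encode(bytes(32)).decode()}
    return base64.b64encode(json.dumps(body).encode()).decode()

# Constructed input: a shell-history style line plus a JWT, which also starts
# with "eyJ" but lacks the a/t/s keys and must not be reported.
JWT_HEADER = base64.urlsafe_b64encode(
    b'{"alg":"HS256","typ":"JWT","kid":"constructed"}').decode()
SAMPLE_LOG = "\n".join([
    "$ ls /etc/cloudflared",
    "$ sudo cloudflared service install " + constructed_token(),
    "Authorization: Bearer " + JWT_HEADER + ".e30.sig",
])

if __name__ == "__main__":
    for line_no, account, tunnel in find_tunnel_tokens(SAMPLE_LOG):
        print(f"line {line_no}: tunnel token for tunnel {tunnel} (account {account})")
```

Any tunnel ID the scanner reports outside the intended replicas is a reason to rotate that tunnel's token.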