Tunnel permissions
A remotely-managed tunnel only requires the tunnel token to run. Anyone with access to the token will be able to run the tunnel.
To get the token for a remotely-managed tunnel:
- In Zero Trust ↗, go to Networks > Tunnels.
- Select a
cloudflared
tunnel and select Edit. - Copy
cloudflared
installation command. - Paste the installation command into any text editor. The token value is of the form
eyJhIjoiNWFiNGU5Z...
Make a GET
request to the Cloudflare Tunnel token endpoint. The token value can be found in the result
:
{ "success": true, "errors": [], "messages": [], "result": "eyJhIjoiNWFiNGU5Z..."}
data "cloudflare_zero_trust_tunnel_cloudflared_token" "tunnel_token" { account_id = var.cloudflare_account_id tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.example_tunnel.id}
If your host machine is not managed in Terraform or you want to install the tunnel manually, you can output the token value to the CLI.
Example: Output to CLI
- Output the tunnel token to the Terraform state file:
output "tunnel_token" {value = data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.tokensensitive = true}
- Apply the configuration:
Terminal window terraform apply - Read the tunnel token:
Terminal window terraform output -raw tunnel_tokeneyJhIj...
Alternatively, pass data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token
directly into your host's Terraform configuration or store the token in your secret management tool.
Example: Store in HashiCorp Vault
resource "vault_generic_secret" "tunnel_token" { path = "kv/cloudflare/tunnel_token"
data_json = jsonencode({ "TUNNEL_TOKEN" = data.cloudflare_zero_trust_tunnel_cloudflared_token.tunnel_token.token })}
Cloudflare recommends rotating the tunnel token at a regular cadence to reduce the risk of token compromise. You can rotate a token with minimal disruption to users as long as the tunnel is served by at least two cloudflared
replicas. To ensure service availability, we recommend performing token rotations outside of working hours or in a maintenance window.
To rotate a tunnel token:
-
Refresh the token on Cloudflare:
- In Zero Trust ↗, go to Networks > Tunnels.
- Select a
cloudflared
tunnel and select Edit. - Select Refresh token.
- Copy the
cloudflared
installation command for your operating system. This command contains the new token.
-
Generate a random base64 string (minimum size 32 bytes) to use as a tunnel secret:
Terminal window openssl rand -base64 32AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg= -
Make a
PATCH
request to the Cloudflare Tunnel endpoint:Terminal window curl --request PATCH \https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \--header 'Content-Type: application/json' \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \--data '{"name": "Example tunnel","tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="}'{"success": true,"errors": [],"messages": [],"result": {"id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415","account_tag": "699d98642c564d2e855e9661899b7252","created_at": "2024-12-04T22:03:26.291225Z","deleted_at": null,"name": "Example tunnel","connections": [],"conns_active_at": null,"conns_inactive_at": "2024-12-04T22:03:26.291225Z","tun_type": "cfd_tunnel","metadata": {},"status": "inactive","remote_config": true,"token": "eyJhIjoiNWFiNGU5Z..."}} -
Copy the
token
value shown in the output.
After refreshing the token,
cloudflared
can no longer establish new connections to Cloudflare using the old token. However, existing connectors will remain active and the tunnel will continue serving traffic. -
On half of your
cloudflared
replicas, updatecloudflared
to use the new token. For example, on a Linux host:Terminal window sudo cloudflared service install <TOKEN> -
Restart
cloudflared
:Terminal window sudo systemctl restart cloudflared.service -
Confirm that the service started correctly:
Terminal window sudo systemctl status cloudflaredWhile these replicas are connecting to Cloudflare with the new token, traffic will automatically route through the other replicas.
-
Wait 10 minutes for traffic to route through the new connectors.
-
Repeat steps 2, 3, and 4 for the second half of the replicas.
The tunnel token is now fully rotated. The old token is no longer in use.
If your tunnel token is compromised, we recommend taking the following steps:
-
Refresh the token using the dashboard or API. Refer to Step 1 of Rotate a token without service disruption.
-
Delete all connections between
cloudflared
and Cloudflare:Terminal window curl --request DELETE \https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"This will clean up any unauthorized connections and prevent users from connecting to your network.
-
On each
cloudflared
replica, updatecloudflared
to use the new token. For example, on a Linux host:Terminal window sudo cloudflared service install <TOKEN> -
Restart
cloudflared
:Terminal window sudo systemctl restart cloudflared.service -
Confirm that the service started correctly:
Terminal window sudo systemctl status cloudflared
The tunnel token is now fully rotated. The old token is no longer in use.
Minimum permissions needed to create, delete, and configure tunnels for an account:
Additional permissions needed to route traffic to a public hostname:
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark