Give your automated services credentials with Access service tokens

Cloudflare Access secures your internal sites by adding authentication. When a request is made to a site behind Access, Cloudflare asks the visitor to login with your identity provider. With service tokens, you can now extend that same level of access control by giving credentials to automated tools, scripts, and bots.

When users attempt to reach a site behind Access, Cloudflare looks for a JSON Web Token (a JWT) to determine if that visitor is allowed to reach that URL. If user does not have a JWT, we redirect them to the identity provider configured for your account. When they login successfully, we generate the JWT.

When you create an Access service token, Cloudflare generates a unique Client ID and Secret scoped to that service. When your bot sends a request with those credentials as headers, we validate them ourselves instead of redirecting to your identity provider. Access creates a JWT for that service and the bot can use that to reach your application.

Within the Access tab of the Cloudflare dashboard, you’ll find a new section: Service Tokens. To get started, select “Generate a New Service Token.”

You’ll be asked to name the service before Access provides you with a Client ID and Client Secret. The dashboard only displays the Client Secret once, so you’ll need to copy it and keep it in a secure location.

Once the service token has been created, you’ll need to update your Access policies to allow requests from approved services. You can add service tokens to existing rules, or you can create new policies for specific endpoints. Access will list the service tokens you created so you can select which services are allowed.

Give the Client ID and Secret to your service with the following header names:

CF-Access-Client-ID:CF-Access-Client-Secret:

When your service attempts to reach an application behind Access, Cloudflare will look for those headers. If found, we’ll confirm they’re valid and exchange them for a JSON Web Token (JWT), which allows the request to proceed.

The Client ID and Secret pair are valid for one year, at which time you can rotate the tokens. If needed, you can revoke the credentials at any time in the Cloudflare dashboard.

Here at Cloudflare, we keep product statistics in an application we secure behind Access. When team members need to query or review data, they login with our identity provider and Access directs them to the tool.

We built a bot to grab reports of product usage and share them directly in chat. However, the bot needed a way to reach the data behind Access without opening up a security hole in the application, so we gave the bot an Access service token.

Each time a team member asks for the latest update on a product statistic, the bot uses its Client ID and Client Secret to login with Cloudflare Access that it also has permission to reach the application. Now that we gave the chatbot service tokens, the data is available to everyone instantly.

You can get started with Access service tokens today by following our guide here. Our chatbot is just one use case. With service tokens, you can leave IP allowlisting behind and authenticate any automated system that needs to reach something behind Access.