Subscribe to receive notifications of new posts:

Give your automated services credentials with Access service tokens

2019-02-07

2 min read

Cloudflare Access secures your internal sites by adding authentication. When a request is made to a site behind Access, Cloudflare asks the visitor to login with your identity provider. With service tokens, you can now extend that same level of access control by giving credentials to automated tools, scripts, and bots.

Authenticating users and bots alike

When users attempt to reach a site behind Access, Cloudflare looks for a JSON Web Token (a JWT) to determine if that visitor is allowed to reach that URL. If user does not have a JWT, we redirect them to the identity provider configured for your account. When they login successfully, we generate the JWT.

When you create an Access service token, Cloudflare generates a unique Client ID and Secret scoped to that service. When your bot sends a request with those credentials as headers, we validate them ourselves instead of redirecting to your identity provider. Access creates a JWT for that service and the bot can use that to reach your application.

Getting started

Within the Access tab of the Cloudflare dashboard, you’ll find a new section: Service Tokens. To get started, select “Generate a New Service Token.”

You’ll be asked to name the service before Access provides you with a Client ID and Client Secret. The dashboard only displays the Client Secret once, so you’ll need to copy it and keep it in a secure location.

Once the service token has been created, you’ll need to update your Access policies to allow requests from approved services. You can add service tokens to existing rules, or you can create new policies for specific endpoints. Access will list the service tokens you created so you can select which services are allowed.

Give the Client ID and Secret to your service with the following header names:

CF-Access-Client-ID:CF-Access-Client-Secret:

When your service attempts to reach an application behind Access, Cloudflare will look for those headers. If found, we’ll confirm they’re valid and exchange them for a JSON Web Token (JWT), which allows the request to proceed.

The Client ID and Secret pair are valid for one year, at which time you can rotate the tokens. If needed, you can revoke the credentials at any time in the Cloudflare dashboard.

A chatbot with service tokens

Here at Cloudflare, we keep product statistics in an application we secure behind Access. When team members need to query or review data, they login with our identity provider and Access directs them to the tool.

We built a bot to grab reports of product usage and share them directly in chat. However, the bot needed a way to reach the data behind Access without opening up a security hole in the application, so we gave the bot an Access service token.

Each time a team member asks for the latest update on a product statistic, the bot uses its Client ID and Client Secret to login with Cloudflare Access that it also has permission to reach the application. Now that we gave the chatbot service tokens, the data is available to everyone instantly.

What’s next?

You can get started with Access service tokens today by following our guide here. Our chatbot is just one use case. With service tokens, you can leave IP allowlisting behind and authenticate any automated system that needs to reach something behind Access.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
SecurityCloudflare Access

Follow on X

Cloudflare|@cloudflare

Related posts

October 23, 2024 1:00 PM

Fearless SSH: short-lived certificates bring Zero Trust to infrastructure

Access for Infrastructure, BastionZero’s integration into Cloudflare One, will enable organizations to apply Zero Trust controls to their servers, databases, Kubernetes clusters, and more. Today we’re announcing short-lived SSH access as the first available feature of this integration. ...

October 08, 2024 1:00 PM

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...

October 06, 2024 11:00 PM

Enhance your website's security with Cloudflare’s free security.txt generator

Introducing Cloudflare’s free security.txt generator, empowering all users to easily create and manage their security.txt files. This feature enhances vulnerability disclosure processes, aligns with industry standards, and is integrated into the dashboard for seamless access. Strengthen your website's security today!...

October 02, 2024 1:00 PM

How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack

Over the past couple of weeks, Cloudflare's DDoS protection systems have automatically and successfully mitigated multiple hyper-volumetric L3/4 DDoS attacks exceeding 3 billion packets per second (Bpps). Our systems also automatically mitigated multiple attacks exceeding 3 terabits per second (Tbps), with the largest ones exceeding 3.65 Tbps. The scale of these attacks is unprecedented....