From b9229f21d650d1cc8ac27d4a226267de12a23582 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 28 Apr 2025 17:12:55 -0400 Subject: [PATCH 1/2] send service token in one header --- .../identity/service-tokens.mdx | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/service-tokens.mdx b/src/content/docs/cloudflare-one/identity/service-tokens.mdx index 6eae9884229482..872ad9987ba92c 100644 --- a/src/content/docs/cloudflare-one/identity/service-tokens.mdx +++ b/src/content/docs/cloudflare-one/identity/service-tokens.mdx @@ -5,7 +5,7 @@ sidebar: order: 6 --- -import { AvailableNotifications, Render } from "~/components"; +import { AvailableNotifications, Render, APIRequest } from "~/components"; You can provide automated systems with service tokens to authenticate against your Zero Trust policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access. @@ -35,6 +35,31 @@ curl -H "CF-Access-Client-Id: " -H "CF-Access-Client-Secret: + +2. Add the header to any HTTP request. For example, + + ```sh + curl -H "Authorization: {"CF-Access-Client-Id": "", "CF_Access-Client-Secret": ""}" https://app.example.com + ``` + ### Subsequent requests After you have [authenticated to the application](#initial-request) using the service token, add the resulting `CF_Authorization` cookie to the headers of all subsequent requests: From cd7dd282d0046a3bb7e05bc59ba87ac8e07f1d91 Mon Sep 17 00:00:00 2001 From: Ranbel Sun Date: Mon, 28 Apr 2025 17:47:57 -0400 Subject: [PATCH 2/2] clarify PUT request body --- .../docs/cloudflare-one/identity/service-tokens.mdx | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
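Review bot: In the curl example added under step 2 of the `@@ -35,6 +35,31 @@` hunk (PATCH 1/2), the secret key is spelled `CF_Access-Client-Secret` with an underscore, while the Client ID key beside it and the two-header example quoted in the hunk header both use hyphens (`CF-Access-Client-Secret`). The header value is also wrapped in double quotes that themselves contain double quotes, so the shell consumes the inner quotes and the JSON object is not sent as written. I would change the line to `curl -H 'Authorization: {"CF-Access-Client-Id": "<CLIENT_ID>", "CF-Access-Client-Secret": "<CLIENT_SECRET>"}' https://app.example.com`, where `<CLIENT_ID>` and `<CLIENT_SECRET>` are placeholders (the values are blank in this rendering of the patch). A reader who copies the current example would presumably get an authentication failure with no hint that the example itself is at fault, so it is worth fixing before merge.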
diff --git a/src/content/docs/cloudflare-one/identity/service-tokens.mdx b/src/content/docs/cloudflare-one/identity/service-tokens.mdx index 872ad9987ba92c..47a5da52f95443 100644 --- a/src/content/docs/cloudflare-one/identity/service-tokens.mdx +++ b/src/content/docs/cloudflare-one/identity/service-tokens.mdx @@ -41,7 +41,14 @@ You can configure a self-hosted Access application to accept a service token in To authenticate using a single header: -1. In your Access application, specify the name of the header you want to use for service token authentication: +1. Get your existing Access application configuration: + + + +2. Make a `PUT` request with the name of the header you want to use for service token authentication. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request. 2. Add the header to any HTTP request. For example,