[ZT] Use Access service token in one header #22035


Merged
merged 2 commits into from
Apr 30, 2025

33 changes: 32 additions & 1 deletion src/content/docs/cloudflare-one/identity/service-tokens.mdx
Expand Up @@ -5,7 +5,7 @@ sidebar:
order: 6
---

import { AvailableNotifications, Render } from "~/components";
import { AvailableNotifications, Render, APIRequest } from "~/components";

You can provide automated systems with service tokens to authenticate against your Zero Trust policies. Cloudflare Access will generate service tokens that consist of a Client ID and a Client Secret. Automated systems or applications can then use these values to reach an application protected by Access.

Expand Down Expand Up @@ -35,6 +35,37 @@ curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_

If the service token is valid, Access generates a JWT scoped to the application in the form of a [`CF_Authorization` cookie](/cloudflare-one/identity/authorization-cookie/). You can use this cookie to authenticate [subsequent requests](#subsequent-requests) to the application.

#### Authenticate with a single header

You can configure a self-hosted Access application to accept a service token in a single HTTP header, as an alternative to the `CF-Access-Client-Id` and `CF-Access-Client-Secret` pair of headers. This is useful for authenticating SaaS services that only support sending one custom header in a request (for example, the `Authorization` header).

To authenticate using a single header:

1. Get your existing Access application configuration:

<APIRequest
path="/accounts/{account_id}/access/apps/{app_id}"
method="GET"
/>

2. Make a `PUT` request with the name of the header you want to use for service token authentication. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.

<APIRequest
path="/accounts/{account_id}/access/apps/{app_id}"
method="PUT"
json={{
"domain": "app.example.com",
"type": "self_hosted",
"read_service_tokens_from_header": "Authorization"
Contributor


We should add an ellipsis or something to simulate adding all the other fields. I think by default this would remove most of them.

Contributor Author


The APIRequest Markdown component does not support adding ellipses. Proposed workaround: cd7dd28

}}
/>

2. Add the header to any HTTP request. For example,

```sh
curl -H "Authorization: {"CF-Access-Client-Id": "<CLIENT_ID>", "CF_Access-Client-Secret": "<CLIENT_SECRET>"}" https://app.example.com
```

### Subsequent requests

After you have [authenticated to the application](#initial-request) using the service token, add the resulting `CF_Authorization` cookie to the headers of all subsequent requests:
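
Review bot: the `curl` example in the last step of the new list will not send the JSON it shows, because the header value nests double quotes inside a double-quoted `-H` argument. The shell strips the inner quotes (and reads the unquoted `<CLIENT_ID>` placeholder as a redirection), so the header value is no longer a JSON object. Wrap the argument in single quotes instead: `-H 'Authorization: {"CF-Access-Client-Id": "<CLIENT_ID>", "CF-Access-Client-Secret": "<CLIENT_SECRET>"}'`. The same line spells the second key `CF_Access-Client-Secret` with an underscore, while the prose in this section and the two-header `curl` example use `CF-Access-Client-Secret`; the two should agree. The list also numbers this step `2.` a second time, directly after the `PUT` step. Lastly, the `PUT` body shows only `domain`, `type` and `read_service_tokens_from_header`, although the step text says the body should contain all fields returned by the `GET`; a sentence next to the request stating that the three fields are an excerpt would keep a reader from copying it as-is and overwriting the rest of the application configuration.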