cloudflare-tunnel

Original：🇺🇸 English

Translated

Authenticate requests through Cloudflare Access / Cloudflare Tunnel using Service Token headers. Use when accessing services protected by Cloudflare Zero Trust.

2installs

Sourcevm0-ai/vm0-skills

Added on2026-03-04

NPX Install

npx skill4agent add vm0-ai/vm0-skills cloudflare-tunnel

SKILL.md Content

View Translation Comparison →

Cloudflare Tunnel / Access Authentication

Authenticate HTTP requests to services protected by Cloudflare Access using Service Token headers.

When to Use

Access internal services exposed via Cloudflare Tunnel
Authenticate to Cloudflare Zero Trust protected applications
Make API calls to services behind Cloudflare Access
Bypass Cloudflare Access login page for automated requests

Prerequisites

bash

export CF_ACCESS_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.access
export CF_ACCESS_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Create Service Token

Go to Cloudflare Zero Trust Dashboard
Navigate to Access → Service Auth → Service Tokens
Click Create Service Token
Name your token and click Generate token
Copy both Client ID and Client Secret (shown only once!)

Configure Access Policy

Ensure your Access Application allows service token authentication:

Go to Access → Applications → Select your app
Add a policy with Service Token as Include rule
Select your created token

Important: When using
$VAR
in a command that pipes to another command, wrap the command containing
$VAR
in
bash -c '...'
. Due to a Claude Code bug, environment variables are silently cleared when pipes are used directly.

Usage

Basic curl Request

Add two headers to authenticate through Cloudflare Access:

bash

bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"'

With Additional Authentication

Many services require both Cloudflare Access AND their own authentication:

bash

bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Authorization: Bearer $API_TOKEN" \
  "https://your-protected-service.example.com/api/endpoint"'

With Basic Auth

bash

bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -u "username:password" \
  "https://your-protected-service.example.com/api/endpoint"'

POST Request with JSON Body

Write to

/tmp/request.json

:

json

{
  "key": "value"
}

Then run:

bash

bash -c 'curl -s -X POST \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Content-Type: application/json" \
  -d @/tmp/request.json \
  "https://your-protected-service.example.com/api/endpoint"'

Download File

bash

bash -c 'curl -s -o /tmp/output.file \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/file"'

Skip SSL Verification (Self-signed certs)

Add

-k

flag for services with self-signed certificates:

bash

bash -c 'curl -k -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"'

Required Headers

Header	Value	Description
`CF-Access-Client-Id`	`<client-id>.access`	Service Token Client ID
`CF-Access-Client-Secret`	`<secret>`	Service Token Client Secret

Common Errors

Error	Cause	Solution
403 Forbidden	Invalid or missing headers	Check Client ID and Secret
403 Forbidden	Token not in Access policy	Add token to application's Access policy
401 Unauthorized	Service's own auth failed	Check service-specific credentials
Connection refused	Tunnel not running	Verify cloudflared is running

Tips

Header order doesn't matter - CF headers can be anywhere in the request
Works with any HTTP method - GET, POST, PUT, DELETE, etc.
Combine with other auth - CF Access + Basic Auth, Bearer Token, etc.
Token rotation - Rotate secrets periodically in Zero Trust dashboard

API Reference

Cloudflare Access: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
Zero Trust Dashboard: https://one.dash.cloudflare.com/

cloudflare-tunnel

NPX Install

Tags

SKILL.md Content

Cloudflare Tunnel / Access Authentication

When to Use

Prerequisites

Create Service Token

Configure Access Policy

Usage

Basic curl Request

With Additional Authentication

With Basic Auth

POST Request with JSON Body

Download File

Skip SSL Verification (Self-signed certs)

Required Headers

Common Errors

Tips

API Reference