
One-Time PIN

Cloudflare Access — OTP delivered via email. No external identity provider required.


Your Identity

CF Access — /cdn-cgi/access/get-identity

How This Works

Cloudflare Access intercepts the request before it reaches the origin. If no valid CF_Authorization cookie exists, the user is redirected to the Access login page. With OTP selected as the identity provider, the user enters their email address and Cloudflare sends a one-time code directly — no external IdP involved.

The Access policy controls which email addresses or domains are permitted. On successful verification, Cloudflare issues a signed JWT and sets it as a cookie on the domain. Subsequent requests carry this cookie and bypass the login screen until expiry.
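As an added example (not code from this demo or from Cloudflare), the sketch below shows the checks an origin can apply to the JWT carried in the CF_Authorization cookie: pinned RS256 signature verification, expiry, audience and permitted email domain. The RSA key pair, the `EXAMPLE_AUD_TAG` value and all helper names are constructed for the example; in a real deployment the verification key is one of the Access signing keys published under your team domain at /cdn-cgi/access/certs, and the audience is the AUD tag of your Access application.

```javascript
// Added example: origin-side checks on the CF_Authorization JWT (constructed keys, not Cloudflare's).
const crypto = require("node:crypto");

const b64url = (x) => Buffer.from(x).toString("base64url");

// Pull the token out of a Cookie header; returns null if the cookie is absent.
function accessTokenFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)CF_Authorization=([^;]+)/.exec(cookieHeader || "");
  return m ? m[1] : null;
}

// Returns the claims if every check passes; throws on the first failure.
function verifyAccessJwt(token, key, { aud, domain, now = Date.now() / 1000 }) {
  const parts = (token || "").split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm: the token must never choose how it is verified.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify("RSA-SHA256", signed, key, Buffer.from(s, "base64url"))) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (!(typeof claims.exp === "number" && claims.exp > now)) throw new Error("expired");
  if (![].concat(claims.aud).includes(aud)) throw new Error("wrong audience");
  // Re-checks the Access policy's email-domain rule at the origin (defence in depth).
  if (!String(claims.email).toLowerCase().endsWith("@" + domain)) throw new Error("email not permitted");
  return claims;
}

// --- Constructed fixtures: a local key pair stands in for the Access signing key ---
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const AUD = "EXAMPLE_AUD_TAG"; // placeholder for the application's AUD tag
const DOMAIN = "barbicancloud.co.uk"; // email domain from the policy step on this page

// Hypothetical helper that mints sample tokens so the verifier can be exercised offline.
function mintToken(claims, key = privateKey, alg = "RS256") {
  const input = `${b64url(JSON.stringify({ alg, typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  const sig = alg === "none" ? "" : crypto.sign("RSA-SHA256", Buffer.from(input), key).toString("base64url");
  return `${input}.${sig}`;
}

// True when the verifier refuses the token.
function rejects(token) {
  try { verifyAccessJwt(token, publicKey, { aud: AUD, domain: DOMAIN }); return false; } catch { return true; }
}
```
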


Cloudflare Configuration

  1. Zero Trust → Access → Applications → Add an Application → Self-hosted
  2. Set the application domain to barbicancloud.co.uk/otp/* (path) or otp.barbicancloud.co.uk (subdomain)
  3. Under Identity Providers, enable One-time PIN — no setup required, it is built into Cloudflare Access
  4. Add a policy: Action = Allow, Selector = Emails or Email domain (e.g. barbicancloud.co.uk)
  5. Save. Cloudflare will now gate this path/subdomain and handle OTP delivery

Note: OTP is the simplest Access method to configure. It requires no app registration in Entra or any external system. Use it to validate that your Access Application and policy are working before adding a full IdP.


Routing

Path-based: barbicancloud.co.uk/otp/
Subdomain: otp.barbicancloud.co.uk