Barbican Identity Demo

Service Token

Cloudflare Access machine-to-machine authentication via client ID and secret headers.

Auth Status

Service token authentication

If you reached this page via a browser, a valid CF_Authorization session cookie was present. If you reached this page programmatically, the CF-Access-Client-Id and CF-Access-Client-Secret headers were validated by Cloudflare at the edge.

How This Works

A Cloudflare Access Service Token is a client ID and secret pair generated in Zero Trust. Unlike user authentication, there is no redirect or login page — the client passes credentials as HTTP headers on every request.

Cloudflare validates the headers at the edge before forwarding the request. If the headers are absent or invalid, Cloudflare returns a 401. The origin never receives unauthenticated requests.

Service tokens have an expiry date set at creation time. Rotation must be handled manually or automated via the Cloudflare API.

vs mTLS: Both are machine-to-machine methods. Service tokens are simpler to issue and rotate — just a header pair. mTLS is stronger (certificate-based, validated at TLS layer) but requires certificate management. Use service tokens for internal automation, mTLS where stronger guarantees or device identity is needed.

Cloudflare Configuration

1. Generate a Service Token

  1. Zero Trust → Access → Service Auth → Service Tokens → Create Service Token
  2. Name: barbican-demo-token, set an expiry duration
  3. Copy the Client ID and Client Secret immediately — the secret is shown only once

2. Add Access Application

  1. Zero Trust → Access → Applications → Add an Application → Self-hosted
  2. Domain: barbicancloud.co.uk/service-token/* or service-token.barbicancloud.co.uk
  3. Add a policy: Action = Non-identity (Service Auth), Selector = Service Token → select barbican-demo-token

Set the session duration to "No duration, expires immediately" for service token policies: clients should re-authenticate on every request rather than relying on a session cookie.

Making Authenticated Requests

curl https://barbicancloud.co.uk/service-token/ \
  -H "CF-Access-Client-Id: <your-client-id>" \
  -H "CF-Access-Client-Secret: <your-client-secret>"

In application code, include these two headers on every request to the protected endpoint. No session management or token refresh is required — Cloudflare validates on each request.
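As an added example (not code from the Barbican demo), the following Python client does what the paragraph above describes: it attaches the two headers to every request, keeps no cookie or session, and treats a 401 as Cloudflare rejecting the token at the edge before the origin is reached. It also includes a small expiry check of the kind a rotation job would run, since tokens expire at the date fixed when they were created. The simulated edge, the sample credential values and the helper names are assumptions of this example so that it runs offline; against the real endpoint, call fetch() without an opener.

```python
"""Client for an endpoint behind Cloudflare Access with a Service Token.

Added example, not code from the Barbican demo. The simulated edge below
stands in for Cloudflare so this runs offline; real use passes no opener.
"""
import io
import urllib.error
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone

# Header names Cloudflare Access validates at the edge (from the page).
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"

class MissingCredentials(RuntimeError):
    """Either half of the service token is not configured."""

def service_token_headers(client_id, client_secret):
    """Build the header pair sent on every request; refuse empty values up
    front, since Cloudflare would just answer 401 with no hint why."""
    if not client_id or not client_secret:
        raise MissingCredentials("client ID and client secret are both required")
    return {CLIENT_ID_HEADER: client_id, CLIENT_SECRET_HEADER: client_secret}

@dataclass
class AccessResponse:
    status: int
    body: bytes

    @property
    def rejected_at_edge(self):
        # Absent or invalid headers never reach the origin; Cloudflare answers 401.
        return self.status == 401

def fetch(url, headers, opener=None, timeout=10.0):
    """GET the protected URL. No cookie or session is kept: the headers are
    re-sent on each call and Cloudflare validates them each time."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    opener = opener or urllib.request.build_opener()  # real network by default
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return AccessResponse(err.code, err.read())
    try:
        return AccessResponse(resp.status, resp.read())
    finally:
        resp.close()

def days_until_expiry(expires_at, now=None):
    """Days left on a token from the ISO 8601 expiry fixed at creation; the
    check a scheduled rotation job would run before the deadline."""
    expiry = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
    now_dt = (datetime.fromisoformat(now.replace("Z", "+00:00")) if now
              else datetime.now(timezone.utc))
    return (expiry - now_dt).total_seconds() / 86400

class _SimulatedEdge:
    """Offline stand-in for the edge check (constructed for this example):
    both headers present and matching -> forwarded; otherwise 401."""

    def __init__(self, client_id, client_secret):
        self._id, self._secret = client_id, client_secret

    def open(self, req, timeout=None):
        sent = {k.lower(): v for k, v in req.header_items()}
        if (sent.get(CLIENT_ID_HEADER.lower()) == self._id
                and sent.get(CLIENT_SECRET_HEADER.lower()) == self._secret):
            return _OriginResponse()
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {},
                                     io.BytesIO(b"rejected at edge"))

class _OriginResponse:
    """What the origin returns once the edge has let the request through."""
    status = 200

    def read(self):
        return b"origin content"

    def close(self):
        pass

def demo():
    """One valid and one invalid request against the simulated edge."""
    edge = _SimulatedEdge("demo-client-id", "demo-client-secret")  # constructed values
    url = "https://barbicancloud.co.uk/service-token/"
    good = fetch(url, service_token_headers("demo-client-id", "demo-client-secret"), edge)
    bad = fetch(url, service_token_headers("demo-client-id", "wrong-secret"), edge)
    return good, bad

if __name__ == "__main__":
    ok, rejected = demo()
    print("valid token  ->", ok.status, ok.body.decode())
    print("wrong secret ->", rejected.status, rejected.body.decode())
```

The client never stores a cookie and never inspects a session: each call rebuilds the same two headers, which is exactly why the policy's session duration can be set to expire immediately. Read the real client ID and secret from a secrets store or environment variable at startup rather than embedding them in source.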
Routing

Path-based: barbicancloud.co.uk/service-token/
Subdomain: service-token.barbicancloud.co.uk