Service tokens

You can provide automated systems with service tokens to authenticate against Cloudflare’s Zero Trust policies. Cloudflare for Teams generates service tokens that consist of an ID and a Secret. Automated systems or applications can then use these values to reach an application protected by Access.

This section covers how to create, renew, and revoke a service token.

Create a service token

  1. On the Zero Trust dashboard, navigate to Access > Service Auth.

  2. Go to the Service Tokens tab.

  3. Click Create Service Token.

  4. Next, name the service token.

    The name allows you to easily identify events related to the token in the logs and to revoke the token individually.

  5. Click Generate token.

    The next page will display the generated Client ID and Client Secret for the service token.

  6. On the next page, copy the Client Secret.

  7. Click Close.

You can now use the service token when you create service auth policies. When creating these policies, use the Service Auth action to ensure that the identity provider login screen is not required for end users.

Connect your service to Access

Access expects both values as headers in any request sent to the applications behind Access. Add them to every request, using the following header names:

CF-Access-Client-Id: <Client ID>
CF-Access-Client-Secret: <Client Secret>

When a request is made to an application behind our network, the request submits both headers to Access. If the service token is valid, Access generates a JWT scoped to the application. All subsequent requests with that JWT will succeed until the JWT expires.
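One way for a client to attach the two headers above without exposing the Client Secret, as an added example that is not Cloudflare's own code. The environment variable names, the sample values and the app.example.com hostname are assumptions made for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Header names as given on this page.
ID_HEADER = "CF-Access-Client-Id"
SECRET_HEADER = "CF-Access-Client-Secret"


def load_service_token(env=os.environ):
    """Read the token pair from the environment, not from source code.

    The two variable names are assumptions made for this example.
    """
    client_id = env.get("CF_ACCESS_CLIENT_ID", "").strip()
    client_secret = env.get("CF_ACCESS_CLIENT_SECRET", "").strip()
    if not client_id or not client_secret:
        raise RuntimeError("service token ID or secret is not set")
    return client_id, client_secret


def build_request(url, client_id, client_secret):
    """Attach both headers; refuse to send the secret over cleartext HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("service token headers must only go over HTTPS")
    headers = {ID_HEADER: client_id, SECRET_HEADER: client_secret}
    return urllib.request.Request(url, headers=headers)


def loggable_headers(request):
    """Return the request headers with the Client Secret masked for logs."""
    secret_key = SECRET_HEADER.capitalize()  # urllib stores names this way
    return {
        name: "[REDACTED]" if name == secret_key else value
        for name, value in request.header_items()
    }


if __name__ == "__main__":
    # Constructed sample values; app.example.com is a placeholder hostname.
    sample_env = {
        "CF_ACCESS_CLIENT_ID": "sample-id",
        "CF_ACCESS_CLIENT_SECRET": "sample-secret",
    }
    req = build_request("https://app.example.com/", *load_service_token(sample_env))
    print(loggable_headers(req))
    # urllib.request.urlopen(req) would send the request to the application.
```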

Renew service tokens

By default, service tokens expire one year after creation. You can extend a token’s lifecycle by navigating to the Service Tokens tab and clicking the Refresh button for the token you want to renew. The Refresh operation will extend the token’s lifetime by one year from the date of the refresh.

Revoke service tokens

By default, Access service tokens expire one year after they are created. If you need to revoke access earlier, simply delete the token.

To revoke a service token immediately:

  1. On the Teams dashboard, navigate to Access > Service Auth > Service Tokens.

  2. Click Delete for the token you need to revoke.

When revoking service tokens, keep in mind:

  • Services that rely on a deleted service token can no longer reach your application.
  • Clicking Revoke Existing Tokens when editing a policy in the Edit Access Policy dialog revokes existing sessions but does not revoke access.

As long as the Client ID and Client Secret are still valid, they can be exchanged for a new token on the next request. To revoke access, you must delete the service token.

Set a token expiration alert

Service tokens have a default expiration of 12 months from when they are first created. You can configure an alert that notifies you a week before a service token expires, so that an administrator can refresh the token in time.

To configure a service token expiration alert:

  1. Navigate to the Cloudflare dashboard.

  2. Select the Notifications tab.

  3. Click Create.

  4. Select the Event Type “Expiring Access Service Token”.

  5. Enter a name for your alert, and an optional description.

  6. If you’d like to add other recipients for the notification email, click +Add email recipient.

  7. Click Create.

Your alert is now set and is visible in the Notifications tab of the Cloudflare dashboard.