playbooks

home / skills / vm0-ai / vm0-skills / cloudflare-tunnel

cloudflare-tunnel skill

/cloudflare-tunnel

This skill authenticates requests to Cloudflare Protected services using Service Tokens, enabling automated, token-based access behind Cloudflare Zero Trust.

npx playbooks add skill vm0-ai/vm0-skills --skill cloudflare-tunnel

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
4.5 KB
---
name: cloudflare-tunnel
description: Authenticate requests through Cloudflare Access / Cloudflare Tunnel using Service Token headers. Use when accessing services protected by Cloudflare Zero Trust.
vm0_secrets:
  - CF_ACCESS_CLIENT_ID
  - CF_ACCESS_CLIENT_SECRET
---

# Cloudflare Tunnel / Access Authentication

Authenticate HTTP requests to services protected by Cloudflare Access using Service Token headers.

## When to Use

- Access internal services exposed via Cloudflare Tunnel
- Authenticate to Cloudflare Zero Trust protected applications
- Make API calls to services behind Cloudflare Access
- Bypass Cloudflare Access login page for automated requests

## Prerequisites

```bash
export CF_ACCESS_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.access
export CF_ACCESS_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

### Create Service Token

1. Go to [Cloudflare Zero Trust Dashboard](https://one.dash.cloudflare.com/)
2. Navigate to **Access** → **Service Auth** → **Service Tokens**
3. Click **Create Service Token**
4. Name your token and click **Generate token**
5. Copy both **Client ID** and **Client Secret** (shown only once!)

### Configure Access Policy

Ensure your Access Application allows service token authentication:

1. Go to **Access** → **Applications** → Select your app
2. Add a policy with **Service Token** as Include rule
3. Select your created token

> **Important:** When using `$VAR` in a command that pipes to another command, wrap the command containing `$VAR` in `bash -c '...'`. Due to a Claude Code bug, environment variables are silently cleared when pipes are used directly.

---

## Usage

### Basic curl Request

Add two headers to authenticate through Cloudflare Access:

```bash
bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"'
```

### With Additional Authentication

Many services require both Cloudflare Access AND their own authentication:

```bash
bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Authorization: Bearer $API_TOKEN" \
  "https://your-protected-service.example.com/api/endpoint"'
```

### With Basic Auth

```bash
bash -c 'curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -u "username:password" \
  "https://your-protected-service.example.com/api/endpoint"'
```

### POST Request with JSON Body

Write to `/tmp/request.json`:

```json
{
  "key": "value"
}
```

Then run:

```bash
bash -c 'curl -s -X POST \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Content-Type: application/json" \
  -d @/tmp/request.json \
  "https://your-protected-service.example.com/api/endpoint"'
```

### Download File

```bash
bash -c 'curl -s -o /tmp/output.file \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/file"'
```

### Skip SSL Verification (Self-signed certs)

Add `-k` flag for services with self-signed certificates:

```bash
bash -c 'curl -k -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"'
```

---

## Required Headers

| Header | Value | Description |
|--------|-------|-------------|
| `CF-Access-Client-Id` | `<client-id>.access` | Service Token Client ID |
| `CF-Access-Client-Secret` | `<secret>` | Service Token Client Secret |

## Common Errors

| Error | Cause | Solution |
|-------|-------|----------|
| 403 Forbidden | Invalid or missing headers | Check Client ID and Secret |
| 403 Forbidden | Token not in Access policy | Add token to application's Access policy |
| 401 Unauthorized | Service's own auth failed | Check service-specific credentials |
| Connection refused | Tunnel not running | Verify cloudflared is running |

## Tips

1. **Header order doesn't matter** - CF headers can be anywhere in the request
2. **Works with any HTTP method** - GET, POST, PUT, DELETE, etc.
3. **Combine with other auth** - CF Access + Basic Auth, Bearer Token, etc.
4. **Token rotation** - Rotate secrets periodically in Zero Trust dashboard

## API Reference

- Cloudflare Access: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
- Zero Trust Dashboard: https://one.dash.cloudflare.com/

Overview

This skill authenticates HTTP requests to services protected by Cloudflare Access / Cloudflare Tunnel using Service Token headers. It provides simple shell curl examples and patterns to include the required CF-Access headers for automated scripts and CI. Use it to call internal apps or APIs shielded by Cloudflare Zero Trust without interactive login.

How this skill works

The skill injects two HTTP headers—CF-Access-Client-Id and CF-Access-Client-Secret—into requests made from shell scripts or CI pipelines. It demonstrates curl commands for GET, POST, file download, basic auth, bearer tokens, and skipping SSL verification when necessary. Environment variables are recommended for secrets, and commands that pipe must be wrapped in bash -c to preserve env vars.

When to use it

  • Access internal services exposed via Cloudflare Tunnel
  • Call APIs or web apps protected by Cloudflare Zero Trust
  • Automate requests that would otherwise hit the Cloudflare Access login page
  • Combine Cloudflare Access auth with an app’s own credentials in scripts
  • Download files or interact with services behind an Access policy from CI/CD pipelines

Best practices

  • Store CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET in secure environment variables or a secrets manager
  • Wrap piped curl commands in bash -c '...' so environment variables are preserved in shells used by some runtimes
  • Rotate service token secrets regularly and update policies in the Zero Trust dashboard
  • Add the service token to the application Access policy with a Service Token include rule
  • Combine with additional headers (Authorization, Basic Auth) only when the app requires them

Example use cases

  • Simple API GET using curl to an internal endpoint protected by Cloudflare Access
  • POST JSON payloads to a protected service from automation or webhook handlers
  • Download logs or artifacts from a tunneled service into CI using the CF headers
  • Access an internal dashboard programmatically while also supplying a Bearer token for app-level auth
  • Use -k in development to bypass SSL verification for self-signed certificates on tunneled services

FAQ

What headers are required?

You must send CF-Access-Client-Id and CF-Access-Client-Secret with each HTTP request. The Client ID ends with .access.

Why wrap commands in bash -c?

Some runtimes clear environment variables when piping; wrapping the command in bash -c '...' preserves variables like CF_ACCESS_CLIENT_SECRET during piped executions.