Skip to content

Cloudflare Access

Cloudflare Access provides zero-trust authentication without any login page in your application. Users authenticate through Cloudflare’s identity layer before reaching your CMS.

Available Today

Basic Cloudflare Access protection is available now using environment variables — no code changes required.

Set these environment variables in your deployment:

VariableTypeRequiredDescription
CF_ACCESS_TEAM_NAMEstringYesYour Cloudflare Zero Trust team name — the subdomain prefix in <team>.cloudflareaccess.com. Found in Zero Trust dashboard > Settings > General.
CF_ACCESS_AUDstringYesApplication Audience (AUD) tag. Found in Zero Trust dashboard > Access > Applications > (your app) > Overview page.

When both variables are set, Conloca automatically validates the CF_Authorization JWT on every request.

There is no app-level login UI. Cloudflare handles authentication before requests reach the CMS.

Prerequisites

  • A domain managed by Cloudflare
  • Cloudflare Zero Trust dashboard access
  • An Access Application created for your CMS domain with an Application Audience (AUD) tag

Setup

1. Create a Cloudflare Access Application

In the Cloudflare Zero Trust dashboard:

  1. Go to Access > Applications > Add an application
  2. Select Self-hosted application type
  3. Set the Application domain to your CMS URL (e.g., cms.example.com)
  4. Configure your identity provider (Google, GitHub, email OTP, etc.)
  5. Create an Access Policy to control who can access the CMS
  6. Copy the Application Audience (AUD) tag from the application overview

2. Configure environment variables

Set these variables in the environment where your Astro server runs:

CF_ACCESS_TEAM_NAME=YOUR_TEAM_NAME
CF_ACCESS_AUD=YOUR_APPLICATION_AUD_TAG

Replace YOUR_TEAM_NAME with your Cloudflare Zero Trust team name (the subdomain in YOUR_TEAM_NAME.cloudflareaccess.com) and YOUR_APPLICATION_AUD_TAG with the AUD tag from step 1.

How it works

When a user visits your CMS, Cloudflare Access intercepts the request and requires authentication through your configured identity provider. After successful authentication, Cloudflare sets a CF_Authorization JWT cookie and adds a Cf-Access-Jwt-Assertion header.

Conloca verifies this JWT against Cloudflare’s public JWKS endpoint (https://YOUR_TEAM.cloudflareaccess.com/cdn-cgi/access/certs) and extracts the user’s email from the token payload.

No login UI is needed in your application — Cloudflare handles the entire authentication flow.

Current limitations

  • There is no auth option in conlocaCMS() on this branch
  • Role mapping (admin, editor, viewer) is not implemented yet
  • OAuth and API key providers are documented as planned work only

Combining with Cloudflare Tunnel

Cloudflare Access pairs naturally with Cloudflare Tunnel — the tunnel exposes your CMS without opening ports, and Access protects it with authentication.

Next steps