Prefer using Cloudflare’s API to interfacing with the Cloudflare dashboard? Just about anything you need to do can be managed via a standard programmatic interface. For questions about Cloudflare Apps please go here. Click Add in the Security Key Authentication card. Enter your Cloudflare password on the Add a Security Key screen, then click Next. A dialog appears. Interact with your security key to add it to your Cloudflare account. Enter a name for the security key. If this is the initial setup, you will be prompted to generate backup codes. Hi, I was thinking about using workers to authenticate users. It involves 3rd party API with it’s own private key. In the end I should generate JWT and sign it with another private key. Aug 27, 2019 the global CA key is essentially like the authentication to your whole account, it can do ANYTHING. The Origin CA key is essentially the first step to this Idea since it is restricted to only obtain certificates from Cloudflare’s origin CA.

1. Cloudflare Global Api Key
2. Cloudflare Authenticate And Generate Api Key Login
3. Cloudflare Api Token

All requests to the Cloudflare Workers REST API must. Be sent over HTTPS; Send a JSON body (unless otherwise indicated) contain valid identification headers (Find your Cloudflare Auth info). Using API Tokens: Authorization - provide an API token in standard Bearer format. Using Email and Global API Key. Jul 18, 2017 API Request Failed: GET /api/v4/user/apikey (undefined) Also cant change api key from the Cloudflare account. At the moment site is not synced with Cloudflare.

We built Access to solve a problem here at Cloudflare: our VPN. Our team members hated the slowness and inconvenience of VPN but, that wasn’t the issue we needed to solve. The security risks posed by a VPN required a better solution.

VPNs punch holes in the network perimeter. Once inside, individuals can access everything. This can include critically sensitive content like private keys, cryptographic salts, and log files. Cloudflare is a security company; this situation was unacceptable. We need a better method that gives every application control over precisely who is allowed to reach it.

Access meets that need. We started by moving our browser-based applications behind Access. Team members could connect to applications faster, from anywhere, while we improved the security of the entire organization. However, we weren’t yet ready to turn off our VPN as some tasks are better done through a command line. We cannot #EndTheVPN without replacing all of its use cases. Reaching a server from the command line required us to fall back to our VPN.

Today, we’re releasing a beta command line tool to help your team, and ours. Before we started using this feature at Cloudflare, curling a server required me to stop, find my VPN client and credentials, login, and run my curl command. With Cloudflare’s command line tool, cloudflared, and Access, I can run $ cloudflared access curl https://example.com/api and Cloudflare authenticates my request to the server. I save time and the security team at Cloudflare can control who reaches that endpoint (and monitor the logs).

Protect your API with Cloudflare Access

To protect an API with Access, you’ll follow the same steps that you use to protect a browser-based application. Start by adding the hostname where your API is deployed to your Cloudflare account.

Just like web applications behind Access, you can create granular policies for different paths of your HTTP API. Cloudflare Access will evaluate every request to the API for permission based on settings you configure. Placing your API behind Access means requests from any operation, CLI or other, will continue to be gated by Cloudflare. You can continue to use your API keys, if needed, as a second layer of security.

Reach a protected API

Cloudflare Access protects your application by checking for a valid JSON Web Token (JWT), whether the request comes through a browser or from the command line. We issue and sign that JWT when you successfully login with your identity provider. That token contains claims about your identity and session. The Cloudflare network looks at the claims in that token to determine if the request should proceed to the target application.

When you use a browser with Access, we redirect you to your identity provider, you login, and we store that token in a cookie. Authenticating from the command line requires a different flow, but relies on the same principles. When you need to reach an application behind Access from your command line, the Cloudflare CLI tool, cloudflared, launches a browser window so that you can login with your identity provider. Once you login, Access will generate a JWT for your session, scoped to your user identity.

Cloudflare Global Api Key

Rather than placing that JWT in a cookie, Cloudflare transfers the token in a cryptographically secure handoff to your machine. The client stores the token for you so that you don’t need to re-authenticate each time. The token is valid for the session duration as configured in Access.

When you make requests from your command line, Access will look for an HTTP header, cf-access-token, instead of a cookie. We’ll evaluate the token in that header and on every request. If you use cURL, we can help you move even faster.cloudflared includes a subcommand that wraps cURL and injects the JWT into the header for you.

Why use cloudflared to reach your application?

With cloudflared and its cURL wrapper, you can perform any cURL operation against an API protected by Cloudflare Access.

• Control endpoint access for specific users
  Cloudflare Access can be configured to protect specific endpoints. For example, you can create a rule that only a small group within your team can reach a particular URL path. You can apply that granular protection to sensitive endpoints so that you control who can reach those, while making other parts of the tool available to the full team.
• Download sensitive data
  Placing applications with sensitive data behind Access lets you control who can reach that information. If a particular file is stored at a known location, you can save time by downloading it to your machine from the command line instead of walking through the UI flow.

What's next?

CLI authentication is available today to all Access customers through the cloudflared tool. Just add the API hostname to your Cloudflare account and enable Access to start building policies that control who can reach that API. If you do not have an Access subscription yet, you can read more about the plans here and sign up.

Once you’re ready to continue ditching your VPN, follow this link to install cloudflared today. The tool is in beta and does not yet support automated scripting or service-to-service connections. Full instructions and known limitations can be found here. If you are interested in providing feedback, you can post your comments in this thread.

While working to make the Internet a better place, we also want to make it easier for our customers to have control of their content and APIs, and who has access to them. Using Cloudflare’s Token Authentication features, customers can implement access control via URL tokens or HTTP request headers without having to build complex back-end systems.

Cloudflare will check these tokens at the edge before any request is relayed to an origin or served from cache. If the token is not valid the request is blocked. Since Cloudflare handles all the token validation, the origin server does not need to have complex authentication logic. In addition, a malicious user who attempts to forge tokens will be blocked from ever reaching the origin.

CC BY 2.0image by zeevveez

Leveraging our edge network of over 100 data centers, customers can use token authentication to perform access control checks on content and APIs, as well as allowing Cloudflare to cache private content and only serve it to users with a valid token tied specifically to that cached asset.

Performing access control on the edge has many benefits. Brute force attempts and other attacks on private assets don't ever reach an origin server, preventing origin CPU and bandwidth from being wasted on malicious requests.

By performing authentication on the edge it's possible to cache protected content, giving users faster access to private content because there’s no round trip to the origin for authentication. At the same time web application owners are assured that only valid, authenticated users have access to the cache content.

By validating that an API request is from a valid client, Cloudflare is able to eliminate forged requests coming from bots, attackers or non-authenticated users.

Content Access Control

Many Internet applications are not built with access control features for assets, especially static assets like images, PDFs, zip files, apps, eBooks, and other downloadable content. Building an access control layer for these can be difficult and expensive.

We’ve worked with many customers to solve problems such as:

• A website provides downloadable static content to registered users; however, users tend to share/publish links to that content on social media platforms;
• A website provides downloadable static content, but crawlers and scrapers are constantly trying to find/leech/look for available links;
• An access control system is in place, but the customer would like to cache content at the edge for a better user experience and reduced bandwidth bills;
• A website would like to generate links with an expiry time;
• Access to specific resources hosted outside of the main application needs to be limited and restricted.

API Protection

Today most applications are client software that connect to HTTP based APIs on the Internet. Protecting those APIs from malicious use is important as it’s possible to write client software, such as bots, that talks directly to the APIs bypassing the original application. This can lead to abuse and unwanted load on API servers.

Cloudflare’s token authentication can be used to validate that an API request is coming from a valid user, client or a mobile device on the edge. Cloudflare will filter out non-authenticated or forged requests and not pass them on to the origin API server.

Along with Cloudflare’s Rate Limiting and WAF, a mobile application with an Internet API can be protected at the edge, far from the origin API server.

Cloudflare’s Token Authentication Solution

Token Authentication leverages tokens to verify that a user has access to a specific resource. The token can be sent as a URL parameter or in an HTTP header.

The token is an HMAC generated from the following:

• A secret shared between Cloudflare and the web application or mobile app;
• The path to the resource or API;
• A Unix epoch timestamp;
• Potential optional additional parameters (e.g. IP address, cookie value, username);

The Cloudflare edge validates the token and allow access or not based on the result. The generated HMAC can also be configured to expire after a certain time (e.g. 10 minutes), or so that the expiry is controlled directly from the origin server. In the latter case, the generated URLs would simply include an absolute future Unix timestamp.

Protecting Private Content with Token Authentication

Cloudflare Authenticate And Generate Api Key Login

In the simplest implementations, tokens can be used to protect static private content. The code required in the back end application would be as follows (in PHP):

The code above, given a shared secret:

• Generates the current timestamp;
• Generates the token by concatenating the timestamp with the cryptographic hash separated by a dash -;
• The cryptographic hash is a SHA256 based HMAC generated from the relative path to the restricted asset concatenated with the timestamp. The key of the hash is the shared secret;
• The hash is base64 encoded, and subsequently, URL encoded;
• Finally, the URL to the private asset is generated by simply adding the resulting token to the query string. The token HTTP GET parameter name is customizable.

Once deployed, the authentication rules are available under the Web Application Firewall Custom User Rule Set Package. From here the rules can be configured on simulate, challenge or block or deactivated completely:

Once active and in the event a user were to try to access a restricted resource without a valid token, Cloudflare would present the default WAF Block page shown below:

The block page can be fully customized to match the customer branding as necessary.

API Requests with Token Authentication

In more advanced implementations tokens can also be used to perform API authentication:

• User requests access using a standard authentication method (e.g. username and password);
• The origin server validates access and provides a token to the client. The token is specific to the user;
• Client stores the token and includes it in any subsequent request to API endpoints;
• The Cloudflare edge validates the token on every request. If the token is missing or the token is not valid the request is denied;
• The token can be configured to expire after a certain time, forcing the client to re-authenticate with the origin server if necessary.

Using tokens for API endpoints provides many benefits:

• No session information is stored so it is much easier to scale applications;
• Tokens help to prevent CSFR attacks as the token is required on every request;
• Ability to provide selective access to third party applications;
• Lower load on API servers.

Allowing access to API servers only from Cloudflare IP ranges will ensure that users cannot bypass the token authentication.

Additionally, for API endpoints, Cloudflare can be configured to generate custom JSON responses compatible with the API specification.

Validating Mobile Apps with Token Authentication

Most mobile applications leverage HTTP based API endpoints to provide dynamic functionality to the end user. The shared secret used to generate the token can be embedded and encrypted within native mobile applications, improving protection of mobile app API endpoints and ensuring only requests from legitimate clients are allowed to access the underlying API.

Conclusion

Token Authentication is available on the Business Plan if you are able to follow the default Cloudflare parameter format and expiry times are known beforehand. Our support team is able to provide implementation details on request.

Cloudflare Api Token

If this is not possible, or if you are looking for additional logic and/or custom behavior, please contact us and enquire about our Enterprise Plan and reference Token Authentication.