AccessIdentityProvider
Configure Cloudflare Zero Trust Access identity providers (Google, Okta, OIDC, SAML, OneTimePin and more).
A Cloudflare Access identity provider allows users to sign in to Access-protected applications. The five most common types (onetimepin, google, okta, oidc, saml) are strictly typed; everything else falls back to a permissive config object.
OneTimePin (Email Code)
Section titled “OneTimePin (Email Code)”The simplest provider — Cloudflare emails a one-time code to the user. No external setup required.
import { AccessIdentityProvider } from "alchemy/cloudflare";
const otp = await AccessIdentityProvider("otp", { type: "onetimepin", name: "Email OTP",});Google OAuth
Section titled “Google OAuth”const google = await AccessIdentityProvider("google", { type: "google", name: "Google", clientId: alchemy.secret.env.GOOGLE_CLIENT_ID.unencrypted, clientSecret: alchemy.secret.env.GOOGLE_CLIENT_SECRET,});Generic OIDC
Section titled “Generic OIDC”const oidc = await AccessIdentityProvider("idp", { type: "oidc", name: "Corporate IdP", authUrl: "https://idp.example.com/oauth2/authorize", tokenUrl: "https://idp.example.com/oauth2/token", certsUrl: "https://idp.example.com/oauth2/certs", clientId: "my-app", clientSecret: alchemy.secret.env.IDP_CLIENT_SECRET, scopes: ["openid", "email", "profile"], pkceEnabled: true,});- The
typefield is immutable — changing it forces replacement of the underlying Cloudflare resource. clientSecretis re-sent on every update; Cloudflare clears it if the field is omitted.- Deleting an identity provider fails if any AccessApplication references it via
allowedIdps.