Skip to content
GitHubXDiscordRSS

AccessServiceToken

Create Cloudflare Zero Trust Access service tokens for machine-to-machine authentication against Access-protected applications.

A Cloudflare Access service token authenticates non-human callers (CI runners, scripts, services) against Access-protected applications. The clientSecret is only returned on creation — store it immediately.

import { AccessServiceToken } from "alchemy/cloudflare";
const token = await AccessServiceToken("ci-runner", {
name: "ci-runner",
});
// token.clientId / token.clientSecret.unencrypted go into the
// CF-Access-Client-Id / CF-Access-Client-Secret request headers.

By default tokens are valid for 1 year. Override with a Cloudflare duration string.

const previewToken = await AccessServiceToken("preview-deploy", {
name: "preview-deploy",
duration: "720h", // 30 days
});

Bind the secret into a Worker so it can authenticate against another Access-protected app.

import { Worker, AccessServiceToken } from "alchemy/cloudflare";
const token = await AccessServiceToken("worker-to-admin", {
name: "worker-to-admin",
});
await Worker("admin-client", {
entrypoint: "./src/worker.ts",
bindings: {
CF_ACCESS_CLIENT_ID: token.clientId,
CF_ACCESS_CLIENT_SECRET: token.clientSecret!,
},
});