Skip to content

AccessServiceToken

Source: src/Cloudflare/Access/ServiceToken.ts

A Cloudflare Zero Trust Access service token. Service tokens let machine-to-machine clients authenticate to Access-protected applications by sending the CF-Access-Client-ID / CF-Access-Client-Secret headers.

The client secret is only revealed by Cloudflare on create and rotate; the provider stores it redacted in state and carries it forward across reads.

Creating a Service Token

Section titled “Creating a Service Token”

Basic token with a generated name

const token = yield* Cloudflare.AccessServiceToken("Ci", {});
// token.clientId / token.clientSecret authenticate requests

Token with an explicit name and validity

const token = yield* Cloudflare.AccessServiceToken("Deploys", {
  name: "deploy-bot",
  duration: "17520h", // 2 years
});

Rotating the Secret

Section titled “Rotating the Secret”
const token = yield* Cloudflare.AccessServiceToken("Ci", {
  clientSecretVersion: 2, // was 1 — bumping rotates the secret
});

Authorizing a Token

Section titled “Authorizing a Token”
const token = yield* Cloudflare.AccessServiceToken("Ci", {});


const policy = yield* Cloudflare.AccessPolicy("AllowCi", {
  decision: "non_identity",
  include: [{ serviceToken: { tokenId: token.serviceTokenId } }],
});