OriginTlsClientAuthCertificate
Source:
src/Cloudflare/OriginTlsClientAuth/Certificate.ts
A zone-level Authenticated Origin Pulls (AOP) client certificate
(/zones/{zone_id}/origin_tls_client_auth).
Uploads the client certificate Cloudflare presents to your origin when zone-level Authenticated Origin Pulls is enabled (see OriginTlsClientAuthSetting), letting the origin verify that requests really come from Cloudflare via mTLS.
Certificates are immutable: there is no update API, so changing any
property triggers a replacement. Deployment is asynchronous — the
certificate starts in pending_deployment and becomes active within a
few minutes; deletion likewise passes through pending_deletion.
Uploading a certificate
const cert = yield* Cloudflare.OriginTlsClientAuthCertificate("AopCert", {
  zoneId: zone.zoneId,
  certificate: clientCertPem,
  privateKey: alchemy.secret.env.AOP_CLIENT_KEY,
});

Enabling Authenticated Origin Pulls
const cert = yield* Cloudflare.OriginTlsClientAuthCertificate("AopCert", {
  zoneId: zone.zoneId,
  certificate: clientCertPem,
  privateKey: alchemy.secret.env.AOP_CLIENT_KEY,
});
yield* Cloudflare.OriginTlsClientAuthSetting("Aop", {
  zoneId: zone.zoneId,
  enabled: true,
});
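
Uploading the certificate only covers Cloudflare's side of the mTLS handshake; the origin still has to require and check it. The following is an added example, not code from this project, of one way a Node.js origin could do that. The names `checkAopPeer`, `originTlsOptions` and `MtlsSocket` are hypothetical; `MtlsSocket` mirrors the `authorized` and `getPeerCertificate().fingerprint256` members of Node's `TLSSocket`. The pin list accepts several fingerprints on the assumption that, because certificates are replaced rather than updated and deployment is asynchronous, the origin should trust the old and new certificate side by side during a rotation.

```typescript
// Added example: origin-side check of the AOP client certificate.
// All helper names are hypothetical; fingerprints passed in are supplied by the operator.

// Minimal shape of the members used from Node's TLSSocket, declared locally
// so the example needs no imports.
interface PeerCertificate { fingerprint256?: string }
interface MtlsSocket {
  authorized: boolean; // true when the client chain verified against the server's `ca`
  getPeerCertificate(): PeerCertificate;
}

type AopDecision =
  | { allowed: true; fingerprint: string }
  | { allowed: false; reason: "unverified_chain" | "no_certificate" | "unpinned_certificate" };

// Normalise "AB:CD:..." or "abcd..." to lowercase hex without separators.
function normalizeFingerprint(fp: string): string {
  return fp.replace(/[^0-9a-fA-F]/g, "").toLowerCase();
}

// Accept a connection only if the chain verified AND the leaf certificate is
// one of the pinned AOP certificates (SHA-256 fingerprints).
function checkAopPeer(socket: MtlsSocket, pinned: string[]): AopDecision {
  if (!socket.authorized) return { allowed: false, reason: "unverified_chain" };
  const raw = socket.getPeerCertificate().fingerprint256;
  if (!raw) return { allowed: false, reason: "no_certificate" };
  const fp = normalizeFingerprint(raw);
  const pins = pinned.map(normalizeFingerprint);
  if (fp.length !== 64 || pins.indexOf(fp) === -1) {
    return { allowed: false, reason: "unpinned_certificate" };
  }
  return { allowed: true, fingerprint: fp };
}

// Options for https.createServer / tls.createServer that make Node request a
// client certificate and fail the handshake when it does not chain to clientCaPem.
function originTlsOptions(serverKeyPem: string, serverCertPem: string, clientCaPem: string) {
  return {
    key: serverKeyPem,
    cert: serverCertPem,
    ca: [clientCaPem],
    requestCert: true,
    rejectUnauthorized: true,
  };
}
```

In a request handler, call `checkAopPeer(req.socket, pins)` and reject the request unless `allowed` is true; drop the old fingerprint from `pins` once the replacement certificate is `active`.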