OriginTlsClientAuthHostnameAssociation

Source: src/Cloudflare/OriginTlsClientAuth/HostnameAssociation.ts

A per-hostname Authenticated Origin Pulls (AOP) association (/zones/{zone_id}/origin_tls_client_auth/hostnames).

Pins a hostname client certificate (OriginTlsClientAuthHostnameCertificate) to a hostname and toggles hostname-level AOP for it. Cloudflare's API is a bulk upsert keyed by hostname; this resource manages exactly one hostname per instance, so separate instances for different hostnames are safe to deploy concurrently. On destroy the association is voided (enabled: null), which restores the hostname to zone-level AOP behavior.

Associate a hostname with a client certificate

    const cert = yield* Cloudflare.OriginTlsClientAuthHostnameCertificate("AopHostCert", {
      zoneId: zone.zoneId,
      certificate: clientCertPem,
      privateKey: alchemy.secret.env.AOP_CLIENT_KEY,
    });
    yield* Cloudflare.OriginTlsClientAuthHostnameAssociation("AopHost", {
      zoneId: zone.zoneId,
      hostname: "api.example.com",
      certId: cert.certificateId,
      enabled: true,
    });

Keep the certificate pinned but disable enforcement

    yield* Cloudflare.OriginTlsClientAuthHostnameAssociation("AopHost", {
      zoneId: zone.zoneId,
      hostname: "api.example.com",
      certId: cert.certificateId,
      enabled: false,
    });
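
A pre-deploy lint for the declarations above, added here as an example and not the project's own code. It flags two instances that target the same hostname (the API upserts by hostname, so both would write the same entry) and hostnames that must be enforced but are declared with enabled: false or not declared at all. Declared, Finding, auditAssociations and the certificate ids are assumed names and placeholders.

```typescript
// Added example; Declared, Finding and auditAssociations are hypothetical names.
interface Declared {
  id: string; // resource instance id, e.g. "AopHost"
  hostname: string;
  certId: string;
  enabled: boolean;
}
interface Finding {
  hostname: string;
  issue: "duplicate-hostname" | "not-enforced" | "undeclared";
  detail: string;
}

// DNS names are case-insensitive and may carry a trailing dot.
const norm = (h: string): string => h.trim().toLowerCase().replace(/\.$/, "");

function auditAssociations(declared: Declared[], mustEnforce: string[]): Finding[] {
  const findings: Finding[] = [];
  // Null-prototype object so a hostname can never collide with Object.prototype keys.
  const byHost: Record<string, Declared[]> = Object.create(null);
  for (const d of declared) {
    const key = norm(d.hostname);
    byHost[key] = (byHost[key] || []).concat(d);
  }
  for (const hostname of Object.keys(byHost)) {
    const group = byHost[hostname] || [];
    // Upsert is keyed by hostname: two instances for one hostname write the same entry.
    if (group.length > 1) {
      const detail = group.map((d) => d.id).join(", ");
      findings.push({ hostname, issue: "duplicate-hostname", detail });
    }
  }
  for (const hostname of mustEnforce.map(norm)) {
    const group = byHost[hostname];
    if (!group) {
      findings.push({ hostname, issue: "undeclared", detail: "no hostname-level association" });
    } else if (group.some((d) => !d.enabled)) {
      findings.push({ hostname, issue: "not-enforced", detail: "certificate pinned, enabled: false" });
    }
  }
  return findings;
}

// Constructed sample input (certificate ids are placeholders).
const sample: Declared[] = [
  { id: "AopHost", hostname: "api.example.com", certId: "CERT_ID_1", enabled: true },
  { id: "AopHostDup", hostname: "API.example.com.", certId: "CERT_ID_1", enabled: false },
  { id: "AopAdmin", hostname: "admin.example.com", certId: "CERT_ID_2", enabled: false },
];
const sampleFindings = auditAssociations(sample, ["api.example.com", "admin.example.com", "pay.example.com"]);
```

Run it in CI against the same list of hostnames that feeds the resource declarations, and fail the build when the returned array is non-empty.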