OriginTlsClientAuthSetting

Source: src/Cloudflare/OriginTlsClientAuth/Setting.ts

The zone-level Authenticated Origin Pulls (AOP) toggle (/zones/{zone_id}/origin_tls_client_auth/settings).

The setting is a singleton — it always exists on every zone (Cloudflare default false), so this resource never creates or deletes anything physical. Reconcile flips the flag when the observed value differs from the desired one; destroy restores the value the setting had before Alchemy first managed it (captured as initialEnabled).

Enabling AOP has an effect only once a zone client certificate is uploaded (OriginTlsClientAuthCertificate) and your origin is configured to verify it. Enabling the flag alone does not break traffic unless the origin enforces mTLS.

Enable zone-level AOP

const cert = yield* Cloudflare.OriginTlsClientAuthCertificate("AopCert", {
  zoneId: zone.zoneId,
  certificate: clientCertPem,
  privateKey: alchemy.secret.env.AOP_CLIENT_KEY,
});
yield* Cloudflare.OriginTlsClientAuthSetting("Aop", {
  zoneId: zone.zoneId,
  enabled: true,
});

Pin AOP off

yield* Cloudflare.OriginTlsClientAuthSetting("Aop", {
  zoneId: zone.zoneId,
  enabled: false,
});
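
The reconcile and destroy behaviour described at the top of this page, modelled as an added example (not the code in Setting.ts). It shows that destroying a resource that pinned AOP off turns AOP back on when the zone had it enabled beforehand. `FakeZoneSetting`, `State`, `reconcile`, `destroy` and `demo` are hypothetical names, and the API is a constructed in-memory stand-in; only `enabled` and `initialEnabled` come from the page.

```typescript
// Illustrative model only: every name except `enabled` and `initialEnabled`
// is an assumption made for this example.
type State = { initialEnabled: boolean }; // what the engine persists

// Constructed in-memory stand-in for the zone's AOP settings endpoint.
class FakeZoneSetting {
  enabled: boolean;
  writes = 0; // counts every change to the setting, in-band or not
  constructor(enabled = false) { // Cloudflare default is false
    this.enabled = enabled;
  }
  get(): boolean { return this.enabled; }
  set(value: boolean): void { this.enabled = value; this.writes++; }
}

function reconcile(api: FakeZoneSetting, desired: boolean, prior?: State): State {
  const observed = api.get();
  // Capture the pre-management value once; later reconciles keep it.
  const state = prior ?? { initialEnabled: observed };
  if (observed !== desired) api.set(desired); // write only on drift
  return state;
}

function destroy(api: FakeZoneSetting, state: State): void {
  // Nothing is deleted: the singleton goes back to its original value.
  if (api.get() !== state.initialEnabled) api.set(state.initialEnabled);
}

function demo() {
  // Constructed scenario: AOP was already on before the resource pinned it off.
  const api = new FakeZoneSetting(true);
  let state = reconcile(api, false);    // first manage: captures true, writes false
  state = reconcile(api, false, state); // no drift, no write
  api.set(true);                        // out-of-band change
  state = reconcile(api, false, state); // drift corrected
  const afterReconcile = api.get();
  destroy(api, state);                  // restores the original value
  return {
    initialEnabled: state.initialEnabled,
    afterReconcile,
    afterDestroy: api.get(),
    writes: api.writes,
  };
}
```
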