Cloudflare Access
Cloudflare Access provides zero-trust authentication without any login page in your application. Users authenticate through Cloudflare’s identity layer before reaching your CMS.
Available Today
Basic Cloudflare Access protection is available now using environment variables — no code changes required.
Set these environment variables in your deployment:
| Variable | Type | Required | Description |
|---|---|---|---|
CF_ACCESS_TEAM_NAME | string | Yes | Your Cloudflare Zero Trust team name — the subdomain prefix in <team>.cloudflareaccess.com. Found in Zero Trust dashboard > Settings > General. |
CF_ACCESS_AUD | string | Yes | Application Audience (AUD) tag. Found in Zero Trust dashboard > Access > Applications > (your app) > Overview page. |
When both variables are set, Conloca automatically validates the CF_Authorization JWT on every request.
There is no app-level login UI. Cloudflare handles authentication before requests reach the CMS.
Prerequisites
- A domain managed by Cloudflare
- Cloudflare Zero Trust dashboard access
- An Access Application created for your CMS domain with an Application Audience (AUD) tag
Setup
1. Create a Cloudflare Access Application
In the Cloudflare Zero Trust dashboard:
- Go to Access > Applications > Add an application
- Select Self-hosted application type
- Set the Application domain to your CMS URL (e.g.,
cms.example.com) - Configure your identity provider (Google, GitHub, email OTP, etc.)
- Create an Access Policy to control who can access the CMS
- Copy the Application Audience (AUD) tag from the application overview
2. Configure environment variables
Set these variables in the environment where your Astro server runs:
CF_ACCESS_TEAM_NAME=YOUR_TEAM_NAME
CF_ACCESS_AUD=YOUR_APPLICATION_AUD_TAG
Replace YOUR_TEAM_NAME with your Cloudflare Zero Trust team name (the subdomain in
YOUR_TEAM_NAME.cloudflareaccess.com) and YOUR_APPLICATION_AUD_TAG with the AUD tag from step 1.
How it works
When a user visits your CMS, Cloudflare Access intercepts the request and requires authentication through your
configured identity provider. After successful authentication, Cloudflare sets a CF_Authorization JWT cookie and adds
a Cf-Access-Jwt-Assertion header.
Conloca verifies this JWT against Cloudflare’s public JWKS endpoint
(https://YOUR_TEAM.cloudflareaccess.com/cdn-cgi/access/certs) and extracts the user’s email from the token payload.
No login UI is needed in your application — Cloudflare handles the entire authentication flow.
Current limitations
- There is no
authoption inconlocaCMS()on this branch - Role mapping (
admin,editor,viewer) is not implemented yet - OAuth and API key providers are documented as planned work only
Combining with Cloudflare Tunnel
Cloudflare Access pairs naturally with Cloudflare Tunnel — the tunnel exposes your CMS without opening ports, and Access protects it with authentication.
Next steps
- Getting Started — Set up your first Conloca site
- Cloudflare Tunnel deployment — Expose your CMS securely
- Docker deployment — Deploy with Docker Compose