Cloudflare Access

Cloudflare Access puts an auth layer in front of your tunnel. Agmente supports service tokens, which are ideal for programmatic access from mobile.

How it works

Only authenticated requests reach your agent.
Access policies can be revoked instantly from the Cloudflare dashboard.
No changes are required on the agent server itself.

Setup

Open Zero Trust dashboard: Go to Cloudflare Zero Trust and select your account.
Create an Access application:
- Access → Applications → Add an application → Self-hosted
- Name: Agmente Agent
- Session duration: 24 hours (or your choice)
- Application domain: your tunnel hostname (for example, agent.yourdomain.com)
Create a policy:
- Policy name: Service Token Access
- Action: Service Auth
- Include rule: Service Token (value added later)
Create a service token:
- Access → Service Auth → Service Tokens → Create Service Token
- Name: Agmente iOS
- Duration: Non-expiring (or set an expiry)
- Copy both values immediately:
  - CF-Access-Client-Id
  - CF-Access-Client-Secret
Attach the token to the policy: Edit the Access policy and add the new token under the Service Token rule.
Configure Agmente:
- Edit your server → Cloudflare Access
- Enter the Client ID and Client Secret
- Agmente sends headers on every request:

CF-Access-Client-Id: <CLIENT_ID>
CF-Access-Client-Secret: <CLIENT_SECRET>

Test your setup

Without credentials (should fail):

curl -I https://agent.yourdomain.com

With credentials (should succeed):

curl -I https://agent.yourdomain.com \
  -H "CF-Access-Client-Id: YOUR_CLIENT_ID" \
  -H "CF-Access-Client-Secret: YOUR_CLIENT_SECRET"

Manage access

Revoke a token

Access → Service Auth → Service Tokens → find your token → Revoke.
Create a new token and update Agmente.

View logs

Access → Logs
Filter by your application name to see successful and failed attempts.

Multiple devices

Shared token
Per-device tokens

Use the same service token on all devices. Simpler, but revoking it affects everyone.

Create separate tokens such as Agmente iPhone and Agmente iPad. You can revoke access for one device without affecting others.

Troubleshooting

403 Forbidden after adding credentials

Verify the Client ID/Secret values.
Confirm the service token is referenced in the Access policy.
Check that the token is not revoked.

Token not being sent

Save the server configuration after entering credentials.
Disconnect and reconnect the server.
Ensure both Client ID and Client Secret fields are filled.

Works in browser but not in app

Browser login uses cookies; Agmente uses service tokens.
Ensure the Access policy action is Service Auth with a service token rule.

Security best practices

Use non-expiring tokens sparingly; rotate them periodically.
Monitor Access logs for unexpected attempts.
Use separate Access applications (and tokens) per tunnel when possible.
Protect your device with a passcode or biometric lock because the token is stored locally.

How it works​

Setup​

Test your setup​

Manage access​

Revoke a token​

View logs​

Multiple devices​

Troubleshooting​

403 Forbidden after adding credentials​

Token not being sent​

Works in browser but not in app​

Security best practices​