From cloudflare-zero-trust-access
Cloudflare Zero Trust Access authentication for Workers. Use for JWT validation, service tokens, CORS, or encountering preflight blocking, cache race conditions, missing JWT headers.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cloudflare-zero-trust-access:cloudflare-zero-trust-accessThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Integrate Cloudflare Zero Trust Access authentication with Cloudflare Workers applications using proven patterns and templates.
references/access-policy-setup.mdreferences/common-errors.mdreferences/jwt-payload-structure.mdreferences/quick-start.mdreferences/service-tokens-guide.mdreferences/use-cases.mdreferences/value-proposition.mdscripts/create-service-token.shscripts/test-access-jwt.shtemplates/cors-access.tstemplates/hono-basic-setup.tstemplates/jwt-validation-manual.tstemplates/multi-tenant.tstemplates/service-token-auth.tstemplates/types.tstemplates/wrangler.jsoncIntegrate Cloudflare Zero Trust Access authentication with Cloudflare Workers applications using proven patterns and templates.
This skill provides complete integration patterns for Cloudflare Access, enabling application-level authentication for Workers without managing your own auth infrastructure.
What is Cloudflare Access? Cloudflare Access is Zero Trust authentication that sits in front of your application, validating users before they reach your Worker. After authentication, Access issues JWT tokens that your Worker validates.
Key Benefits:
Trigger this skill when tasks involve:
Keywords to Trigger: cloudflare access, zero trust, access authentication, JWT validation, service tokens, cloudflare auth, hono access, workers authentication, protect worker routes, admin authentication
📖 New to Cloudflare Access? Load references/quick-start.md for step-by-step setup instructions (15-20 minutes).
Use @hono/cloudflare-access for one-line Access integration.
When to Use:
Template: templates/hono-basic-setup.ts
Setup:
import { Hono } from 'hono'
import { cloudflareAccess } from '@hono/cloudflare-access'
const app = new Hono<{ Bindings: Env }>()
// Public routes
app.get('/', (c) => c.text('Public page'))
// Protected routes
app.use(
'/admin/*',
cloudflareAccess({
domain: (c) => c.env.ACCESS_TEAM_DOMAIN,
})
)
app.get('/admin/dashboard', (c) => {
const { email } = c.get('accessPayload')
return c.text(`Welcome, ${email}!`)
})
Configuration (wrangler.jsonc):
{
"vars": {
"ACCESS_TEAM_DOMAIN": "your-team.cloudflareaccess.com",
"ACCESS_AUD": "your-app-aud-tag"
}
}
Benefits:
When to Use: Not using Hono, need custom validation logic
Template: templates/jwt-validation-manual.ts (~100 lines, uses Web Crypto API)
When to Use: CI/CD pipelines, backend services, cron jobs (no interactive login)
Client: Send CF-Access-Client-Id + CF-Access-Client-Secret headers
Server: Same middleware handles both - detect via !payload.email && payload.common_name
📄 Full guide: references/service-tokens-guide.md
When to Use: SPA (React/Vue/Angular) calling protected API
⚠️ CRITICAL: CORS middleware MUST come BEFORE Access middleware!
// ✅ CORRECT ORDER
app.use('*', cors({ origin: 'https://app.example.com', credentials: true }))
app.use('/api/*', cloudflareAccess({ domain: (c) => c.env.ACCESS_TEAM_DOMAIN }))
Why: OPTIONS preflight has no auth headers → Access blocks with 401
📄 Full pattern: templates/cors-access.ts
When to Use: SaaS with per-org authentication, white-label apps
Architecture: Tenant config in D1/KV → Dynamic middleware per request
📄 Full pattern: templates/multi-tenant.ts and references/use-cases.md
This skill prevents 8 documented errors. Full details: references/common-errors.md
Problem: OPTIONS requests return 401, breaking CORS
Solution: CORS middleware BEFORE Access middleware
// ✅ Correct
app.use('*', cors())
app.use('/api/*', cloudflareAccess({ domain: '...' }))
Problem: Request not going through Access, no JWT header
Solution: Access Worker through Access URL, not direct *.workers.dev
✅ https://team.cloudflareaccess.com/...
❌ https://worker.workers.dev
Problem: Hardcoded or wrong team name causes "Invalid issuer"
Solution: Use environment variables
// ✅ Correct
cloudflareAccess({ domain: (c) => c.env.ACCESS_TEAM_DOMAIN })
// ❌ Wrong
cloudflareAccess({ domain: 'my-team.cloudflareaccess.com' })
| # | Error | Solution |
|---|---|---|
| 4 | Key cache race | Use @hono/cloudflare-access (auto-caches) |
| 5 | Wrong service token headers | Use CF-Access-Client-Id/Secret (not Authorization) |
| 6 | Token expiration (401 after 1 hr) | Handle gracefully, redirect to login |
| 7 | Overlapping policies | Use most specific paths |
| 8 | Dev/prod mismatch | Use environment-specific configs |
📄 Full error details: references/common-errors.md (~2.5 hours saved per implementation)
| Template | Purpose |
|---|---|
hono-basic-setup.ts | Standard Hono + Access integration |
jwt-validation-manual.ts | Manual JWT verification with Web Crypto |
service-token-auth.ts | Service token patterns |
cors-access.ts | CORS + Access (correct ordering) |
multi-tenant.ts | Multi-tenant architecture |
wrangler.jsonc | Complete Wrangler configuration |
.env.example | Environment variable template |
types.ts | TypeScript definitions |
| Script | Usage |
|---|---|
test-access-jwt.sh | ./test-access-jwt.sh <jwt-token> - Decode and validate JWT |
create-service-token.sh | ./create-service-token.sh [name] - Service token setup guide |
| Use Case | Template | Key Point |
|---|---|---|
| Admin Dashboard | hono-basic-setup.ts | Email domain policy |
| API Authentication | hono-basic-setup.ts | Mixed user/service policy |
| SPA + API | cors-access.ts | CORS before Access! |
| CI/CD Pipeline | service-token-auth.ts | Service token in secrets |
| Multi-Tenant SaaS | multi-tenant.ts | D1 tenant config |
📄 Detailed use cases: references/use-cases.md
| Reference File | Load When... |
|---|---|
references/quick-start.md | Step-by-step setup for new users, first-time integration |
references/common-errors.md | Debugging auth issues, prevention patterns (includes all 8 errors) |
references/jwt-payload-structure.md | Accessing JWT claims, user vs service token |
references/service-tokens-guide.md | Setting up machine-to-machine auth |
references/access-policy-setup.md | Dashboard configuration, policy creation |
references/use-cases.md | Detailed implementation for specific scenarios |
references/value-proposition.md | Token efficiency metrics, workflow guidance, production validation |
| Package | Version |
|---|---|
| @hono/cloudflare-access | 0.3.1 |
| hono | 4.10.7 |
| @cloudflare/workers-types | 4.20251126.0 |
Verified: 2025-12-14 | Token Savings: ~58% | Production Tested: ✅
This skill is for Cloudflare Workers with Cloudflare Access. Do not use for:
@cloudflare/pages-plugin-cloudflare-access instead)For those, use appropriate skills or libraries.
Cloudflare Documentation:
Packages:
Dashboard:
Skill Version: 1.0.0 Last Updated: 2025-10-28 Errors Prevented: 8 Token Savings: 58% Time Savings: 2.5 hours Production Tested: ✅
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Manages knowledge base ingestion, sync, and retrieval across local files, MCP memory, vector stores, and Git repos. Use for saving, organizing, deduplicating, or searching knowledge.
npx claudepluginhub midego1/claude-skills --plugin cloudflare-zero-trust-access