Authentication
Secure your admin dashboard with Cloudflare Access - a zero-trust authentication solution that protects your admin routes without any code changes.
By default, the admin dashboard is unprotected. Anyone with the URL can access it. Always configure Cloudflare Access before deploying to production.
Why Cloudflare Access?
- Zero-trust security - Every request is authenticated
- No passwords to manage - Use identity providers like Google, GitHub, or email OTP
- Free tier available - Up to 50 users at no cost
- Instant setup - No code changes required, just configuration
Setup Guide
Enable Cloudflare Access
- Go to your Cloudflare dashboard
- Select Zero Trust from the sidebar
- If this is your first time, you’ll be prompted to create a team name (e.g., your-company)
Create an Access Application
- In Zero Trust, go to Access → Applications
- Click Add an application
- Select Self-hosted
- Configure the application:
| Field | Value |
|---|---|
| Application name | 0list Admin |
| Session duration | 24 hours (or your preference) |
| Application domain | your-worker.workers.dev |
| Path | /admin |
If you’re using a custom domain, use that instead of the workers.dev domain.
Configure Identity Providers
- Go to Settings → Authentication
- Add your preferred identity providers:
- Google - Best for Google Workspace users
- GitHub - Great for developer teams
- One-time PIN - Email-based authentication (no setup required)
For most setups, the built-in One-time PIN provider works great and requires no additional configuration.
Create an Access Policy
- Back in your application, go to the Policies tab
- Click Add a policy
- Configure who can access:
Policy name: Admins
Action: Allow
Include:
- Emails: [email protected], [email protected]
Or use email domains:
- Emails ending in: @yourcompany.com
Get Your Application Credentials
- In your application settings, find the Application Audience (AUD) Tag
- Your team domain is https://<team-name>.cloudflareaccess.com
- Note both values for the next step
Configure Environment Variables
Set the following environment variables in your Cloudflare Worker:
wrangler secret put CF_ACCESS_TEAM_DOMAIN
# Enter: https://your-team.cloudflareaccess.com
wrangler secret put CF_ACCESS_AUD
# Enter: your-application-audience-tag
Or set them in the Cloudflare dashboard under Workers & Pages → Your Worker → Settings → Variables and Secrets.
Deploy and Test
bun run deploy
Visit your admin dashboard. You should now be prompted to authenticate through Cloudflare Access.
How It Works
When Cloudflare Access is configured:
- Users visiting /admin/* routes are redirected to Cloudflare Access login
- After authentication, Cloudflare sets a JWT cookie (CF_Authorization)
- 0list validates this JWT on every request using your CF_ACCESS_AUD and CF_ACCESS_TEAM_DOMAIN
- The authenticated user’s email is extracted and displayed in the admin UI
Environment Variables Reference
| Variable | Description | Example |
|---|---|---|
| CF_ACCESS_TEAM_DOMAIN | Your Cloudflare Access team URL | https://mycompany.cloudflareaccess.com |
| CF_ACCESS_AUD | Application Audience Tag from Access | abc123def456... |
Development Mode
During local development, Cloudflare Access is automatically bypassed. You’ll see:
- A “No Auth” warning badge in the navbar
- “Development Mode” under your user menu
- A mock user email for testing
This allows you to develop without setting up Access locally.
Troubleshooting
“No Auth” warning in production
Make sure both environment variables are set:
# Verify secrets are set
wrangler secret list
# Should show:
# CF_ACCESS_TEAM_DOMAIN
# CF_ACCESS_AUD
Authentication loop
If you’re stuck in a login loop:
- Clear your browser cookies for the domain
- Verify your Access policy allows your email
- Check that the application domain matches exactly
JWT validation errors
Check your Worker logs for detailed error messages:
wrangler tail
Common issues:
- Incorrect CF_ACCESS_AUD value
- Team domain missing https:// prefix
- Clock skew between servers (rare)
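The three common issues above, written out as explicit checks. This is an added example, not 0list's own code: the function names, the 60-second skew tolerance and the sample values are assumptions made for illustration, and the payload is assumed to have already passed signature verification against your team's Access signing keys.

```javascript
// Added example (not 0list source). Run these checks only on a payload whose
// signature was already verified against the team's Access signing keys.
const SKEW_SECONDS = 60; // assumed tolerance for clock skew between servers

// Returns a list of problems with the configured values; empty means usable.
function checkAccessConfig(env) {
  const problems = [];
  const team = env.CF_ACCESS_TEAM_DOMAIN || "";
  if (!team) problems.push("CF_ACCESS_TEAM_DOMAIN is not set");
  else if (!team.startsWith("https://")) problems.push("team domain missing https:// prefix");
  if (!env.CF_ACCESS_AUD) problems.push("CF_ACCESS_AUD is not set");
  return problems;
}

// Returns { ok: true, email } or { ok: false, reason } for a verified payload.
function checkAccessClaims(payload, env, nowSeconds) {
  const config = checkAccessConfig(env);
  if (config.length > 0) return { ok: false, reason: config[0] }; // fail closed
  // Access issues `aud` as an array; a single string is accepted as well.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(env.CF_ACCESS_AUD))
    return { ok: false, reason: "aud does not match CF_ACCESS_AUD" };
  if (payload.iss !== env.CF_ACCESS_TEAM_DOMAIN)
    return { ok: false, reason: "iss does not match team domain" };
  if (typeof payload.exp !== "number" || nowSeconds > payload.exp + SKEW_SECONDS)
    return { ok: false, reason: "token expired" };
  if (typeof payload.nbf === "number" && nowSeconds + SKEW_SECONDS < payload.nbf)
    return { ok: false, reason: "token not yet valid (clock skew?)" };
  if (typeof payload.email !== "string")
    return { ok: false, reason: "no email claim" };
  return { ok: true, email: payload.email };
}

// Constructed sample values, not real credentials.
const sampleEnv = {
  CF_ACCESS_TEAM_DOMAIN: "https://your-team.cloudflareaccess.com",
  CF_ACCESS_AUD: "example-aud-tag",
};
const samplePayload = {
  aud: ["example-aud-tag"],
  iss: "https://your-team.cloudflareaccess.com",
  exp: 1700003600,
  nbf: 1700000000,
  email: "admin@example.com",
};
console.log(checkAccessClaims(samplePayload, sampleEnv, 1700000100));
```

Missing or malformed configuration is reported as a failure, so a deployment with unset secrets rejects requests.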