Linux Server Security is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Secure Remote Access

Cloudflare Access Service Tokens vs Login: Choose the Right Machine Auth

Use an interactive Access login for people and a service token for automation that cannot complete a browser identity flow. A service token is still a credential: scope it narrowly, store it safely, rotate it, and do not confuse Tunnel transport with application authentication.

When is a service token appropriate?

Use one for a scheduled job, monitoring agent, or internal service calling an Access-protected application. Cloudflare documents a Client ID and Client Secret flow, with dedicated headers or a single alternative header depending on configuration.

When should a human login win?

Use identity-provider login when a person needs accountability, MFA, group membership, or an interactive session. Giving a script a human credential makes rotation and attribution worse, not better.

What can go wrong?

A token copied into a repository, image, log, or broad environment has the same basic problem as any leaked secret. Keep the token outside source control, limit the application policy, restrict the caller where possible, and document an owner and rotation date.

For the boundary between transport and auth, read why a Cloudflare Tunnel is not authentication and Cloudflare Access as a web-app login layer.

Sources