Summary
This skill helps Claude make authenticated requests to services protected by Cloudflare Access tunnels. It covers the essential pattern of adding CF-Access-Client-Id and CF-Access-Client-Secret headers to curl commands, which is what you need whether you're hitting internal APIs, downloading files, or posting data through Argo tunnels. The examples show how to layer Cloudflare's authentication with your service's own auth schemes like Bearer tokens or Basic Auth. Honestly, it's a reference card for a pretty specific use case, but if you're running services behind Cloudflare Zero Trust, you'll be copying these header patterns constantly.
Install to Claude Code
npx -y skills add vm0-ai/vm0-skills --skill cloudflare-tunnel --agent claude-codeInstalls into .claude/skills of the current project.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Files
SKILL.mdView on GitHub
Usage
Basic curl Request
Add two headers to authenticate through Cloudflare Access:
curl -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
"https://your-protected-service.example.com/api/endpoint"
With Additional Authentication
Many services require both Cloudflare Access AND their own authentication:
curl -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
-H "Authorization: Bearer $API_TOKEN" \
"https://your-protected-service.example.com/api/endpoint"
With Basic Auth
curl -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
-u "username:password" \
"https://your-protected-service.example.com/api/endpoint"
POST Request with JSON Body
Write to /tmp/request.json:
{
"key": "value"
}
Then run:
curl -s -X POST \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
-H "Content-Type: application/json" \
-d @/tmp/request.json \
"https://your-protected-service.example.com/api/endpoint"
Download File
curl -s -o /tmp/output.file \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
"https://your-protected-service.example.com/file"
Skip SSL Verification (Self-signed certs)
Add -k flag for services with self-signed certificates:
curl -k -s \
-H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
-H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
"https://your-protected-service.example.com/api/endpoint"
Required Headers
| Header | Value | Description |
|---|---|---|
CF-Access-Client-Id | <client-id>.access | Service Token Client ID |
CF-Access-Client-Secret | <secret> | Service Token Client Secret |
Common Errors
| Error | Cause | Solution |
|---|---|---|
| 403 Forbidden | Invalid or missing headers | Check Client ID and Secret |
| 403 Forbidden | Token not in Access policy | Add token to application's Access policy |
| 401 Unauthorized | Service's own auth failed | Check service-specific credentials |
| Connection refused | Tunnel not running | Verify cloudflared is running |
Tips
- Header order doesn't matter - CF headers can be anywhere in the request
- Works with any HTTP method - GET, POST, PUT, DELETE, etc.
- Combine with other auth - CF Access + Basic Auth, Bearer Token, etc.
- Token rotation - Rotate secrets periodically in Zero Trust dashboard
API Reference
- Cloudflare Access: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
- Zero Trust Dashboard: https://one.dash.cloudflare.com/
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
