Cloudflare Access (Zero Trust)
Overview
Cloudflare Access protects all OpenClaw instances behind email-based authentication. Only authorized emails can access the dashboard.
Access Applications
| App Name | App ID | Domain | Allowed Emails |
|---|---|---|---|
| OpenClaw - DEEPCOOL | f533bae9-9618-452e-b344-534179798f55 | openclaw-deepcool.bigleagueinc.com | Ajay@bigleagueinc.com |
Policy Details
- Policy Name: Only Me
- Policy ID: 268d8034-f5ba-4e2d-a281-65009d8c72fc
- Decision: Allow
- Session Duration: 24 hours
- Auto-redirect: Enabled (skips IdP selection, goes straight to email)
- Auth method: One-time PIN sent to email
API Token
- Token Name: OpenClaw Setup
- Token ID: 520f544f1ae26b88eab2b45bf3ce9b82
- Permissions: Account > Access: Apps and Policies > Edit, Zone > Zone > Read
Managing via API
List Access Apps
```bash
curl -s -H "Authorization: Bearer <TOKEN>" \
  "https://api.cloudflare.com/client/v4/accounts/34b8e072efa0800baf6216c4d07f7c52/access/apps"
```
Create New Access App (for new machine)
```bash
curl -s -X POST \
  "https://api.cloudflare.com/client/v4/accounts/34b8e072efa0800baf6216c4d07f7c52/access/apps" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "OpenClaw - <MACHINE>",
    "domain": "openclaw-<machine>.bigleagueinc.com",
    "type": "self_hosted",
    "session_duration": "24h",
    "auto_redirect_to_identity": true,
    "policies": [{
      "name": "Only Me",
      "decision": "allow",
      "include": [{"email": {"email": "Ajay@bigleagueinc.com"}}]
    }]
  }'
```
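To confirm that every app still matches the baseline above (email allowlist, 24-hour sessions), the output of the List Access Apps call can be checked for drift. This is an added example, not part of the original page: the function names are hypothetical, the sample data is constructed, and it assumes each app in `result` carries its `policies` with `include` rules in the same shape as the create request.

```python
import json

# Baseline taken from this page; emails are lowercased so comparison is case-insensitive.
ALLOWED_EMAILS = {"ajay@bigleagueinc.com"}
MAX_SESSION_HOURS = 24

def session_hours(value):
    """Convert a single-unit duration such as '24h' or '30m' to hours (None if unparseable)."""
    units = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}
    try:
        return float(value[:-1]) * units[value[-1]]
    except (TypeError, ValueError, KeyError, IndexError):
        return None

def audit_apps(response):
    """Return (app name, finding) pairs for every deviation from the baseline."""
    findings = []
    for app in response.get("result") or []:
        name = app.get("name", "<unnamed>")
        duration = app.get("session_duration")
        hours = session_hours(duration)
        if hours is None or hours > MAX_SESSION_HOURS:
            findings.append((name, f"session_duration {duration!r} is unparseable or over {MAX_SESSION_HOURS}h"))
        for policy in app.get("policies") or []:
            label, decision = policy.get("name"), policy.get("decision")
            if decision == "bypass":
                findings.append((name, f"policy {label!r} bypasses Access"))
            if decision != "allow":
                continue
            for rule in policy.get("include") or []:
                email = (rule.get("email") or {}).get("email", "").lower()
                if email not in ALLOWED_EMAILS:
                    findings.append((name, f"policy {label!r} include rule off allowlist: {json.dumps(rule)}"))
    return findings

# Constructed sample in the assumed response shape (not real API output).
SAMPLE = {"success": True, "result": [
    {"name": "OpenClaw - DEEPCOOL", "session_duration": "24h", "policies": [
        {"name": "Only Me", "decision": "allow",
         "include": [{"email": {"email": "Ajay@bigleagueinc.com"}}]}]},
    {"name": "OpenClaw - EXAMPLE", "session_duration": "720h", "policies": [
        {"name": "Only Me", "decision": "allow", "include": [{"everyone": {}}]}]},
]}

if __name__ == "__main__":
    for app_name, finding in audit_apps(SAMPLE):
        print(f"{app_name}: {finding}")
```

To run it against live data, save the List Access Apps output to a file and pass the parsed JSON to `audit_apps`.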
Zero Trust Dashboard
Navigate to Access controls > Applications to manage apps via UI.