SYSTEM Cited by 2 sources
Cloudflare Access
Overview
Cloudflare Access is Cloudflare's identity-aware application-proxy product. It sits in front of applications (self-hosted or SaaS) and enforces identity, device and network policy via OIDC / SAML / one-time PIN flows before forwarding authenticated requests to origin. It is part of the broader Cloudflare One / Zero Trust suite.
It is closely related to, or a rebrand of, the earlier Zero Trust Access capability surfaced elsewhere in the wiki.
Managed OAuth support for agents (Agents Week 2026)
Cloudflare announced during Agents Week 2026 (see managed OAuth for Access) that Access fully supports RFC 9728 OAuth Protected Resource Metadata. Concretely:
- Access-protected applications now advertise their authorization-server discovery metadata at the RFC 9728-mandated well-known path.
- When an agent receives a protected URL and gets a 401, it can fetch the metadata, find the authorization-server URL, drive the human user through a scoped OAuth consent flow, and come out the other side with a per-agent token the Access origin accepts.
- The named demo scenario in the 2026-04-17 post has OpenCode receiving an Access-protected URL from a user, sending the user through Access's OAuth consent, and succeeding on subsequent authenticated calls — no session reuse, no token pasting, no ambient browser authority.
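The discovery step in the list above, sketched from the client side as an added example (not Cloudflare's or OpenCode's code). It follows RFC 9728: the well-known suffix is `/.well-known/oauth-protected-resource`, a 401 challenge may carry a `resource_metadata` parameter, and metadata whose `resource` value differs from the URL requested must not be used. The hostnames, the sample documents and the https-only check on authorization servers are assumptions made for the example.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"  # RFC 9728 well-known suffix

# Constructed sample data: hostnames are placeholders, not real Access values.
RESOURCE = "https://app.example.com/api"
CHALLENGE = ('Bearer resource_metadata='
             '"https://app.example.com/.well-known/oauth-protected-resource/api"')
GOOD = json.dumps({"resource": RESOURCE,
                   "authorization_servers": ["https://auth.example.com"]})
SPOOFED = json.dumps({"resource": "https://other.example.net/api",
                      "authorization_servers": ["https://auth.example.net"]})


def metadata_url(resource: str) -> str:
    """Insert the well-known suffix between the host and the resource path."""
    u = urlsplit(resource)
    if u.scheme != "https" or u.fragment:
        raise ValueError("resource identifier must be https with no fragment")
    path = "" if u.path == "/" else u.path  # drop a bare trailing slash
    return urlunsplit((u.scheme, u.netloc, WELL_KNOWN + path, u.query, ""))


def challenge_metadata_url(www_authenticate: str):
    """Return the resource_metadata URL from a 401 challenge, or None."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return m.group(1) if m else None


def authorization_servers(resource: str, metadata_body: str) -> list:
    """Return issuer URLs, refusing metadata that describes another resource."""
    meta = json.loads(metadata_body)
    if meta.get("resource") != resource:
        # Stops a hostile endpoint from steering the agent to its own issuer.
        raise ValueError("metadata 'resource' does not match requested resource")
    servers = meta.get("authorization_servers", [])
    if any(urlsplit(s).scheme != "https" for s in servers):
        raise ValueError("authorization server is not https")  # added hardening
    return servers


if __name__ == "__main__":
    print(metadata_url(RESOURCE))
    print(authorization_servers(RESOURCE, GOOD))
```
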
Why this matters for agent workloads
Pre-RFC-9728, the prevailing workaround for agents needing authenticated access was to let the agent pilot the user's browser session. This is the "use the logged-in browser" posture: agents effectively impersonate the human everywhere with no per-agent consent, no scope limitation, and no audit trail specific to the agent. This is unsafe at scale.
Access + RFC 9728 enables per-agent OAuth scoping: per-resource tokens, per-scope grants, revocable at any time, auditable per-agent in Access logs. This is the agent-ergonomic authentication primitive the industry was missing.
Relationship to Agent Readiness Score
Agent Readiness Score checks for RFC 9728 OAuth metadata presence (described under the non-scoring OAuth check in the 2026-04-17 post). Access supplies the metadata automatically for Access-protected sites — so a Cloudflare-protected origin is agent-ready on the auth axis without origin-side work.
Seen in
- sources/2025-11-18-cloudflare-outage-on-november-18-2025 — Cloudflare Access had widespread authentication failures from 11:20 UTC until the 13:05 UTC core-proxy bypass was deployed. Access depends on both the core proxy (for request routing) and Workers KV (for config / session data); both were impacted. Existing Access sessions were unaffected — the failure mode was new authentications only. All failed-authentication attempts produced error pages, so no user reached a target application while auth was broken. Successful logins during the incident were correctly logged. Any configuration updates attempted during the incident either failed outright or propagated very slowly.
- sources/2026-04-17-cloudflare-introducing-the-agent-readiness-score-is-your-site-agent-ready — canonical wiki instance for Access's RFC-9728 support; OpenCode agent-flow demo referenced.
Related
- companies/cloudflare — parent company.
- systems/cloudflare-zero-trust-access — earlier wiki page on the same product family.
- concepts/oauth-protected-resource-metadata — the standard Access now implements.
- concepts/sso-authentication — parent SSO concept.
- concepts/agent-readiness-score — graded check surface.