
Cloudflare Tunnel
Call APIs and services behind Cloudflare Access using CF-Access client credentials and curl patterns for tunnels and protected origins.
Overview
cloudflare-tunnel is an agent skill for the Operate phase that shows how to authenticate curl and API calls to services behind Cloudflare Tunnel and Access.
Install
npx skills add https://github.com/vm0-ai/vm0-skills --skill cloudflare-tunnel
What is this skill?
- CF-Access-Client-Id and CF-Access-Client-Secret header pattern on every curl request
- Combines Cloudflare Access with Bearer API tokens or HTTP basic auth
- POST JSON via /tmp/request.json and file download with -o patterns
- Trigger phrases: Cloudflare tunnel, argo tunnel, secure connectivity
Adoption & trust: 676 installs on skills.sh; 64 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your service is only reachable through Cloudflare Access and your agent or script gets blocked without the correct CF Access client headers.
Who is it for?
Operators and solo devs scripting against CF Access–protected tunnel hostnames from CI or local agents.
Skip if: you need initial cloudflared installation and tunnel provisioning from scratch, without existing Access service credentials.
When should I use this skill?
User mentions Cloudflare tunnel, argo tunnel, or secure connectivity.
What do I get? / Deliverables
You can issue authenticated GET/POST curl requests—and combine Access with app tokens or basic auth—to reach tunnel-protected endpoints reliably.
- Authenticated curl command templates
- POST and download request patterns for protected URLs
Journey fit
Operate/infra is the canonical shelf because the skill focuses on authenticated access to already-deployed services through Cloudflare Tunnel and Access—not greenfield app coding. Infra covers secure connectivity, tunnel-protected endpoints, and operational curl recipes agents use against production or staging URLs.
How it compares
Request-cookbook for Access-authenticated HTTP—not a full Terraform or Zero Trust policy designer.
Common Questions / FAQ
Who is cloudflare-tunnel for?
Builders and operators who already use Cloudflare Tunnel/Access and need copy-paste curl patterns for agents or shell automation.
When should I use cloudflare-tunnel?
In operate/infra when testing or integrating with argo tunnel or Cloudflare tunnel endpoints, or whenever the user mentions secure connectivity through Access headers.
Is cloudflare-tunnel safe to install?
It encourages use of client secrets and API tokens via environment variables; review the Security Audits panel on this Prism page and rotate credentials if exposed in chat logs.
SKILL.md
## Usage

### Basic curl Request

Add two headers to authenticate through Cloudflare Access:

```bash
curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"
```

### With Additional Authentication

Many services require both Cloudflare Access AND their own authentication:

```bash
curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Authorization: Bearer $API_TOKEN" \
  "https://your-protected-service.example.com/api/endpoint"
```

### With Basic Auth

```bash
curl -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -u "username:password" \
  "https://your-protected-service.example.com/api/endpoint"
```

### POST Request with JSON Body

Write to `/tmp/request.json`:

```json
{
  "key": "value"
}
```

Then run:

```bash
curl -s -X POST \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  -H "Content-Type: application/json" \
  -d @/tmp/request.json \
  "https://your-protected-service.example.com/api/endpoint"
```

### Download File

```bash
curl -s -o /tmp/output.file \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/file"
```

### Skip SSL Verification (Self-signed certs)

Add `-k` flag for services with self-signed certificates:

```bash
curl -k -s \
  -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
  -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
  "https://your-protected-service.example.com/api/endpoint"
```

## Required Headers

| Header | Value | Description |
|--------|-------|-------------|
| `CF-Access-Client-Id` | `<client-id>.access` | Service Token Client ID |
| `CF-Access-Client-Secret` | `<secret>` | Service Token Client Secret |

## Common Errors

| Error | Cause | Solution |
|-------|-------|----------|
| 403 Forbidden | Invalid or missing headers | Check Client ID and Secret |
| 403 Forbidden | Token not in Access policy | Add token to application's Access policy |
| 401 Unauthorized | Service's own auth failed | Check service-specific credentials |
| Connection refused | Tunnel not running | Verify cloudflared is running |

## Tips

1. **Header order doesn't matter** - CF headers can be anywhere in the request
2. **Works with any HTTP method** - GET, POST, PUT, DELETE, etc.
3. **Combine with other auth** - CF Access + Basic Auth, Bearer Token, etc.
4. **Token rotation** - Rotate secrets periodically in Zero Trust dashboard

## API Reference

- Cloudflare Access: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/
- Zero Trust Dashboard: https://one.dash.cloudflare.com/
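
An added example, not part of the skill's SKILL.md: a shell wrapper that hands the two Access headers to curl through a config read on stdin (`-K -`), which keeps the client secret out of the process argument list, and then maps the outcome to the Common Errors table. The function names and the `ACCESS_BODY_OUT` variable are assumptions made for this example, and curl exit code 7 (failed to connect) is treated as the "Connection refused" row.

```bash
# Added example, not from SKILL.md. Function names and ACCESS_BODY_OUT are
# assumptions; CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET are the page's.

# Emit a curl config (read with `curl -K -`) carrying the two Access headers,
# so the secret never appears in curl's argv. Assumes the values contain no
# double quotes or backslashes.
access_curl_config() {
  if [ -z "${CF_ACCESS_CLIENT_ID:-}" ] || [ -z "${CF_ACCESS_CLIENT_SECRET:-}" ]; then
    echo "CF_ACCESS_CLIENT_ID / CF_ACCESS_CLIENT_SECRET not set" >&2
    return 2
  fi
  case "$CF_ACCESS_CLIENT_ID" in
    *.access) ;;
    *) echo "client ID should look like <client-id>.access" >&2; return 3 ;;
  esac
  printf 'header = "CF-Access-Client-Id: %s"\n' "$CF_ACCESS_CLIENT_ID"
  printf 'header = "CF-Access-Client-Secret: %s"\n' "$CF_ACCESS_CLIENT_SECRET"
}

# Map curl's exit code ($1) and the HTTP status ($2) to the Common Errors table.
classify_access_result() {
  if [ "$1" -eq 7 ]; then          # curl exit 7: failed to connect to host
    echo "connection refused: verify cloudflared is running"
  elif [ "$1" -ne 0 ]; then
    echo "curl failed with exit code $1"
  else
    case "$2" in
      403) echo "403: check Client ID/Secret and the application's Access policy" ;;
      401) echo "401: service's own auth failed, check its credentials" ;;
      2??) echo "ok" ;;
      *)   echo "unexpected HTTP status $2" ;;
    esac
  fi
}

# Usage: access_request URL [extra curl args...]
# The response body goes to $ACCESS_BODY_OUT (default /dev/null); the
# diagnosis is printed on stdout.
access_request() {
  _url=$1; shift
  _cfg=$(access_curl_config) || return
  _rc=0
  _status=$(printf '%s\n' "$_cfg" | curl -s -K - \
    -o "${ACCESS_BODY_OUT:-/dev/null}" -w '%{http_code}' "$@" "$_url") || _rc=$?
  classify_access_result "$_rc" "$_status"
}
```

Extra arguments such as `-H "Authorization: Bearer $API_TOKEN"` or `-X POST -d @/tmp/request.json` are passed through unchanged after the URL.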