chmonitor
Authentication

Reverse proxy: Cloudflare Access

Authenticate chmonitor with Cloudflare Access — Zero Trust JWT verification, no shared secret needed.

Put chmonitor behind Cloudflare Access and let Access handle authentication. Access authenticates the user and forwards a signed JWT; chmonitor verifies it cryptographically. No shared secret needed — the signature is the proof.

  • Cloudflare Access sits in front of the chmonitor Worker.
  • On each request, Access adds a Cf-Access-Jwt-Assertion header with a signed JWT.
  • chmonitor verifies the JWT against your team's JWKS: checks the aud, issuer, exp, and RS256 signature.
  • The authenticated subject is the token's email field (falls back to sub).
  • When CHM_CF_ACCESS_* are unset, this mechanism is skipped.

Prerequisites

A Cloudflare Zero Trust account with an Access application protecting your chmonitor Worker route.

Setup

Prop

Type

Create an Access application

In the Cloudflare Zero Trust dashboard, create an Access application that protects your chmonitor Worker route.

Copy the AUD tag

Under the application settings, copy the AUD tag (also called Application Audience).

Copy your team domain

Copy your team domain — it looks like https://your-team.cloudflareaccess.com.

Set env vars

CHM_AUTH_PROVIDER=proxy
CHM_CF_ACCESS_TEAM_DOMAIN=https://your-team.cloudflareaccess.com
CHM_CF_ACCESS_AUD=<aud-tag>

Set these as Worker secrets in production:

wrangler secret put CHM_CF_ACCESS_TEAM_DOMAIN
wrangler secret put CHM_CF_ACCESS_AUD

Redeploy

Users reaching the Worker URL will be sent through the Access login flow.

Verify

Open the Worker URL in a browser. Cloudflare Access should present its login page, and after signing in you land on the dashboard with data loading normally — the forwarded Cf-Access-Jwt-Assertion JWT satisfies chmonitor's guard.

Troubleshooting

No sign-in button in the header

The VITE_AUTH_PROVIDER client var does not need to be set for proxy auth; the browser UI does not show a sign-in button (Access handles the login page externally).

On this page