Reverse proxy: Cloudflare Access
Authenticate chmonitor with Cloudflare Access — Zero Trust JWT verification, no shared secret needed.
Put chmonitor behind Cloudflare Access and let Access handle authentication. Access authenticates the user and forwards a signed JWT; chmonitor verifies it cryptographically. No shared secret needed — the signature is the proof.
- Cloudflare Access sits in front of the chmonitor Worker.
- On each request, Access adds a
Cf-Access-Jwt-Assertionheader with a signed JWT. - chmonitor verifies the JWT against your team's JWKS: checks the
aud, issuer,exp, andRS256signature. - The authenticated subject is the token's
emailfield (falls back tosub). - When
CHM_CF_ACCESS_*are unset, this mechanism is skipped.
Prerequisites
A Cloudflare Zero Trust account with an Access application protecting your chmonitor Worker route.
Setup
Prop
Type
Create an Access application
In the Cloudflare Zero Trust dashboard, create an Access application that protects your chmonitor Worker route.
Copy the AUD tag
Under the application settings, copy the AUD tag (also called Application Audience).
Copy your team domain
Copy your team domain — it looks like https://your-team.cloudflareaccess.com.
Set env vars
CHM_AUTH_PROVIDER=proxy
CHM_CF_ACCESS_TEAM_DOMAIN=https://your-team.cloudflareaccess.com
CHM_CF_ACCESS_AUD=<aud-tag>Set these as Worker secrets in production:
wrangler secret put CHM_CF_ACCESS_TEAM_DOMAIN
wrangler secret put CHM_CF_ACCESS_AUDRedeploy
Users reaching the Worker URL will be sent through the Access login flow.
Verify
Open the Worker URL in a browser. Cloudflare Access should present its login page, and after signing in you land on the dashboard with data loading normally — the forwarded Cf-Access-Jwt-Assertion JWT satisfies chmonitor's guard.
Troubleshooting
No sign-in button in the header
The VITE_AUTH_PROVIDER client var does not need to be set for proxy auth; the browser UI does not show a sign-in button (Access handles the login page externally).
Related
Authentication overview
Compare all auth providers and the two-layer model.
Trusted header
Bare identity subject via shared secret for nginx or ingress.
API keys
Add chm_ Bearer tokens for programmatic access.
Environment variables — Authentication
Every CHM_* auth variable and its default.
Feature permissions
Gate individual features to authenticated users.
Clerk
Authenticate chmonitor users with Clerk — browser sign-in via __session cookie, with optional public read-only mode and MCP OAuth support.
Reverse proxy: trusted header
Authenticate chmonitor via a reverse proxy identity header and shared secret — works with nginx, Kubernetes ingress, and any SSO auth_request setup.