← Back to Skills Marketplace

Cloudflare Access VPS

Name: Cloudflare Access VPS
Author: maverick-software

by maverick-software · GitHub ↗ · v1.0.0

cross-platform ✓ Security Clean

267

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install cloudflare-access-vps

Description

Add Cloudflare Zero Trust Access authentication to a VPS-hosted OpenClaw agent. Puts a login screen (email OTP, Google SSO, GitHub, or TOTP MFA) in front of...

README (SKILL.md)

Cloudflare Access for OpenClaw VPS Agents

Gates the entire domain with Cloudflare Zero Trust Access — every URL, including /ws, /api/, and the control UI, requires authentication before a byte reaches the VPS.

Architecture

Browser / app hits https://koda.yourdomain.com
        ↓
Cloudflare Edge
  ├── Access policy check → BLOCKED if unauthenticated (login screen shown)
  └── Authenticated → Cloudflare Tunnel → localhost:18789 → OpenClaw
                                                                ↓
                                                       Gateway token auth (layer 2)
                                                                ↓
                                                       Device pairing  (layer 3)

Prerequisites: Cloudflare Tunnel active (cloudflared service running), domain on Cloudflare DNS. See cloudflare-agent-tunnel skill if tunnel is not yet set up.

Quick Setup (5 Steps)

Step 1 — Enable Zero Trust

dash.cloudflare.com → select your account → Zero Trust
On first visit, pick a team name (e.g. teamplayers) — this becomes teamplayers.cloudflareaccess.com
Free plan: up to 50 users, no credit card required

Step 2 — Add an Identity Provider

Zero Trust → Settings → Authentication → Add new — pick one:

Provider	Best for	Setup effort
One-time PIN (email OTP)	Simplest, no external app	Zero — built-in
Google	Teams with Google Workspace	~5 min (OAuth app in Google Console)
GitHub	Developer teams	~5 min (OAuth app in GitHub)

For most solo/small team deployments, One-time PIN is sufficient and needs no external setup.

Step 3 — Create an Access Application

Zero Trust → Access → Applications → Add an application → Self-hosted

Field	Value
Application name	`OpenClaw - Koda` (or agent name)
Session duration	`24 hours` (reduce for higher security)
Application domain	`koda.yourdomain.com`
Path	(leave blank to gate entire domain)

Click Next.

Step 4 — Create an Access Policy

Policy name: Owners only (or similar)

Rule	Setting
Action	Allow
Include → Selector	Emails
Include → Value	`[email protected]` (your email)

To require MFA: Add require rule → Authentication Method → mfa (forces TOTP/hardware key on top of identity provider).

Click Next → Save.

Step 5 — Test

Open a private/incognito window → visit https://koda.yourdomain.com. You should see a Cloudflare login page. After authenticating, OpenClaw loads normally.

Multi-Agent Setup

Each agent subdomain gets its own Access Application with its own policy.

koda.teamplayers.ai    → Application: "OpenClaw - Koda"    → Policy: owners only
agent2.teamplayers.ai  → Application: "OpenClaw - Agent 2" → Policy: client X only

To add a second agent: repeat Steps 3–4 with the new subdomain.

Service Tokens (for API / Native App Access)

Browser-based Cloudflare login doesn't work for programmatic or native app connections. Use Service Tokens instead — static credentials sent as HTTP headers.

Zero Trust → Access → Service Auth → Create Service Token

Copy the CF-Access-Client-Id and CF-Access-Client-Secret.

Attach the token to the application:

In the Access Application, add a second policy:
- Action: Allow, Include → Service Token → select the token you created

The caller then sends:

CF-Access-Client-Id: \x3Cid>.access
CF-Access-Client-Secret: \x3Csecret>

For WebSocket connections (OpenClaw gateway): pass these as HTTP headers on the WS upgrade request.

Full details → references/service-tokens.md

Interaction with OpenClaw Token + Pairing

Cloudflare Access is the outer gate. OpenClaw's own auth layers still apply after it:

Layer	What it blocks
Cloudflare Access	Unauthenticated internet users (never reach the UI)
Gateway token	Anyone who bypasses Cloudflare (e.g. VPS localhost, misconfigured tunnel)
Device pairing	Someone with the token but on an unapproved browser

For existing deployments, no OpenClaw config changes are needed — Access just wraps the outside.

Troubleshooting

See references/troubleshooting.md for common issues including:

"Access denied" after login
WebSocket connections failing through Access
Service token auth not working
Bypassing Access for localhost development

Usage Guidance

This skill is a how-to guide that appears internally consistent with its purpose; it will not auto-run code on your machine. Before following it you should: (1) ensure you actually have cloudflared/tunnel and Cloudflare DNS for the domain, (2) treat CF service tokens and OpenClaw gateway tokens as sensitive secrets — store them in a vault and do not commit them to git, (3) prefer short-lived sessions/tokens and per-client tokens where possible and rotate/revoke compromised tokens promptly, (4) be aware that localhost connections bypass Cloudflare Access so lock down any services listening on the VPS (bind to localhost only, use firewall rules), (5) test WebSocket (wss://) behavior after enabling Access and confirm service-token policies include the token, and (6) monitor Zero Trust Access logs to verify expected behavior and detect unexpected usage. If you want higher assurance, request an audited install script from a trusted source rather than relying only on manual instructions.

Capability Analysis

Type: OpenClaw Skill Name: cloudflare-access-vps Version: 1.0.0 The skill bundle consists entirely of documentation and configuration guides for setting up Cloudflare Zero Trust Access to secure an OpenClaw VPS deployment. It contains no executable code, scripts, or malicious instructions, focusing instead on architectural overviews, step-by-step dashboard instructions, and troubleshooting (SKILL.md, references/service-tokens.md, references/troubleshooting.md). The content is aligned with its stated purpose of enhancing security through identity-based access control.

Capability Assessment

✓ Purpose & Capability

The name/description (Cloudflare Access for a VPS-hosted OpenClaw agent) matches the content: it documents configuring Cloudflare Zero Trust, creating Access applications/policies, and using service tokens. It correctly requires an existing cloudflared tunnel and a Cloudflare-managed domain — these are expected prerequisites.

ℹ Instruction Scope

Instructions remain focused on Cloudflare dashboard actions, Access application/policy creation, service token usage, and OpenClaw configuration. The guide tells operators to store service tokens (e.g., ~/.openclaw/secrets.json) and explains localhost bypass for development; it also documents using non-expiring service tokens (which is functional but a security choice). There are no instructions to read unrelated system files, exfiltrate data, or contact unknown endpoints.

✓ Install Mechanism

This is instruction-only (no install spec, no code files executed). That minimizes on-disk risk — nothing will be downloaded or installed automatically by the skill.

✓ Credentials

The skill does not request environment variables, secrets, or unrelated credentials. It discusses Cloudflare service tokens and OpenClaw gateway tokens, which are logically required for the documented use-cases; the guidance warns to treat them like API keys. No unrelated credentials or system config paths are asked for.

✓ Persistence & Privilege

always:false and no code means the skill cannot auto-install or persist settings. It does not ask to modify other skills or system-wide configurations. Note: the documentation explicitly states localhost connections bypass Cloudflare Access (expected behavior) — operators must secure local endpoints accordingly.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install cloudflare-access-vps
After installation, invoke the skill by name or use /cloudflare-access-vps
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release — zero-trust identity gate for OpenClaw VPS agents. Covers 5-step Cloudflare Access setup, MFA policies, service tokens for API/native app access, multi-agent patterns, and troubleshooting.

Metadata

Slug cloudflare-access-vps

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Cloudflare Access VPS?

Add Cloudflare Zero Trust Access authentication to a VPS-hosted OpenClaw agent. Puts a login screen (email OTP, Google SSO, GitHub, or TOTP MFA) in front of... It is an AI Agent Skill for Claude Code / OpenClaw, with 267 downloads so far.

How do I install Cloudflare Access VPS?

Run "/install cloudflare-access-vps" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cloudflare Access VPS free?

Yes, Cloudflare Access VPS is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Cloudflare Access VPS support?

Cloudflare Access VPS is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Cloudflare Access VPS?

It is built and maintained by maverick-software (@maverick-software); the current version is v1.0.0.

More Skills