Cloudflare Access Authentication
Sink can use Cloudflare Access as an alternative to the site token. An API request is accepted when it has either a valid NUXT_SITE_TOKEN bearer token or a valid Cloudflare Access application JWT. Sink verifies the JWT signature, issuer, audience, and expiration against the team's public keys; a header or cookie is never trusted by presence alone.
Compatibility-first setup
This setup protects the dashboard while keeping public short links and SiteToken clients unchanged.
- Create a Cloudflare Access self-hosted application for your Sink hostname.
- Cover
/dashboardand its child routes with the application path. - Do not protect
/apiat the Access proxy layer. Sink authenticates API requests with SiteToken or the signed Access application cookie. - In advanced cookie settings, leave Cookie Path disabled so the cookie reaches
/api. UseLaxorStrictSameSite when cross-site requests are unnecessary. - Configure both values and redeploy:
NUXT_CF_ACCESS_TEAM_DOMAIN=https://your-team.cloudflareaccess.com
NUXT_CF_ACCESS_AUD=your-application-aud-tagThe team domain must not include a path. Find the AUD tag in the Access application's additional settings.
Short links, static assets, and API documentation remain public at the Access layer. Sink still authenticates API operations. Protect /_docs separately if the OpenAPI schema should not be public.
Security considerations
In compatibility-first mode, Sink validates the signed JWT locally instead of asking the Access proxy to evaluate every /api request. An administrator-revoked session can therefore remain usable until its JWT expires. Choose an appropriately short Access policy or application session duration.
Because Access uses a browser cookie, Sink rejects cross-site browser requests authenticated through Access and verifies Origin for state-changing methods. SiteToken requests are unchanged; non-browser clients should use NUXT_SITE_TOKEN.
Do not expose another deployment hostname with a weak SiteToken. Protecting the dashboard hostname does not protect other hostnames routed to the same Worker or Pages project.
Logout
When the dashboard uses Access authentication, Sink redirects logout to /cdn-cgi/access/logout, which revokes the Access session across applications and clears the application cookie.
Strict setup
For stronger edge enforcement, protect both /dashboard and /api. Cloudflare then blocks requests before they reach Sink. A SiteToken-only client cannot use that hostname and must also present an Access service token or use a separate API hostname.