Configuring Token Authentication

Learn how to set access permissions to files, documents, and media using Cloudflare Token Authentication.


Cloudflare Token Authentication allows you to restrict access to documents, files, and media to selected users without requiring them to register. This helps protect paid/restricted content from leeching and unauthorized sharing. 

There are two options to configure Token Authentication: Cloudflare Workers or the Cloudflare Web Application Firewall (WAF).

Option 1: Configure using Cloudflare Workers

Review the following Cloudflare Workers documentation to configure Token Authentication:

The Auth with Headers template code contains a generic header key and value of 'X-Custom-PS' and 'mypresharedkey'. To best protect your resources, change the header key and value in the Workers editor prior to saving your code.

Option 2: Configure using a Custom WAF Rule

To configure Token Authentication with a custom WAF rule, you must have a Business or Enterprise account.
To configure Token Authentication using a custom WAF rule:

  1. Log in to your Cloudflare account.
  2. Click the appropriate Cloudflare account for the domain where you want to enable Token Authentication.
  3. Click the Firewall app.
  4. Click the Managed Rules tab, then toggle the WAF to On.
  5. Click Request a rule.

  6. Include the following information in the text box that appears:

  • the path you wish to authenticate (e.g.*);
  • the parameter name you wish the token to have (e.g. verify);
  • the desired token expiration times if any (e.g. 5 and 20 minutes); and 

  7. Finally, create and share a secret key (preferably 32 bytes long) with Cloudflare support.

We recommend using the encryption tool Keybase. After creating your shared secret, do not send it to Cloudflare via email. If needed, Cloudflare Support will advise how to share this information.

After submitting the custom WAF rule request, Cloudflare will deploy the rule to your account.

Custom WAF rules can take up to 3 business days to be implemented fully. This is due to our staff having to build, test, and deploy the rule(s).

Once the rule is added to the Cloudflare dashboard, it will look like this:

screenshot of custom WAF rules requested by Cloudflare user in the Cloudflare dashboard

You can now enable or disable each rule independently or test them in Simulate mode.

Implement token creation

Implementing token creation requires the following code at your origin server:

PHP Version

<?php
// Generate valid URL token
$secret = "thisisasharedsecret";
$time   = time();
$token  = $time . "-" . urlencode(base64_encode(hash_hmac("sha256", "/download/private.jpg$time", $secret, true)));
$param  = "verify=" . $token;
?>

Python Version

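import base64
import hmac
import time
import urllib.parse
from hashlib import sha256

secret = b"thisisasharedsecret"
timestamp = str(int(time.time()))
# HMAC-SHA256 over the URL path concatenated with the timestamp
digest = hmac.new(secret, ("/download/cat.jpg" + timestamp).encode(), sha256)
# Token format: <timestamp>-<base64 MAC>; urlencode() percent-encodes the base64 characters
param = urllib.parse.urlencode({'verify': '%s-%s' % (timestamp, base64.b64encode(digest.digest()).decode())})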

This will generate a URL parameter such as:


Which you will then need to append to any URL under the* path. For example:


Please note that the token parameter needs to be the last parameter in the query string. You can test whether URLs are being generated correctly on the server by setting the WAF rules to Simulate and monitoring the WAF logs and the Traffic app in the Cloudflare dashboard.
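To sanity-check tokens at the origin before turning the rule on, the following added example (not Cloudflare's code) builds the token in the format shown above and verifies it the way a checker for this format would: recompute the HMAC over path plus timestamp, compare in constant time, and enforce a maximum age. The check_token logic, the max_age parameter, and the example.com URL used in testing are assumptions for illustration; the WAF rule's own implementation is not shown on this page.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

SECRET = b"thisisasharedsecret"  # sample secret from the article; use your own 32-byte key


def make_token(path, secret, now=None):
    """Return '<timestamp>-<base64 HMAC-SHA256(path + timestamp)>'."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(secret, (path + ts).encode(), hashlib.sha256).digest()
    return ts + "-" + base64.b64encode(mac).decode()


def signed_url(url, secret, param="verify", now=None):
    """Append the token as the LAST query parameter, as the rule requires."""
    path = urllib.parse.urlsplit(url).path
    sep = "&" if "?" in url else "?"
    return url + sep + urllib.parse.urlencode({param: make_token(path, secret, now)})


def check_token(path, token, secret, max_age, now=None):
    """Assumed verifier logic: MAC must match this path and the token must be fresh."""
    ts, _, mac_b64 = token.partition("-")
    if not (ts.isascii() and ts.isdigit()):
        return False
    try:
        supplied = base64.b64decode(mac_b64, validate=True)
    except ValueError:  # malformed base64
        return False
    expected = hmac.new(secret, (path + ts).encode(), hashlib.sha256).digest()
    age = (time.time() if now is None else now) - int(ts)
    # compare_digest avoids leaking how many MAC bytes matched via timing
    return hmac.compare_digest(expected, supplied) and 0 <= age <= max_age
```

Because the MAC covers the path, a token issued for one file is rejected for any other file, and a token older than max_age seconds is rejected even if the MAC is valid.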
