This guide explains how to configure Lynx to use Cloudflare Zero Trust (formerly Cloudflare Access) for authentication.
Cloudflare Zero Trust provides enterprise-grade authentication with JWT-based tokens. Lynx validates these tokens to authenticate users and can optionally promote specific users to admin roles.
Prerequisites:

- A Cloudflare account with Zero Trust enabled
- A domain configured with Cloudflare
- Lynx deployed behind Cloudflare Zero Trust
Create an Access application for Lynx:

1. Log in to your Cloudflare dashboard.
2. Navigate to Zero Trust → Access → Applications.
3. Click Add an application.
4. Select Self-hosted.
5. Configure your application:
   - Application name: Lynx URL Shortener
   - Session duration: choose based on your security requirements
   - Application domain: your Lynx instance URL (e.g., lynx.example.com)
6. Under Policies, create an access policy:
   - Policy name: Allow authenticated users
   - Action: Allow
   - Configure rules: select your identity providers (e.g., Google, GitHub, Email OTP)
7. Save the application.
Then collect the two values Lynx needs:

1. In the application list, click Configure on your Lynx application.
2. Go to the Basic information tab.
3. Copy two values:
   - Application Audience (AUD) Tag: a long alphanumeric string
   - Team domain: found in Zero Trust settings, looks like https://your-team-name.cloudflareaccess.com
Set the following environment variables:

```bash
AUTH_MODE=cloudflare
CLOUDFLARE_TEAM_DOMAIN=https://your-team-name.cloudflareaccess.com
CLOUDFLARE_AUDIENCE=your-application-aud-tag
```

Optional:

```bash
CLOUDFLARE_CERTS_CACHE_SECS=86400 # Default: 24 hours
```

When Lynx starts, you should see: `Cloudflare Zero Trust authentication enabled`
Promote users to admin using the CLI:

```bash
# Promote a user
./lynx admin promote <user-sub> cloudflare
# List admins
./lynx admin list
# Demote a user
./lynx admin demote <user-sub> cloudflare
```

Note: Admin status from Cloudflare JWT claims takes precedence. Manual promotion only applies when the JWT doesn't grant admin status.
Legacy URLs will be attributed to the following placeholder user:

- User ID: 00000000-0000-0000-0000-000000000000
- Email: legacy@nonexistent.joefang.org