Allow (with auth) for a domain, but bypass auth for a path that should be available for public access?

Hi folks,

I just used a Cloudflare tunnel for a service, which is published with a domain name ( Backend is

The Access policy for that is to force users to authenticate via my authentication service (Okta), and it also does MFA. Now that works wonders whenever someone accesses or any path beyond it.

However, there is now a need for a public page (which is expected to be reachable via that I am supposed to allow. I’m feeling there are two ways I can do it, but want to consult you guys for experience:

  1. Using the existing tunnel and service, but create another Application which points to the path Then the policy is set to Bypass
  2. Using a new tunnel, with a new domain name (, with its service pointing to the path The new Application for has its policy set to Bypass

I’ve tried the first one, but it seems CORS blocked the cross-origin requests (the requests for the resources still called to, and my public page failed to display due to that). If I were to log in first instead, then refresh the public page, it now loads properly.

If using the second method, I would have to ask the guys controlling our public DNS system to add another domain name, which is a hassle (business-side, not technical-side).

Sincerely appreciate any input.
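
An added example, not part of the original post: a check for the failure described under option 1, listing which of a public page's same-host resources fall outside the bypassed path and would therefore still hit the authenticated application. The hostname, paths and HTML are constructed placeholders, and prefix matching on the path is an assumption about how the Bypass application is scoped.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed values: hostname, paths and HTML are hypothetical placeholders.
PAGE_URL = "https://app.example.com/public/index.html"
BYPASS_PREFIX = "/public"   # path given to the Bypass application (assumed)

SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="/public/js/page.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<img src="img/logo.png">
<a href="/dashboard">Dashboard</a>
"""

class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically (not <a> links)."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def covered_by_bypass(path, prefix):
    # Assumption: the bypass rule covers the prefix and everything under it.
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def still_protected(html, page_url, prefix):
    """Return same-host resource URLs that fall outside the bypassed path."""
    collector = ResourceCollector()
    collector.feed(html)
    host = urlsplit(page_url).netloc
    flagged = []
    for ref in collector.urls:
        parts = urlsplit(urljoin(page_url, ref))
        if parts.netloc == host and not covered_by_bypass(parts.path, prefix):
            flagged.append(parts.geturl())
    return flagged

if __name__ == "__main__":
    for url in still_protected(SAMPLE_HTML, PAGE_URL, BYPASS_PREFIX):
        print("still behind the auth policy:", url)
```

Every URL it reports has to move under the bypassed path or be served from a host that is not behind the authenticated application before the page can render for an unauthenticated visitor.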

Curious if you came across a resolution, looking for one myself.