JWT Verification for Cloudflare Access


Hi All,

I’m new to Cloudflare Access. I was able to configure it pretty easily, but am having some difficulty verifying JWT tokens: https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/.

My selected method is Programmatic via Python. I’ve got all the dependencies installed, and have updated the supplied script with my audience tag and auth domain. Unfortunately, I’m getting a 403 and, “missing required cf authorization token.”

In addition to the setup instructions, are there other steps I need to take verify the token?

I apologize if this is a ridiculous question or have provided incomplete information. It’s not intentional. I’m trying to learn. Thank you for your patience.


For starters, I am neither overly familiar with Access nor with Python, so I am a bit in uncharted waters here :slight_smile: however from your description and the code listed under the linked page I would get the impression the 403 you were referring to is the else branch in the first if of the wrapper function. Would that be about right?

    def wrapper():
        token = ''
        if 'CF_Authorization' in request.cookies:
            token = request.cookies['CF_Authorization']
            return "missing required cf authorization token", 403
        keys = _get_public_keys()

If that is the case it would seem as if your request did not contain the CF_Authorization cookie which is supposed to hold the token.

Cloudflare Access generated JWT tokens are available in a request header as Cf-Access-Jwt-Assertion and cookie as CF_Authorization.


Did you hardcode those variables or are you reading them in as ENV variables? If you’re reading the in, can you echo them to make sure they are correct?


Hi Sandro,

Yes. I think you’re right. Thanks!



I hardcoded the variables, copy/pasting my auth domain and audience tag.

Before I waste more of anyone’s time, I’ll explain what I’ve done. I’m a beginner. Sometimes, I think I understand how something works, but my assumptions are wrong, and it actually works in a different way.

I’m attempting verification from my local environment. The word verification suggested to me that I’d just be making sure the key pair is signing correctly. I also believed this because I read the article on how Access works. I didn’t see any of the steps hitting the actual app server, or my my case a web server, until authentication was complete at step 9. To me, that meant, I wouldn’t need to run the script from my web server. I could be completely mistaken.

In my local environment, I’m using python3. I satisfied all the dependencies and executed the script.

After seeing this, please feel free to let me know I’m going about this the wrong way. Thanks for your time! :grinning:


In that case I’d verify the authentication token is actually sent. If you dont send the authentication credentials/token you will naturally fail the authentication :slight_smile:


That sounds like a great idea. Now, I need to figure out how to do that! It’s a good learning opportunity for me. Thanks! :grinning:


You need to have a JWT token issued. https://developers.cloudflare.com/access/connecting-to-apps/service-token/ might help you in this context.


Awesome! Thank you!