Unable to use Service Auth Token

I’m unable access my Cloudflare Tunnel using a Service Token.

curl --head https://foo.example.com/ \
    -H "CF-Access-Client-Id: e70aa32...access" \
    -H "CF-Access-Client-Secret: 59d322...."

I keep getting a 401 response, no matter what settings I try, or which tokens I use.

I configured a Cloudflare Tunnel with one Public Hostname and I verified its accessible using curl before setting up an “Access application”.

  • The “Protect with Access” option for the Tunnel is disabled.

I’ve created a Service Token.

I’ve created an Applications for foo.example.com

  • Type: Self-Hosted
  • Session Duration: 24 hours
  • Enable App in App Launcher: Disabled
  • Accept all available identity providers: Enabled

The application has 1 policy assigned:

  • Action: Service Auth
  • Session Duration: Same as application
  • 401 Response: Disabled
  • Groups: None assigned (grayed out)
  • Additional rules:
    • Include
    • Selector: Service Token
    • Value: 2x Service Tokens I created

Still all I get is 401. What am I doing wrong?

This is the response I get:

HTTP/2 401
date: Thu, 01 Feb 2024 17:01:00 GMT
set-cookie: CF_Authorization=eyJraWQiOiI[snip...]; Expires=Fri, 02 Feb 2024 17:01:00 GMT; Path=/; Secure; SameSite=none
cf-cache-status: DYNAMIC
report-to: ...
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15552000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
cf-ray: 84ebc0fc1fe1844d-YVR
alt-svc: h3=":443"; ma=86400