Warp-cli: --access-client-id and --access-client-secret no longer exist?


How I can enroll linux device without GUI with warp-cli?

Seems like --access-client-id and --access-client-secret no longer exist?

root@warp-client:~# warp-cli --version
WARP 2022.4.235

warp-cli teams-enroll --help
Enroll with Cloudflare for Teams

warp-cli teams-enroll

-h, --help Prints help information
-V, --version Prints version information


I have the same question. How are we supposed to link servers up with warp-cli? These are not users logging in “for the day”, they need to be always up and connected. I got the impression this is what service tokens were for…why would you remove this functionality?

Yes it’s crazy it was availiable when we were on Free plan, now paying Standard and thinking about Enterprise and this feature dissapear…

We need more stability of core features in SECURITY SOFTWARE because Cloudflare for Teams is now announced as SECURITY SOFTWARE.

  1. Go to https://teamname.cloudflareaccess.com/warp.
  2. Open DevTools.
  3. Login.
  4. When you get a prompt about opening a link with Cloudflare WARP, press cancel.
  5. Look at the request to auth?token=<blah> & copy the Request URL that starts with com.cloudflare.warp
  6. Run warp-cli teams-enroll-token "<paste that Request URL here>"

Ideal? Probably not - but it works.

Source: strings on /usr/bin/warp-cli


Maybe the Zero Trust team can chime in with a more seamless flow.



Thanks for looking into this, I realize this is outside your scope. This doesn’t work in practice. I’m doing a fresh install on an Ubuntu 20.04 VM (I can post every single step if you’d like). The main thing is that I do the warp-cli register and warp-cli connect and those work fine.

I can certainly follow your directions, that isn’t the issue. I can run warp-cli teams-enroll-token ... and I get a Success in response. But it isn’t actually making things any better. It is actually making things works. After running register and connect if I run curl https://www.cloudflare.com/cdn-cgi/trace/ I get warp=on but gateway=off. My hope was that by running warp-cli teams-enroll, I could get gateway=on as well. But, in fact, after running the commands you suggest, not only do I get gateway=off, I also get warp=off, i.e., is appears to cancel out the previous warp-cli connect command.

Keep in mind, I’d obviously like scriptable way of implementing this for each new VM we try to deploy. So yes, in that sense it isn’t ideal. But that isn’t the part that is so frustrating here, it is the fact that none of this is even documented (and by that I mean in the documentation). Installing to headless Linux servers is a HUGE part of our use case and it is a bit shocking to me that while “Linux support” has been touted for some time, this particular use case seems to have been completely ignored. I’m not complaining, you’ve gone out of your way to help. But I’m just pointing out that a little bit of documentation could go a long way here in improving support for what must be a common use case (that or I do not understand at all what this product is for…which is entirely possible).

In any case, I’m still completely stuck.

Update: now after create MDM file we enroll device without GUI (for example linux server)


For example we can enroll device by Service Token

  1. In Zero Trust dashobard go to Access > Service Auth. Create token and save.
  2. In Zero Trust dashboard go to Settings > WARP Client > Device enrollment permissions > Manage and add Service Auth rule
  3. On Linux server install WARP and create MDM file:


with content:


and run warp-cli register && warp-cli connect

Now we are connected to our Team… but incoming connections stop working (like SSH) until warp-cli disconnect… not sure how resolve this issue

Did you ever find a solution to this? I am also experimenting with warp-cli on a Ubuntu server and it seems that if warp-cli is enabled and connected, incoming connections no longer work.

Edit: I had to exclude the public IP of the machine I am using to SSH into the server in split tunnels to connect into the server with Warp enabled. This is less than ideal.

You need to log in to your organization and set the WARP Client service mode to Proxy mode,
Settings > WARP Client > Device settings > Default > configure
Allow updates --Enabled
Service mode --Proxy mode
and run warp-cli connect

I currently use

“Gateway with WARP”

All traffic is encrypted by Gateway. This mode is required if you want to enable HTTP rules, Browser Isolation, Anti-Virus scanning and DLP.

in Proxy mode there is no HTTP rules etc.

And you connect to server only via WARP or without too?