Zero Trust - access api on a different domain, protected by zero trust

I have the following websites:


When making requests from www.x.tld to api.x.tld, they get blocked.
Both subdomains are protected by zero trust and both subdomains have the exact same rules.

I can connect to both www.x.tld and api.x.tld when accessing them directly; the problem is that requests between them get blocked.

Because the request goes to a different subdomain, there is no cookie attached to it.

How am I supposed to allow these requests to go through? Add cookies to the request manually? Add some kind of header?

I’ve tried to contact the support, but it’s been 2 weeks and the only answer they gave me was to remove all policies…

You are going to want to look at service tokens.

I cannot use service tokens for this.

The request is made from the user’s browser, from www.x.tld to api.x.tld; I don’t think I should expose a service token to my users so they can make requests.

Came here looking for the same answer; so far I’m here:

  • I have two subdomains app.domain.tld and api.domain.tld
  • I cannot use wildcards for my access policy because other subdomains shouldn’t be behind access and Cloudflare strips out wildcards that do partial matching.
  • I therefore have two policies
  • When a request from app.domain.tld is made to api.domain.tld - that request hits a 301 and returns the access paywall rather than returning a valid response from the api.