---
title: Connect through Cloudflare Access using a CLI
description: Cloudflare's cloudflared command-line tool allows you to interact with endpoints protected by Cloudflare Access.
image: https://developers.cloudflare.com/zt-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt  
> Use this file to discover all available pages before exploring further.

[Skip to content](#%5Ftop) 

### Tags

[ CLI ](https://developers.cloudflare.com/search/?tags=CLI) 

# Connect through Cloudflare Access using a CLI

**Last reviewed:**  about 5 years ago 

Cloudflare's `cloudflared` command-line tool allows you to interact with endpoints protected by Cloudflare Access. You can use `cloudflared` to interact with a protected application's API.

These instructions are not meant for configuring a service to run against an API. The token in this example is tailored to user identity and intended only for an end user interacting with an API via a command-line tool.

**This walkthrough covers how to:**

* Connect to resources secured by Cloudflare Access from a CLI

**Time to complete:**

30 minutes

---

## Authenticate a session from the command line

Once you have [installed cloudflared](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/), you can use it to retrieve a Cloudflare Access [application token](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/). This walkthrough uses the domain `example.com` as a stand-in for a protected API.

1. To generate a token, run the following command:  
Terminal window  
```  
cloudflared access login https://example.com  
```  
With this command, `cloudflared` launches a browser window containing the same Access login page found when attempting to access a web application.
2. Select your identity provider and log in.

If the browser window does not launch, you can use the unique URL that is automatically printed to the command line.

1. Once you have successfully authenticated, the browser returns the token to `cloudflared` in a cryptographic transfer and stores it.

The token is valid for the [session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) configured by the Access administrator.

## Access your API

Once you have retrieved a token, you can access the protected API. The `cloudflared` command-line tool includes a wrapper for transferring data via `curl`, which uses URL syntax (for more, see the [curl ↗](https://github.com/curl/curl) GitHub project). The wrapper injects the token into the `curl` request as a query argument named _token_. You can invoke the wrapper as follows:

Terminal window

```

cloudflared access curl http://example.com


```

It is possible also to use the `put` command with `cloudflared` for any Unix tool to include the token in the request.

Read on for other available commands.

## Available commands

### login

The `login` command initiates the login flow for an application behind Access.

Terminal window

```

cloudflared access login http://example.com


```

### curl

The `curl` command invokes the client wrapper and includes the token in the request automatically.

Terminal window

```

cloudflared access curl http://example.com


```

### token

The `token` command retrieves the token scoped to that specific application for use in other command-line tools.

Terminal window

```

cloudflared access token -app=http://example.com


```

## Using the token as an environment variable

It is possible to save the token as an environment variable for convenience and concision in scripts that access a protected application.

Set up a token as an environment variable as follows:

1. Run the following command to export the token to the shell environment:  
Terminal window  
```  
export TOKEN=$(cloudflared access token -app=http://example.com)  
```
2. Confirm the token was saved with the following:  
Terminal window  
```  
echo $TOKEN  
```

Once you have exported the token to your environment, use the variable with the Cloudflare Access request header in the script to access a protected endpoint, as in the following example:

Terminal window

```

curl -H "cf-access-token: $TOKEN" https://example.com/rest/api/2/item/foo-123


```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/tutorials/","name":"Tutorials"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/tutorials/cli/","name":"Connect through Cloudflare Access using a CLI"}}]}
```