Gateway Authorization Proxy adds identity‑based protection for any device that can reach the Internet.
Unlike earlier proxy endpoints that relied on static IPs, the new proxy verifies the user before applying policies. It works with the browser's native proxy capabilities, so no client software is required on the endpoint.
Identity integration via signed JWT cookies
The proxy creates a short‑lived JWT cookie after a successful login, linking each request to a specific user. This enables per‑user logs and granular rule enforcement.
- Redirects unknown domains to the JSON Web Token (JWT) generation flow.
- Stores a domain‑specific JWT cookie that is automatically sent on subsequent requests.
- Supports revocation of a single user's access without affecting others.
- Works with Cloudflare Access identity cookies for single‑sign‑on.
- Provides audit trails that include the exact user + resource pair.
Proxy Auto‑Configuration (PAC) File Hosting
Cloudflare now hosts PAC files, removing the need for a separate server to distribute proxy settings. Browsers fetch the file directly from Cloudflare's edge network.
- Templates are available to get a PAC file running in minutes.
- Automatic updates propagate instantly across all users.
- AI‑assisted summaries help administrators understand rule behavior.
- Supports both HTTP and HTTPS PAC URLs.
- Integrates with the Cloudflare dashboard for one‑click activation.
Multi‑provider identity support
The proxy can present several identity providers at login, making it easy to merge environments after an acquisition or to meet compliance requirements.
- Okta, Azure AD, Google Workspace, and SAML providers are all accepted.
- Admins can enable a primary provider and optionally surface secondary options.
- Each provider's authentication flow is handled by Cloudflare Access.
- Future extensions will include Kerberos, mTLS, and password‑based login.
- Policy rules can target groups from any connected provider.
Operational benefits
Moving the identity challenge to the network simplifies management and improves visibility.
- True user logs: every request shows who accessed which URL.
- Policy granularity: create rules such as "Finance can reach accounting‑tool.example.com".
- Billing simplicity: charge per active user seat, matching the Cloudflare One model.
- Fast onboarding: new users are authorized within milliseconds, invisible to the browser.
- Scalable architecture similar to patterns described in real‑time payment orchestration frameworks.
Step‑by‑step deployment guide
Follow these concise actions to enable the proxy for unmanaged devices.
- Navigate to Resolvers and Proxies in the Cloudflare dashboard.
- Select Gateway Authorization Proxy and choose the desired identity providers.
- Generate a PAC file using the provided starter template and save it to the hosted location.
- Configure browsers (or VDI images) to point to the hosted PAC URL.
- Test by visiting a new domain, then confirm that the JWT cookie is set and that the logs record the user name.
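A PAC file of the kind the steps above distribute, written here as an added example; it is not Cloudflare's starter template. The proxy hostname is a placeholder, the proxy is assumed to be reached over HTTPS, and the bypass suffixes are assumed internal zones. It returns no `DIRECT` fallback for Internet hosts, so an unreachable proxy fails closed instead of letting traffic skip the identity check.

```javascript
// Added example PAC file. PROXY_ENDPOINT is a placeholder, not a real
// Cloudflare hostname; BYPASS_SUFFIXES are assumed internal zones.
var PROXY_ENDPOINT = "HTTPS proxy-endpoint.example.invalid:443";
var BYPASS_SUFFIXES = [".corp.example", ".local"];

// True for IPv4 literals in loopback, RFC 1918 or link-local ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

// Decide whether a host stays off the proxy (internal names and addresses).
function isBypassed(host) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  if (host.indexOf(":") !== -1) return false;   // IPv6 literals go via the proxy
  if (host.indexOf(".") === -1) return true;    // single-label intranet names
  if (isPrivateIPv4(host)) return true;
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    var s = BYPASS_SUFFIXES[i];
    // Match the zone itself or a subdomain on a label boundary only.
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isBypassed(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // rather than leaving the network without identity-based policy.
  return PROXY_ENDPOINT;
}
```

The helper functions use plain string operations instead of the browser-supplied PAC helpers, so the same file can be checked under Node before it is uploaded.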