← Back
Cloudflare
Cloudflare Gateway launches authorization proxy with identity-aware policies in open beta
Cloudflare · featurereleaseapiintegration · developers.cloudflare.com ↗

Gateway Authorization Proxy Now in Open Beta

Cloudflare has released two new features for its Gateway product: the Gateway Authorization Proxy and Cloudflare-hosted PAC files. Both are now available in open beta for all plan types.

Moving Beyond IP-Based Authorization

Previously, proxy endpoints relied on static source IP addresses to authorize traffic, which provided no user-level identity information in logs or policies. The new authorization proxy replaces this IP-based approach with Cloudflare Access authentication, verifying user identity through your organization's identity provider before applying Gateway filtering.

This is particularly valuable for environments where device clients cannot be deployed, such as:

  • Virtual desktop infrastructure (VDI) environments
  • Mergers and acquisitions scenarios
  • Compliance-restricted endpoints

Key Capabilities

The authorization proxy delivers several important capabilities:

  • Identity-aware proxy traffic — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write identity-based policies like "only the Finance team can access this accounting tool."
  • Multiple identity providers — Organizations can display one or multiple login methods simultaneously, providing flexibility for businesses managing users across different identity systems.
  • Cloudflare-hosted PAC files — Create and host PAC files directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at https://pac.cloudflare-gateway.com/<account-id>/<slug> on Cloudflare's global network.
  • Simplified billing — Each user occupies a seat, exactly like they do with the Cloudflare One Client, with no new metrics to track.

Getting Started

To implement the authorization proxy:

  1. Navigate to Networks > Resolvers & Proxies > Proxy endpoints in Cloudflare One
  2. Create an authorization proxy endpoint and configure Access policies
  3. Create a hosted PAC file or write your own
  4. Configure browsers to use the PAC file URL
  5. Install the Cloudflare certificate for HTTPS inspection

See the proxy endpoints documentation for complete details.