Cloudflare launches Gateway Authorization Proxy for device-agnostic access with identity-based filtering
Cloudflare · feature, api, security, platform · blog.cloudflare.com

Gateway Authorization Proxy: Identity-Based Access Without Client Software

Cloudflare has launched the Gateway Authorization Proxy, a new security solution addressing a critical gap: protecting traffic from devices where software installation is impossible or impractical. The system moves beyond IP-based identification ("license plates") to user identity verification ("badges"), enabling granular access control on unmanaged endpoints.

The Challenge

The previous proxy endpoint system relied on static IP addresses to identify traffic sources, creating several operational headaches:

  • Anonymous logging: IP addresses alone don't reveal which user accessed what
  • Brittle policies: Users working from different locations would break endpoint configurations
  • Manual overhead: Teams had to host and maintain their own PAC (Proxy Auto-Configuration) files

The Solution: Badge-Based Access Control

The Authorization Proxy introduces Cloudflare Access-style authentication at the proxy layer. Key capabilities include:

  • True user identity integration: Logs and policies now track individual users, not just IPs. Teams can enforce rules like "only Finance can access accounting tools" without device agents
  • Flexible identity providers: Organizations can display multiple login methods simultaneously (e.g., Okta and Azure AD), ideal for M&A scenarios
  • Simplified billing: Users occupy standard "seats" aligned with Cloudflare One Client pricing

How It Works

The system uses signed JWT cookies to maintain session identity across domains:

  1. First domain visit: User is redirected to Cloudflare Access for authentication if no domain cookie exists
  2. Instant subsequent requests: Once authenticated, the cookie grants immediate access to that domain and subdomains
  3. Millisecond redirects: Global edge processing ensures authentication is imperceptible to users
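
A simplified model of this per-domain cookie flow, added here as an illustration and not Cloudflare's code. The claim names (`sub`, `dom`, `exp`), the shared HS256 key and the function names are assumptions chosen so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a shared HS256 key is an assumption made so this runs offline.
KEY = b"constructed-demo-key"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_cookie(user, domain, ttl=3600, now=None):
    """After login, mint a JWT bound to one domain. 'dom' is a hypothetical claim name."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "dom": domain, "exp": int(now) + ttl}).encode())
    return f"{header}.{body}.{_b64(_sign(header + '.' + body))}"

def verify_cookie(token, host, now=None):
    """Return the user if the token is authentic, unexpired and scoped to host, else None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        # The verifier pins the algorithm; it never reads "alg" from the header.
        if not hmac.compare_digest(_sign(header + "." + body), _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    dom = claims.get("dom", "")
    # Exact match or a true subdomain; "notexample.com" must not match "example.com".
    in_scope = bool(dom) and (host == dom or host.endswith("." + dom))
    if not in_scope or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

def handle_request(host, token, now=None):
    """Proxy-side decision for one request: allow with identity, or send to login."""
    user = verify_cookie(token, host, now) if token else None
    return ("allow", user) if user else ("redirect_to_login", None)
```

Because the cookie is scoped to one domain, a valid badge for `example.com` still produces a login redirect on the first visit to any other domain, which is the behaviour step 1 describes.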

Cloudflare also launched PAC File Hosting, allowing teams to manage proxy configurations directly on Cloudflare's platform rather than maintaining separate infrastructure. The feature includes starter templates and AI-powered documentation summaries via Cloudy.

Ideal Use Cases

  • Virtual desktop environments (VDI)
  • Merger and acquisition scenarios requiring rapid security unification
  • Compliance-restricted environments prohibiting endpoint software