Cloudflare launches Gateway Authorization Proxy for user-based access control without device clients
Cloudflare · feature, api, security, platform · blog.cloudflare.com

Moving from IP-Based to User-Based Identity

Cloudflare has released the Gateway Authorization Proxy, upgrading its legacy proxy endpoint system from IP-address-based identification to true user authentication. Previously, the system could only recognize traffic based on static source IPs—a brittle approach that broke when users changed locations or devices. The new Authorization Proxy uses Cloudflare Access-style login to verify user identity before enforcing Gateway filtering rules.

Key Features and Benefits

The Authorization Proxy brings three major improvements:

  • True Identity Logging: Proxy logs now show exactly which user accessed which site, enabling granular policies like "only Finance team members access this accounting tool"—without requiring a device client
  • Flexible Identity Providers: Organizations can display one or multiple identity providers (e.g., Okta, Azure AD) simultaneously, offering flexibility that competitors lack
  • Simplified Billing: Users occupy standard "seats" identical to Cloudflare One Client billing, eliminating complicated new metrics

Technical Implementation

The system uses signed JWT cookies to maintain user identity across requests. On first visit to a new domain, the proxy redirects users to Cloudflare Access to authenticate (if not already logged in), then generates a secure token for that domain. Subsequent visits are instant—the entire process happens at Cloudflare's edge in milliseconds, invisible to users.
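The per-domain cookie flow described above, modelled as an added example (not Cloudflare's code): the proxy redirects when no valid token is present and otherwise recovers the user from a signed JWT bound to the requested domain. The HS256 signing, the `sub`/`aud`/`exp` claim layout, the `proxy_jwt` cookie name, the key and the login URL are all assumptions made for illustration; the page does not describe the real token format.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"          # assumption: stand-in for the proxy's signing key
LOGIN_URL = "https://login.example/"   # placeholder, not a real Cloudflare endpoint
COOKIE = "proxy_jwt"                   # hypothetical cookie name

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(message: str) -> bytes:
    return hmac.new(KEY, message.encode(), hashlib.sha256).digest()

def mint(user: str, domain: str, now: float, ttl: int = 3600) -> str:
    """Issue a signed token bound to one domain through the aud claim."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "aud": domain, "exp": int(now) + ttl}).encode())
    return f"{header}.{body}.{_b64(_sign(header + '.' + body))}"

def verify(token: str, domain: str, now: float):
    """Return the user if the token is authentic, unexpired and for this domain."""
    try:
        header, body, sig = token.split(".")
        # Check the signature first, in constant time, before trusting any claim.
        if not hmac.compare_digest(_sign(header + "." + body), _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(body))
        if claims.get("aud") != domain or claims.get("exp", 0) <= now:
            return None
        return claims.get("sub")
    except (ValueError, AttributeError, TypeError):
        return None  # malformed token: treat as unauthenticated

def handle(domain: str, cookies: dict, now: float):
    """Proxy decision for one request: allow with identity, or send to login."""
    user = verify(cookies.get(COOKIE, ""), domain, now)
    if user:
        return ("allow", user)
    return ("redirect", LOGIN_URL + "?return_to=" + domain)
```

Binding the token to the domain means a cookie issued for one site fails verification if presented for another, so each new domain triggers its own redirect and token.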

Additionally, Cloudflare now offers Proxy Auto-Configuration (PAC) File Hosting, allowing organizations to host PAC files directly on Cloudflare rather than managing their own infrastructure. The platform includes starter templates and an AI assistant (Cloudy) to help administrators understand PAC file behavior.

Ideal Use Cases

The Authorization Proxy is purpose-built for scenarios where device clients cannot be installed:

  • Virtual desktop infrastructure (VDI) environments
  • Merger and acquisition scenarios requiring rapid multi-company consolidation
  • Compliance-restricted environments where software installation is prohibited

Cloudflare continues to recommend the One Client for maximum control and user experience, but the Authorization Proxy closes a critical gap for clientless security.