Gateway Authorization Proxy Now Available
Cloudflare has released the Gateway Authorization Proxy, addressing a critical gap in protecting traffic from unmanaged devices—those where installing a client is impossible or impractical. Instead of relying solely on static IP addresses, the new system uses identity-based access control similar to Cloudflare Access, moving from "license plate recognition" to "badge authentication."
Key Improvements Over Prior Solution
The previous proxy endpoint solution identified users only by IP address, creating several limitations:
- Anonymous logging: The system knew IP addresses but not the actual users behind them
- Brittle policies: Rules broke when users changed locations or networks
- Manual overhead: Teams had to self-host PAC files
The Authorization Proxy solves these issues by verifying user identity before enforcing Gateway filtering, enabling true per-user access logs and policies without device clients.
How It Works
The system uses signed JWT cookies to maintain identity across domains. When a user visits a new domain through the proxy, they're redirected to Cloudflare Access for authentication—but this process happens transparently in milliseconds. Once authenticated, subsequent requests to that domain and subdomains are instantly authorized. This approach allows Cloudflare to log and filter traffic per person across all accessed domains while enabling instant access revocation.
New Features
- Multiple identity providers: Support for displaying one or multiple login methods (e.g., Okta and Azure AD) simultaneously
- Simplified billing: Users occupy individual "seats", as with the Cloudflare One Client
- Cloudflare-hosted PAC files: Cloudflare hosts the PAC files, so teams no longer need to self-host and maintain their own proxy configuration files; AI-powered summaries of the files are available via Cloudy
- Per-user policies: Write granular rules like "only Finance team can access this accounting tool"
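The PAC file a team previously had to self-host only tells the browser where to send each request; it carries no identity, which is why the authorization has to happen at the proxy itself. The following is an added, constructed example of such a file, not Cloudflare's hosted one: the proxy hostname and internal domain are placeholders, and the helper shims at the bottom exist only so the file runs under Node (browsers supply `isPlainHostName`, `dnsDomainIs` and `shExpMatch` natively, so drop the shims from a file you actually serve).

```javascript
// Added, constructed PAC file; placeholders throughout, not Cloudflare's hosted file.
const GATEWAY_PROXY = "HTTPS gateway-proxy.example.invalid:3128"; // placeholder proxy endpoint

// The browser calls this for every request and routes according to the answer.
function FindProxyForURL(url, host) {
  // Single-label intranet names and the company's internal zone stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Loopback-style names never leave the machine.
  if (shExpMatch(host, "*.localhost") || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Everything else goes through the Gateway proxy. No "; DIRECT" fallback is
  // appended: if the proxy is unreachable the request fails closed rather than
  // silently bypassing filtering and per-user logging.
  return GATEWAY_PROXY;
}

// --- Shims for the PAC helper functions browsers provide natively. Present only
// so this file can be executed and tested under Node; remove before serving.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}
```

The fail-closed return is the security-relevant choice: a trailing `; DIRECT` keeps browsing alive when the proxy is down, but it also means any outage, or anything that makes the proxy look unreachable, quietly turns filtering off. Hosting the file with Cloudflare removes the operational burden of keeping this logic current, but whichever side hosts it, the routing decision and the identity decision remain separate.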
Ideal Use Cases
The Authorization Proxy is particularly suited for:
- Virtual desktop environments (VDI) where users access the internet through browser-only sessions
- Mergers and acquisitions requiring rapid integration of separate security infrastructures
- Regulated environments where endpoint software installation is legally or technically prohibited
Future enhancements planned include support for Kerberos, mTLS, and traditional username/password authentication methods.