Cloudflare has introduced managed OAuth[3] support for its Access platform, enabling AI agents to securely connect with internal applications. The new feature, now in open beta, allows agents that speak OAuth 2.0 to authenticate and access internal resources on behalf of a user, streamlining workflows that rely on automation.
Simplifying Agent Authentication
With managed OAuth enabled, Cloudflare Access functions as an authorization server. When an unauthorized agent attempts to access a resource, Access returns a `www-authenticate` header, directing the agent to an endpoint where it can learn how to obtain an authorization token. The agent can then initiate a standard OAuth 2.0 flow to get a token and make authenticated requests on behalf of the user. This process avoids the security[4] risks associated with service[1] accounts.
Standards-Based Approach for Agent Integration
Cloudflare’s implementation is built on open standards, including RFC[2] 9728 for OAuth server metadata discovery. This allows any compliant agent to discover how to authenticate without bespoke integrations. The company has demonstrated this by adapting the web fetch tool in Opencode to support the new flow. The approach is designed to make a wide range of internal applications, including legacy systems, immediately agent-ready without requiring code changes.
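The discovery step described above, sketched from the agent's side as an added example (not Cloudflare's or Opencode's code): it reads the `resource_metadata` parameter from the challenge and validates the RFC 9728 metadata document before trusting the authorization server it names. The hostnames, header contents and function names are constructed for illustration and are assumptions, not values from Cloudflare Access.

```python
import json
import re
from urllib.parse import urlsplit

# One auth-param: key="quoted string" or key=token
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_challenge(header):
    """Split 'Bearer k="v", k2=v2' into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for key, quoted, token in _PARAM.findall(rest):
        params[key.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
    return scheme.lower(), params


def metadata_url(header):
    """Return the resource_metadata URL advertised in a 401 challenge."""
    _, params = parse_challenge(header)
    url = params.get("resource_metadata")
    if not url:
        raise ValueError("challenge carries no resource_metadata parameter")
    if urlsplit(url).scheme != "https":
        raise ValueError("metadata URL must use https")
    return url


def authorization_servers(requested_url, metadata_json):
    """Validate the metadata document and return its issuer list."""
    meta = json.loads(metadata_json)
    # RFC 9728: metadata whose "resource" differs from the URL the client
    # requested must not be used (it could point at an attacker's issuer).
    if meta.get("resource") != requested_url:
        raise ValueError("metadata describes a different resource")
    issuers = meta.get("authorization_servers") or []
    if not issuers or any(urlsplit(i).scheme != "https" for i in issuers):
        raise ValueError("no usable https authorization server listed")
    return issuers


if __name__ == "__main__":
    # Constructed sample values, not captured from Cloudflare Access.
    target = "https://wiki.internal.example/"
    header = ('Bearer realm="access", resource_metadata='
              '"https://wiki.internal.example/.well-known/oauth-protected-resource"')
    document = json.dumps({"resource": target,
                           "authorization_servers": ["https://team.auth.example"]})
    print(metadata_url(header))
    print(authorization_servers(target, document))
```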
References
- [1] service: https://cyberwarzone.com/2026/03/16/service-account-security-how-to-control-privilege-rotation-ownership-and-trust-paths/
- [2] RFC: https://datatracker.ietf.org/doc/html/rfc9728
- [3] OAuth: https://blog.cloudflare.com/managed-oauth-for-access/
- [4] security: https://cyberwarzone.com/2026/03/19/top-10-signs-a-cve-needs-emergency-patching/



