Authentication

Setup and configure authentication for Pixelflare CDN deployments, using a provider of your choice.

Pixelflare supports the following authentication methods:

• Cloudflare Zero Trust - Cloudflare's built-in enterprise identity + access management
• OAuth - Direct OAuth integration using Auth.js
• No Authentication - Disable authentication entirely
• Mock Authentication - For local development only

---

Supported Identity Providers

Provider	OAuth	Cloudflare Zero
Apple	✅	❌
Atlassian	✅	❌
Auth0	✅	*️⃣
Authentik	✅	*️⃣
Azure Active Directory (incl. B2C)	✅	✅
Amazon Cognito	✅	*️⃣
Discord	✅	❌
Facebook	✅	✅
GitHub	✅	✅
GitLab	✅	*️⃣
Google	✅	✅
Instagram	✅	❌
Keycloak	✅	*️⃣
LinkedIn	✅	✅
Okta	✅	✅
OneLogin	✅	✅
Patreon	✅	❌
PingOne / Ping Identity	❌	✅
Reddit	✅	❌
Salesforce	❌	*️⃣
Slack	✅	❌
Twitter (v2 OAuth)	✅	❌
Yandex	✅	✅
Zoom	✅	*️⃣

Legend: ✅ Supported | ❌ Not Supported | *️⃣ Supported Indirectly

Note:

• GitLab, Salesforce, Zoom, Keycloak, Authentik, WorkOS and BoxyHQ SAML are supports on indirectly Cloudflare via SAML
• Auth0, Amazon Cognito, Keycloak, Authentik, WorkOS as well as other providers are supported on Cloudflare via OIDC
• Some auth providers are untested, and may/probably will require additional configuration, within the app and Cloudflare

---

Security Best Practices

General

1. Always use HTTPS in production - Required for secure cookies (__Secure- and __Host- prefixes)
2. Keep secrets secure - Use Cloudflare Workers secrets or environment variables, never commit to git
3. Rotate secrets regularly - Change AUTH_SECRET and API_HASH_SECRET periodically
4. Use minimum required scopes - Grant API keys only the permissions they need
5. Monitor authentication logs - Enable audit logging to track authentication events

Cloudflare Zero Trust

1. Use Zero Trust Policies - Implement granular access policies based on user identity
2. Enable session recording (optional) - Track user activities for security auditing
3. Configure session duration - Balance security and user experience
4. Use email verification - Require verified email addresses for access
5. Enable MFA - Require multi-factor authentication for sensitive operations

Auth.js

1. Use strong AUTH_SECRET - Minimum 32 bytes of entropy (use openssl rand -base64 32)
2. Protect OAuth secrets - Store GITHUB_OAUTH_CLIENT_SECRET as Workers secret
3. Configure OAuth scopes - Request only required GitHub scopes
4. Set appropriate session maxAge - Default is 7 days, adjust based on security requirements
5. Use production cookie prefixes - __Secure- prefix requires HTTPS

API Keys

1. Set expiration dates - API keys should have limited lifetimes
2. Use IP whitelisting - Restrict API key usage to known IP addresses
3. Rotate keys regularly - Replace API keys periodically, especially after team changes
4. Delete unused keys - Remove API keys that are no longer needed
5. Monitor key usage - Track last_used_at timestamps to identify inactive keys

---