Secure Cloudflare Workers for Your Team | GitHub SSO & OTP Login

Cloudflare Developers| 00:06:14|Mar 26, 2026
Chapters10
The video promises enterprise-grade authentication for any Cloudflare worker in under 60 seconds, with a simple, one-click setup and no configuration files or libraries.

Add enterprise-grade authentication to any Cloudflare worker in under 60 seconds, with GitHub SSO and OTP—no code required.

Summary

Cloudflare Developers walks you through turning a basic Cloudflare worker into a protected service in minutes, no coding needed. The presenter demonstrates enabling Cloudflare Access, then securing a worker with a one-time PIN for a quick check and a fuller login with GitHub SSO. They create a private worker from a TypeScript Hello World example, deploy it, and verify access logs to show the login event. The video then dives into integrating GitHub as an identity provider by creating a GitHub OAuth app, collecting a client ID and secret, and wiring the app through Cloudflare’s authentication settings. A policy named GitHub organization is created to limit access to a specific organization, and that policy is attached to the super private worker. The walkthrough also highlights a convenient instant-off toggle for a single-provider setup and demonstrates a logout via cookie clearing. Finally, the presenter hints at validating the user’s JWT and accessing their GitHub organization in a follow-up video, inviting audience interaction for future steps.

Key Takeaways

  • Enable enterprise-grade authentication for any Cloudflare worker in minutes by turning on Cloudflare Access and using a one-time PIN before opting for GitHub SSO.
  • Create a private worker from a TypeScript Hello World example, deploy it, then verify access through Cloudflare's Zero Trust logs under the 'zero trust' > 'logs' path.
  • Add GitHub as an identity provider by creating a GitHub OAuth app (client ID and client secret) in GitHub settings and linking it in Cloudflare's authentication setup.
  • Configure an access policy (e.g., 'GitHub organization') and attach it to the private worker to restrict access to members of a specific GitHub organization (e.g., Yelis YouTube).
  • Enable the login method in Cloudflare Access and leverage the instant-off toggle to skip the access screen when only a single provider is configured.
  • Logout can be simulated by clearing cookies, then re-authenticating to demonstrate seamless single-click sign-in with GitHub.
  • Upcoming topic indicated by the presenter includes validating the user JWT and reading their GitHub organization for deeper access control.

Who Is This For?

This is essential viewing for Cloudflare developers and DevOps teams who want zero-code authentication for workers, plus granular, organization-scoped access control via GitHub SSO.

Notable Quotes

"What if I told you that you could add enterprisegrade authentication to any Cloudflare worker in under 60 seconds? No configuration files, no authentication libraries, just a single click."
Opening pitch showing how fast and painless the setup can be.
"In a single click, didn't I say so?"
Emphasizing how OTP login can be completed quickly.
"GitHub is now set up as an identity provider."
Key moment where GitHub authentication is enabled.
"Isn't that amazing?"
Highlighting the seamlessness of the workflow after enabling GitHub SSO.
"We went from a publicly accessible worker to a protected one with organization level access."
Summarizes the security upgrade achieved by the flow.

Questions This Video Answers

  • How do you enable GitHub SSO for a Cloudflare Worker without writing code?
  • What steps are involved to set up a GitHub OAuth app for Cloudflare Access?
  • How can I restrict Cloudflare Access to a specific GitHub organization?
  • How does the OTP one-time PIN login compare to GitHub SSO in Cloudflare Access?
  • Can I audit access to a protected Cloudflare worker using the zero trust logs and where to find them?
Cloudflare WorkersCloudflare AccessZero TrustGitHub OAuthGitHub SSOOTP (one-time PIN)TypeScriptOAuth Appaccess policiesorganization access
Full Transcript
What if I told you that you could add enterprisegrade authentication to any Cloudflare worker in under 60 seconds? No configuration files, no authentication libraries, just a single click. In this video, I'm going to show you exactly how to do so. And we'll even take it a step further by adding GitHub single sign on. I'll start by creating a new worker using ppm create cloud for later super private worker. We'll use the hello world example worker only in TypeScript. We'll use git and we'll immediately deploy this application. After deploying, we should be able to get our URL. Let's open it up in our browser. Now, this is not a very secure Cloudflare worker. So, let's change that. I'm going to go to my Cloudflare dashboard. I'll click on compute and AI workers and pages and we should now have our super private worker. I'll then go to settings, click those three dots over here and turn on Cloudflare access. Here we have the audience tag and the JSON web key set URL that we won't need for now. They can both be retrieved later. Now let's open up our worker again. I'll refresh. As you can see, our worker is now secured by a one-time PIN code. Let's fill in my email address and send the code. I'm going to grab my phone and read the onetime PIN that I got. 712277. Sign in. There we go. In a single click, didn't I say so? Now, let's look at the access log event. I'll go to compute workers. We'll go to zero trust. And under logs, we should now have access logs. We'll filter by super private worker. We apply the filters. And there you go. We have one login event where access was granted from the US. That was me. We can do better than a one-time pin. Let's add login with GitHub and then add a policy that restricts access to members of my organization only. So in here I'll go to settings and first I want to show you on the custom pages our team domain. This team domain will be imported later. For me it is yells-youtube.cloudflare access.com. So I'll copy this. Now I go to settings authentication and under login methods I can add a new method. We'll choose GitHub. Now we'll need an app ID and a client secret. We can get those by following these instructions. So, inside of GitHub, I'm going to go to settings, scroll down until I see developer settings, oath applications, and then create a new oath application, and we'll create this super secret app. Now the homepage URL as you can see in the docs is the team domain we just copied but with the protocol in front of it. So we say https and then the domain. Next we need the authorization callback URL. That will be the same domain but there's this callback path appended to it. Now this callback URL is where GitHub will redirect us after authentication. Let's register the application. Great. I got my client ID and now I need to create a client secret and here I'll click generate new secret. And a new secret is created for me here. Let's copy it in here and save. Now when I click finish setup, we'll allow Cloudflare to read from this OOTH application data like public profile and organization membership. Okay, this is the OOTH screen. Note that I have this Yellow YouTube organization. I'm going to grant access to this organization and this will become important quickly. Now authorize myself. Success. GitHub is now set up as an identity provider. Now we've added a new identity provider. Now we just need to enable it and create a policy. So under access policies I'll create a new policy. The policy will be called GitHub organization and the action will be allowed. Then in this dropdown I should now see GitHub organization. This is because we added GitHub as an identity provider. The organization name is Yelis YouTube. and I'm going to save. Okay. Now, there's one more step we need to take. When I go to applications, super private worker, configure, and under policies, I need to select an existing policy. I'll add this GitHub organization policy we just created and save. I need to enable this new login method. So, under login methods, I should now see GitHub. Let's enable it. Notice this instant off toggle. This allows the user to skip the access screen if you only have one provider. Okay, let me save the application. So to simulate a log out, I'm going to clear my cookies. Storage cookies. Clear. And I'm going to refresh the page. Now I can click sign in with GitHub. And we're authenticated again. Isn't that amazing? In just a couple of minutes, we went from a publicly accessible worker to a protected one with organization level access control. We didn't have to write any code. Leave a comment below if you want to see the next video where we'll validate the user's JWT and access their current GitHub organization. Thanks for watching.

More from Cloudflare Developers

Related Videos

The End of JS thumbnail

The End of JS

 The PrimeTime
00:09:38
The Magic Behind Shiki Magic Move thumbnail

The Magic Behind Shiki Magic Move

 Joy of Code
00:40:00
How to Transcribe Audio with Scribe v2 — Speech to Text API thumbnail

How to Transcribe Audio with Scribe v2 — Speech to Text API

 ElevenLabs
00:06:24
Cybersecurity Predictions 2026: What Security Leaders Learned in 2025 thumbnail

Cybersecurity Predictions 2026: What Security Leaders Learned in 2025

 Cloudflare
00:24:18
Moltworker (for OpenClaw) & Markdown for Agents: Running AI on Cloudflare thumbnail

Moltworker (for OpenClaw) & Markdown for Agents: Running AI on Cloudflare

 Cloudflare
00:27:30
Code Mode: Giving AI Agents an Entire API in 1,000 Tokens (With Demos) thumbnail

Code Mode: Giving AI Agents an Entire API in 1,000 Tokens (With Demos)

 Cloudflare
00:42:27

Get daily recaps from
Cloudflare Developers

AI-powered summaries delivered to your inbox. Save hours every week while staying fully informed.

Get Started