APCP auth readiness

This panel shows the hosted SaaS-compatible authorization layer, Cloudflare Access activation boundary, public demo separation, and the exact local checks to run before trusting Access headers.

Local Checks

Run the Access activation package:

npm run access:activation

Read the activation state machine:

npm run publish:activation-status

Run the application auth harness:

npm run auth:check

Bundle demo, Access, and auth evidence:

npm run demo:evidence

Token-backed operator readiness endpoint:

GET /v1/workspaces/default/access-readiness

Token-backed activation status endpoint:

GET /v1/workspaces/default/access-activation-status

Read-only membership seed planner:

GET /v1/workspaces/default/membership-seeding-plan

Protected Route Plan

/operator: Operator shell can reveal private API entry points even when data still requires tokens.
/operator/intake: Protected staging intake can submit real user material and must sit behind the operator perimeter.
/v1/workspaces*: Private workspace, manifest, event, provider, or publish-run API surface.
/v1/events: Private workspace, manifest, event, provider, or publish-run API surface.
/v1/publish-runs*: Private workspace, manifest, event, provider, or publish-run API surface.
/v1/operator-submissions: Private workspace, manifest, event, provider, or publish-run API surface.
/v1/manifests*: Private workspace, manifest, event, provider, or publish-run API surface.

Cloudflare Access Checklist

Step 1: Choose the operator identity selector: explicit emails, an IdP group, an email domain, or an Access group.

Step 2: Create or select service tokens for CLI, MCP, and CI automation.

Step 3: Create a self-hosted Access application for /operator and private API path patterns.

Step 4: Attach Allow and Service Auth policies, leaving public demo and status routes outside the protected path set.

Step 5: Set CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET only in local profiles or CI secrets, never in source.

Step 6: Run npm run access:activation, npm run auth:check, and npm run demo:smoke against staging before protecting production.

Step 7: Enable AUTH_TRUST_ACCESS_HEADERS=true only after the private route set is protected by Cloudflare Access.

Stop boundary: Creating Access applications, policies, service tokens, or secrets must be approved and run against the Cloudflare account.

AUTH_TRUST_ACCESS_HEADERS=true is intentionally a post-Access switch. Leave it off until /operator and private API routes are protected at the Cloudflare edge.
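
The ordering rule above as a preflight check, written in JavaScript as an added example rather than APCP's own code: it reports AUTH_TRUST_ACCESS_HEADERS=true as safe only when every Protected Route Plan row is covered by an Access application path, and it shows header trust gated on the flag. The trailing-* wildcard semantics, the preflight and resolveIdentity helpers, and the sample paths are assumptions; Cf-Access-Authenticated-User-Email is the identity header Cloudflare Access sets.

```javascript
// Added example, not APCP code. Patterns are the Protected Route Plan rows;
// a trailing "*" is treated as a prefix wildcard (assumed pattern syntax).
const PROTECTED_ROUTES = [
  "/operator", "/operator/intake", "/v1/workspaces*", "/v1/events",
  "/v1/publish-runs*", "/v1/operator-submissions", "/v1/manifests*",
];

// True when Access path `cover` matches every path that `route` can match.
function covers(cover, route) {
  const coverWild = cover.endsWith("*");
  const routeWild = route.endsWith("*");
  const c = coverWild ? cover.slice(0, -1) : cover;
  const r = routeWild ? route.slice(0, -1) : route;
  if (coverWild) return r.startsWith(c);
  return !routeWild && r === c; // an exact path never covers a wildcard route
}

// accessPaths: paths configured on the Access application (operator input).
// publicPaths: routes that must stay outside the protected path set.
function preflight(accessPaths, publicPaths, routes = PROTECTED_ROUTES) {
  const uncovered = routes.filter((r) => !accessPaths.some((a) => covers(a, r)));
  const publicBehindAccess = publicPaths.filter((p) =>
    accessPaths.some((a) => covers(a, p)));
  return { safeToTrustHeaders: uncovered.length === 0, uncovered, publicBehindAccess };
}

// Hypothetical resolver: the Access email header is read only when the flag is
// on; otherwise a client-supplied copy of the header is ignored.
function resolveIdentity(headers, env) {
  const email = headers["cf-access-authenticated-user-email"];
  if (env.AUTH_TRUST_ACCESS_HEADERS === "true" && email) {
    return { source: "access", email };
  }
  return { source: "token-required", email: null };
}

// Constructed sample: a partial Access configuration that misses three rows.
const sample = preflight(["/operator*", "/v1/workspaces*", "/v1/events"], ["/demo"]);
console.log(sample.safeToTrustHeaders, sample.uncovered);
```

An over-broad Access path shows up in publicBehindAccess, which is the signal that a route meant to stay public has been pulled inside the protected path set.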

Raw Public Plan

Loaded from /v1/access-policy-plan.