Zero Trust Guide
How to configure Cloudflare Access to protect the Location Launchpad.
Why Zero Trust?
Cloudflare Zero Trust Access is the preferred authentication method because:
- No passwords stored in the app or database
- Email OTP — approved users get a one-time code, no account creation needed
- Granular control — add or remove approved emails instantly
- Works with custom domains — protects launchpad.sonantech.com at the network level
- Free for up to 50 seats
Setup Steps
- Go to one.dash.cloudflare.com
- Select your account → Zero Trust Free
- Go to Access Controls → Access → Applications → Add an application → Self-hosted
- Click Public DNS tab
- Click Continue with Self-hosted and private
- Set destination: Subdomain = blank, Domain = launchpad.sonantech.com, Path = blank (protects entire app)
- Under Access Policies, add policy name Internal Team, Action = Allow
- Add Include rules: Emails → add each approved email address
- Save application
Adding New Approved Users
- Go to Zero Trust → Access → Applications → click your app → Edit
- Click the Internal Team policy
- Add the new email under Include → Emails
- Save
How Users Log In
- User visits launchpad.sonantech.com
- Cloudflare Access intercepts and shows a login page
- User enters their email → Cloudflare sends a 6-digit OTP
- User enters the code → access granted for the session duration (default 24 hours)
Fallback Password Auth
If Zero Trust is not configured, the app checks for an ADMIN_PASSWORD environment variable. If set, all API requests must include:
Authorization: Bearer <base64(ADMIN_PASSWORD)>
The login page at /login.html handles this automatically. If neither Zero Trust nor ADMIN_PASSWORD is configured, the app runs open (not recommended for production).
Always use Zero Trust for production. The fallback password method stores a hashed token in localStorage and is not suitable for shared or public computers.
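A server-side check for the fallback header described above, as an added example that is not the Location Launchpad's own code. The function names and the `env` parameter (standing in for the process environment) are assumptions, and the sketch covers only the case where Zero Trust is not in front of the app.

```javascript
// Added example. Function names are hypothetical; the app's own code is not on the page.

// Build the token the header format above describes: base64(ADMIN_PASSWORD).
function expectedToken(adminPassword) {
  const bytes = new TextEncoder().encode(adminPassword);
  return btoa(String.fromCharCode(...bytes));
}

// Compare two strings without stopping at the first differing byte,
// so response time does not reveal how much of a guess was correct.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// Decide one API request. `env` stands in for process.env (assumption).
function checkFallbackAuth(authorizationHeader, env) {
  const password = env.ADMIN_PASSWORD;
  if (!password) {
    // Neither control configured: the page says the app runs open.
    return { allowed: true, status: 200, mode: 'open' };
  }
  // Accept exactly "Bearer <base64>"; anything else is rejected outright.
  const match = /^Bearer ([A-Za-z0-9+/]+={0,2})$/.exec(authorizationHeader ?? '');
  const presented = match ? match[1] : '';
  const allowed = constantTimeEqual(presented, expectedToken(password));
  return { allowed, status: allowed ? 200 : 401, mode: 'password' };
}

// The token is an encoding, not a hash: decoding it returns the password.
function recoverPassword(token) {
  const bytes = Uint8Array.from(atob(token), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}
```

Since the Bearer value decodes straight back to ADMIN_PASSWORD, treat the header as the password itself: send it only over HTTPS and rotate ADMIN_PASSWORD if the header is ever logged.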