[wrangler] Add Access Service Token support for CI/non-interactive environment

[WalshyDev]

Fixes #11881.

When running wrangler dev with remote bindings (or vitest-pool-workers with remote bindings) behind a Cloudflare Access-protected domain, Wrangler spawns cloudflared access login which opens a browser for interactive authentication. This is impossible in CI/CD environments.

This PR adds support for Cloudflare Access Service Token authentication via two new environment variables:

• CLOUDFLARE_ACCESS_CLIENT_ID -- the Access Service Token Client ID
• CLOUDFLARE_ACCESS_CLIENT_SECRET -- the Access Service Token Client Secret

When both are set, Wrangler authenticates by sending CF-Access-Client-Id and CF-Access-Client-Secret headers to the Access-protected domain -- completely bypassing the interactive cloudflared flow.

Additionally, when running in a non-interactive environment (no TTY or CI detected) without these credentials, Wrangler now throws a clear, actionable UserError instead of hanging on cloudflared access login:

The domain "example.workers.dev" is behind Cloudflare Access, but no Access Service Token
credentials were found and the current environment is non-interactive.
Set the CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET environment variables
to authenticate with an Access Service Token.
See https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/

Usage

export CLOUDFLARE_ACCESS_CLIENT_ID="<your-client-id>.access"
export CLOUDFLARE_ACCESS_CLIENT_SECRET="<your-client-secret>"
wrangler dev --remote

---

• Tests
  • Tests included/updated
  • Automated tests not possible - do not know if team has setup for this and not needed
  • Additional testing not necessary because:
• Public documentation
  • Cloudflare docs PR(s): Add docs for CLOUDFLARE_ACCESS_CLIENT_ID and CLOUDFLARE_ACCESS_CLIENT_SECRET system environment variables cloudflare-docs#29256
  • Documentation not necessary because:

---

[changeset-bot]

🦋 Changeset detected

Latest commit: 55580e4

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[workers-devprod]

Codeowners approval required for this PR:

• ✅ @cloudflare/wrangler

Show detailed file reviewers

[ask-bonk]

APIError: Not Found: Not found

github run

[ask-bonk]

@WalshyDev Bonk workflow failed. Check the logs for details.

View workflow run · To retry, trigger Bonk again.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@13031

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@13031

miniflare

npm i https://pkg.pr.new/miniflare@13031

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@13031

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@13031

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@13031

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@13031

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@13031

wrangler

npm i https://pkg.pr.new/wrangler@13031

commit: 55580e4

[github-actions]

✅ All changesets look good