Access on Workers docs (#25603)

* Access on Workers docs

* Add detail about environment variables and hero image

Author: GregBrimble

src/assets/images/workers/changelog/workers-access.png

@@ -0,0 +1,84 @@
+---
+title: One-click Cloudflare Access for Workers
+description: You can now enable Cloudflare Access for your workers.dev and preview URLs in a single click.
+products:
+  - workers
+date: 2025-10-03
+---
+
+import { DashButton } from "~/components";
+
+You can now enable [Cloudflare Access](/cloudflare-one/policies/access/) for your [`workers.dev`](/workers/configuration/routing/workers-dev/) and [Preview URLs](/workers/configuration/previews/) in a single click.
+
+![Screenshot of the Enable/Disable Cloudflare Access button on the workers.dev route settings page](~/assets/images/workers/changelog/workers-access.png)
+
+Access allows you to limit access to your Workers to specific users or groups. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [Access policy](/cloudflare-one/policies/access).
+
+To enable Cloudflare Access:
+
+1. In the Cloudflare dashboard, go to the **Workers & Pages** page.
+
+   <DashButton url="/?to=/:account/workers-and-pages" />
+
+2. In **Overview**, select your Worker.
+3. Go to **Settings** > **Domains & Routes**.
+4. For `workers.dev` or Preview URLs, click **Enable Cloudflare Access**.
+5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/policies/access/#selectors) to learn about configuring alternate rules.
+
+To fully secure your application, it is important that you validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request.
+
+The following code will validate the JWT using the [jose NPM package](https://www.npmjs.com/package/jose):
+
+```javascript
+import { jwtVerify, createRemoteJWKSet } from "jose";
+
+export default {
+	async fetch(request, env, ctx) {
+		// Get the JWT from the request headers
+		const token = request.headers.get("cf-access-jwt-assertion");
+
+		// Check if token exists
+		if (!token) {
+			return new Response("Missing required CF Access JWT", {
+				status: 403,
+				headers: { "Content-Type": "text/plain" },
+			});
+		}
+
+		try {
+			// Create JWKS from your team domain
+			const JWKS = createRemoteJWKSet(
+				new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`),
+			);
+
+			// Verify the JWT
+			const { payload } = await jwtVerify(token, JWKS, {
+				issuer: env.TEAM_DOMAIN,
+				audience: env.POLICY_AUD,
+			});
+
+			// Token is valid, proceed with your application logic
+			return new Response(`Hello ${payload.email || "authenticated user"}!`, {
+				headers: { "Content-Type": "text/plain" },
+			});
+		} catch (error) {
+			// Token verification failed
+			return new Response(`Invalid token: ${error.message}`, {
+				status: 403,
+				headers: { "Content-Type": "text/plain" },
+			});
+		}
+	},
+};
+```
+
+#### Required environment variables
+
+Add these [environment variables](/workers/configuration/environment-variables/) to your Worker:
+
+- `POLICY_AUD`: Your application's AUD tag
+- `TEAM_DOMAIN`: `https://<your-team-name>.cloudflareaccess.com`
+
+Both of these appear in the modal that appears when you enable Cloudflare Access.
+
+You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**.

src/content/changelog/workers/2025-10-03-one-click-access-for-workers.mdx

@@ -62,7 +62,7 @@ The [`wrangler versions upload`](/workers/wrangler/commands/#upload) command upl
    <DashButton url="/?to=/:account/workers-and-pages" />
 
 2. Select your Worker.
-2. Go to the **Deployments** tab, and find the version you would like to view.
+3. Go to the **Deployments** tab, and find the version you would like to view.
 
 ### Aliased preview URLs
 
@@ -97,29 +97,16 @@ The resulting alias would be associated with this version, and immediately avail
 When enabled, all preview URLs are available publicly. You can use [Cloudflare Access](/cloudflare-one/policies/access/) to require visitors to authenticate before accessing preview URLs. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [access policy](/cloudflare-one/policies/access).
 
 To limit your preview URLs to authorized emails only:
+
 1. In the Cloudflare dashboard, go to the **Workers & Pages** page.
 
    <DashButton url="/?to=/:account/workers-and-pages" />
 
-2. Select **Create application**.
-3. Select **Self Hosted**.
-4. Name your application (for example, "my-worker") and add your `workers.dev` subdomain as the **Application domain**.
-
-For example, if you want to secure preview URLs for a Worker running on `my-worker.my-subdomain.workers.dev`.
-
-- Subdomain: `*-my-worker`
-- Domain: `my-subdomain.workers.dev`
-
-:::note
-You must press enter after you input your Application domain for it to save. You will see a "Zone is not associated with the current account" warning that you may ignore.
-:::
-
-6. Go to the next page.
-7. Add a name for your access policy (for example, "Allow employees access to preview URLs for my-worker").
-8. In the **Configure rules** section create a new rule with the **Emails** selector, or any other attributes which you wish to gate access to previews with.
-9. Enter the emails you want to authorize. View [access policies](/cloudflare-one/policies/access/#selectors) to learn about configuring alternate rules.
-10. Go to the next page.
-11. Add application.
+2. In **Overview**, select your Worker.
+3. Go to **Settings** > **Domains & Routes**.
+4. For Preview URLs, click **Enable Cloudflare Access**.
+5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/policies/access/#selectors) to learn about configuring alternate rules.
+6. [Validate the Access JWT](https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/#cloudflare-workers-example) in your Worker script using the audience (`aud`) tag and JWKs URL provided.
 
 ## Toggle Preview URLs (Enable or Disable)
 
@@ -131,6 +118,7 @@ Note:
 ### From the Dashboard
 
 To toggle Preview URLs for a Worker:
+
 1. In the Cloudflare dashboard, go to the **Workers & Pages** page.
 
    <DashButton url="/?to=/:account/workers-and-pages" />
@@ -153,15 +141,19 @@ Older Wrangler versions will default to Preview URLs being enabled.
 To toggle Preview URLs for a Worker, include any of the following in your Worker's Wrangler file:
 
 <WranglerConfig>
+
 ```toml
 preview_urls = true
 ```
+
 </WranglerConfig>
 
 <WranglerConfig>
+
 ```toml
 preview_urls = false
 ```
+
 </WranglerConfig>
 
 If not given, `preview_urls = false` is the default.
@@ -175,4 +167,4 @@ If you enable or disable Preview URLs in the Cloudflare dashboard, but do not up
 - Preview URLs are not generated for Workers that implement a [Durable Object](/durable-objects/).
 - Preview URLs are not currently generated for [Workers for Platforms](/cloudflare-for-platforms/workers-for-platforms/) [user Workers](/cloudflare-for-platforms/workers-for-platforms/reference/how-workers-for-platforms-works/#user-workers). This is a temporary limitation, we are working to remove it.
 - You cannot currently configure Preview URLs to run on a subdomain other than [`workers.dev`](/workers/configuration/routing/workers-dev/).
-- You cannot view logs for Preview URLs today, this includes Workers Logs, Wrangler tail and Logpush.
+- You cannot view logs for Preview URLs today, this includes Workers Logs, Wrangler tail and Logpush.

src/content/docs/workers/configuration/previews.mdx

@@ -21,6 +21,22 @@ It's recommended to run production Workers on a [Workers route or custom domain]
 
 All Workers are assigned a `workers.dev` route when they are created or renamed following the syntax `<YOUR_WORKER_NAME>.<YOUR_SUBDOMAIN>.workers.dev`. The [`name`](/workers/wrangler/configuration/#inheritable-keys) field in your Worker configuration is used as the subdomain for the deployed Worker.
 
+## Manage access to `workers.dev`
+
+When enabled, your `workers.dev` URL is available publicly. You can use [Cloudflare Access](/cloudflare-one/policies/access/) to require visitors to authenticate before accessing preview URLs. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [access policy](/cloudflare-one/policies/access).
+
+To limit your `workers.dev` URL to authorized emails only:
+
+1. In the Cloudflare dashboard, go to the **Workers & Pages** page.
+
+   <DashButton url="/?to=/:account/workers-and-pages" />
+
+2. In **Overview**, select your Worker.
+3. Go to **Settings** > **Domains & Routes**.
+4. For `workers.dev`, click **Enable Cloudflare Access**.
+5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](/cloudflare-one/policies/access/#selectors) to learn about configuring alternate rules.
+6. [Validate the Access JWT](https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/#cloudflare-workers-example) in your Worker script using the audience (`aud`) tag and JWKs URL provided.
+
 ## Disabling `workers.dev`
 
 ### Disabling `workers.dev` in the dashboard
@@ -38,7 +54,7 @@ To disable the `workers.dev` route for a Worker:
 
 ### Disabling `workers.dev` in the Wrangler configuration file
 
-To disable the `workers.dev` route for a Worker, include the following in your Worker's  [Wrangler configuration file](/workers/wrangler/configuration/):
+To disable the `workers.dev` route for a Worker, include the following in your Worker's [Wrangler configuration file](/workers/wrangler/configuration/):
 
 <WranglerConfig>