cloudflare · Maddy-Cloudflare · Nov 4, 2025 · Nov 4, 2025 · Nov 6, 2025 · Nov 10, 2025
@@ -2301,6 +2301,7 @@
 /cloudflare-one/team-and-resources/devices/warp/user-side-certificates/ /cloudflare-one/team-and-resources/devices/user-side-certificates/ 301
 /cloudflare-one/traffic-policies/lists/ /cloudflare-one/reusable-components/lists/ 301
 /cloudflare-one/traffic-policies/ids/ /cloudflare-one/traffic-policies/enable-ids/ 301
+/cloudflare-one/team-and-resources/devices/agentless/pac-files/ /cloudflare-one/team-and-resources/devices/agentless/pac-files/configure-pac-files/ 301
 
 # Email Security new revamp (statics)
 /cloudflare-one/email-security/auto-moves/ /cloudflare-one/email-security/settings/auto-moves/ 301

@@ -0,0 +1,6 @@
+---
+pcx_content_type: how-to
+title: Best practices for writing PAC files
+sidebar:
+  order: 3
+---
@@ -1,8 +1,8 @@
 ---
 pcx_content_type: how-to
-title: PAC files
+title: Configure PAC files
 sidebar:
-  order: 1
+  order: 2
 ---
 
 import {
@@ -13,14 +13,14 @@ import {
 	APIRequest,
 } from "~/components";
 
+<GlossaryDefinition term="PAC file" prepend="A PAC file is " />
+
 :::note
-Only available on Enterprise plans.
+PAC files are only available on Enterprise plans.
 :::
 
 You can apply Gateway HTTP and DNS policies at the browser level by configuring a Proxy Auto-Configuration (PAC) file to connect to a proxy endpoint.
 
-<GlossaryDefinition term="PAC file" prepend="A PAC file is " />
-
 When end users visit a website, their browser will send the request to a Cloudflare proxy server associated with your account to be filtered by Gateway. Note that Gateway [cannot filter every type of HTTP traffic](#limitations) proxied using PAC files.
 
 ## Prerequisites
@@ -29,7 +29,9 @@ Install a [Cloudflare certificate](/cloudflare-one/team-and-resources/devices/us
 
 ## 1. Generate a proxy endpoint
 
-You can generate a proxy endpoint in Cloudflare One or through the Cloudflare API.
+You can generate two types of proxy endpoint in Cloudflare One or through the Cloudflare API: IP and Authorization. 
+
+Authorization endpoints require users to pass [Access policies](/cloudflare-one/access-controls/policies/policy-management/) to use the endpoint. Source IP endpoints only proxy traffic originating from a specific source IP.
 
 :::caution
 All devices you add to the proxy endpoint will be able to access your Cloudflare Tunnel applications and services. If you only want to proxy web traffic, you can build a network policy that blocks those source IPs from connecting to your internal resources.
@@ -43,24 +45,74 @@ All devices you add to the proxy endpoint will be able to access your Cloudflare
 
 2. Select **Create proxy endpoint**.
 
-3. Give your endpoint any name.
+3. Select between **Add an authorization endpoint** or **Add a source IP endpoint**.
+
+:::note
+Once you choose a type of proxy endpoint, you cannot revert this decision.
+:::
+
+## Authorization endpoint
+
+Authorization endpoints support being associated with [Cloudflare Access](/cloudflare-one/access-controls/policies/) to provide full authorization capabilities. Authorization endpoint allows you yo configure authorization methods (for example, with Google), before traffic is sent for processing.
+
+Authorization endpoints offer a more flexible way to authorize traffic by leveraging Cloudflare Access.
+
+If you select **Add an authorization endpoint**:
+
+1. Enter your basic information.
+
+2. Add an existing policy, or [create a new policy](/cloudflare-one/access-controls/policies/).
+
+3. Add your login method.
+
+4. Once you filled all the information, select **Save**.
+
+### Edit authorization
+
+To edit an authorization endpoint:
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Resolvers & Proxies** > **Proxy endpoints**.
+2. Select **Proxy endpoints**, and locate your authorization endpoint. The dashboard will display **Authorization** under **Type**. 
+3. Select the three dots, then select **Configure**.
+4. Choose the information you want to edit:
+    - **Basic info**: Enter your basic info, then select **Save**.
+    - **Access policies**: Here, you can:
+        - Select existing policies or create a new policy.
+        - Select the three dots that allow you to 
+    - **Login methods**: Select the [identity providers](/cloudflare-one/integrations/identity-providers/) you want to use to log in to this application.
+
+## Source IP endpoint
+
+When you configure a source IP endpoint, traffic authorization is determined by the source IP address of the incoming traffic. You configure the endpoint to allow traffic processing only from a specific pre-defined set of source IP addresses.
 
-4. Enter the public source IP address of your device(s) in CIDR notation. For example:
+If you select **Add a source IP endpoint**:
+
+1. Enter the public source IP address of your device(s) in CIDR notation. For example:
    - **IPv4**: `192.0.2.0/8`
    - **IPv6**: `2001:0db8:0000:0000:0000:1234:5678:0000/109`
 
    :::note
    Gateway limits the prefix length of source networks for proxy endpoints to `/8` for IPv4 networks and `/32` for IPv6 networks.
    :::
 
-5. Select **Save endpoint** and confirm the endpoint creation.
+2. Select **Save endpoint** and confirm the endpoint creation.
 
 Your Cloudflare proxy server domain is of the form:
 
 ```txt
 https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
 ```
 
+### Edit source IP endpoint
+
+To edit a source IP endpoint:
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Resolvers & Proxies** > **Proxy endpoints**.
+2. Select **Proxy endpoints**, and locate your authorization endpoint. The dashboard will display **Source IP** under **Type**. 
+3. Select the three dots, then select **Configure**.
+4. Edit the name and/or configure the source IPs that are allowed.
+5. Select **Save**.
+
 </TabItem>
 
 <TabItem label="API">
@@ -114,6 +166,7 @@ https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
 
 </Tabs>
 
+
 ## 2. Test your proxy server
 
 1. In [Cloudflare One](https://one.dash.cloudflare.com/), create an [HTTP policy](/cloudflare-one/traffic-policies/http-policies/) for testing purposes. For example:
@@ -164,6 +217,34 @@ function FindProxyForURL(url, host) {
 - Use a proper text editor such as VS Code to avoid added characters.
   :::
 
+To create a PAC file:
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Resolvers & Proxies** > **Proxy endpoints**.
+2. Create a proxy endpoint.
+3. Once you create a proxy endpoint, select **Add PAC files**.
+4. Here, you can add **PAC file details** and **Setup instructions**. 
+    In **PAC files details**:
+        - Enter the **Basic Information**.
+        - Enter the **PAC file configuration** > Select **Browse PAC file configuration templates** and choose a pre-configured template to customize. The only available outputs are Okta and Azure. Once you select the template, the **PAC file JavaScript** is going to be populated with a template.
+    In **Setup instructions:**
+        - Choose a browser and follow the instructions.
+4. Select **Create**.
+
+Your PAC file is of the form:
+
+```txt
+https://pac.cloudflare-gateway.com/<account-tag>/<slug>
+```
+
+### Edit your PAC files
+
+To edit your PAC files:
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Networks** > **Resolvers & Proxies** > **Proxy endpoints** > **PAC files**.
+2. Locate the PAC file you want to edit, select the three dots, then select **Configure**.
+3. Edit **PAC files details** and/or **Setup instructions**.
+4. Select **Save**.
+
 ## 4. Configure your devices
 
 All major browsers support PAC files. You can configure individual browsers, or you can configure system settings that apply to all browsers on the device. Multiple devices can call the same PAC file as long as their source IP addresses were included in the proxy endpoint configuration.
@@ -306,16 +387,4 @@ Using your proxy endpoint's domain, you can get the IP addresses assigned to the
 
 </Tabs>
 
-To ensure responses are allowed through your firewall, add an inbound rule to allow the static IPv4 address for Cloudflare proxy endpoints, `162.159.193.21`.
-
-## Limitations
-
-### Traffic limitations
-
-The agentless HTTP proxy does not support [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) or mTLS authentication.
-
-To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection).
-
-### Gateway DNS and resolver policies
-
-Gateway DNS and resolver policies will always apply to traffic proxied via PAC files, regardless of device configuration.
+To ensure responses are allowed through your firewall, add an inbound rule to allow the static IPv4 address for Cloudflare proxy endpoints, `162.159.193.21`.
@@ -0,0 +1,9 @@
+---
+pcx_content_type: how-to
+title: PAC files
+sidebar:
+  order: 1
+  group:
+    hideIndex: true
+---
+
diff --git a/...s/cloudflare-one/team-and-resources/devices/agentless/pac-files/limitations.mdx b/...s/cloudflare-one/team-and-resources/devices/agentless/pac-files/limitations.mdx
@@ -0,0 +1,18 @@
+---
+pcx_content_type: how-to
+title: Limitations
+sidebar:
+  order: 4
+---
+
+## Traffic limitations
+
+IP endpoints do not support [identity-based policies](/cloudflare-one/traffic-policies/identity-selectors/) or mTLS authentication.
+
+To enforce HTTP policies for UDP traffic, you must turn on the [Gateway proxy for UDP](/cloudflare-one/traffic-policies/http-policies/http3/#enable-http3-inspection).
+
+Authorization endpoints, do not support anything that is not HTTP/HTTPS. That means no other TCP or UDP protocol is supported, including HTTP3.
+
+## Gateway DNS and resolver policies
+
+Gateway DNS and resolver policies will always apply to traffic proxied via PAC files, regardless of device configuration.