Authentication
Every request needs a per-client bearer token
The gateway is not open. Every route is gated by a per-client bearer token. Pass it on every request:
A missing or unrecognized token returns 401 Unauthorized (with a WWW-Authenticate: Bearer header) before anything reaches the upstream — so a bad token never spends upstream credits.
How tokens are validated
The gateway never stores raw tokens. Each authorized client has one record in a Cloudflare KV namespace whose key is the SHA-256 of the token (lowercase hex) and whose value is a human-readable label for auditing. A request is authorized if and only if the SHA-256 of its token exists in that namespace.
This means tokens can be issued and revoked without redeploying the Worker.
Revocation is eventually consistent. The gateway caches KV reads for ~60 seconds at each edge location, so a freshly revoked token can keep working at a given location until that cache expires. Plan for up to a ~60s revocation lag.
Your gateway token never reaches the upstream
Before forwarding, the gateway strips the Authorization header. The upstreams authenticate with their own injected credentials (a header or query param), so your gateway token has no use upstream and never leaves the Worker.
You also never send the upstream’s own key. The gateway injects it and drops any client-supplied copy:
Example
Treat the bearer token like a password. Anyone holding it can spend the account’s upstream credits until it’s revoked — the gateway does not yet enforce per-token rate limits or spend caps.