Credential access
Reads tunnel credentials, Cloudflare tokens, and local tunnel config.
brew
Cloudflare Tunnel client (formerly Argo Tunnel). Version 2026.6.1 via Homebrew; verified 2026-06-18.
agent safety
cloudflared manages tunnels, DNS-facing connectivity, and Cloudflare access paths.
Reads tunnel credentials, Cloudflare tokens, and local tunnel config.
Can create tunnels, route traffic, and update service exposure.
Can expose local or internal services to the network.
Gate tunnel creation, route changes, token use, and service exposure.
Allow tunnel status checks; require approval before exposing endpoints or changing routes.
install
brew install cloudflaredlocal Homebrew formula metadata
sudo port install cloudflaredMacPorts ports tree · net/cloudflared/Portfile · source: api.github.com
sudo apk add cloudflaredAlpine Linux edge package indexes · cloudflared · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#cloudflarednixpkgs package indexes · pkgs/by-name/cl/cloudflared/package.nix · source: api.github.com
sudo pacman -S cloudflaredArch Linux sync databases · cloudflared · source: geo.mirror.pkgbuild.com
sudo zypper install cloudflaredopenSUSE Tumbleweed package metadata · cloudflared · source: download.opensuse.org
choco install cloudflaredChocolatey community package catalog · cloudflared · source: community.chocolatey.org
scoop install main/cloudflaredScoop official bucket manifest trees · bucket/cloudflared.json · source: api.github.com
winget install --id Cloudflare.cloudflared -eWindows Package Manager source index · Cloudflare.cloudflared · source: cdn.winget.microsoft.com
overview
Cloudflare Tunnel client (formerly Argo Tunnel)
history
cloudflared is Cloudflare's Tunnel client, the daemon/CLI that establishes outbound-only connections from private infrastructure to Cloudflare's network. It grew out of the Argo Tunnel product line and became a central piece of Cloudflare One and Zero Trust access patterns.
The official cloudflared repository was created in 2017, matching the period when Cloudflare was turning Argo Tunnel into a packaged client. Cloudflare now documents Cloudflare Tunnel as a connector that lets origins and private networks reach Cloudflare without opening inbound firewall ports.
The tool's role expanded from origin tunneling for web apps into a general Zero Trust connector: it can run as a service, authenticate tunnels with credential files, and support remotely managed tunnels through Cloudflare's dashboard and API.
cloudflared has unusually broad package-manager coverage for a vendor network daemon. The batch package metadata lists apk, Homebrew, Chocolatey, MacPorts, Nix, pacman, Scoop, winget, and zypper, reflecting demand across Linux servers, macOS developer machines, and Windows desktops.
Cloudflare's documentation and release cadence make cloudflared a common dependency in homelab, self-hosting, Kubernetes, CI, and enterprise Zero Trust deployments where operators want a reverse tunnel without exposing origin services directly.
Operators use cloudflared to create, run, and supervise Cloudflare Tunnel connectors. Typical workflows include logging in, creating a tunnel, writing config.yml, storing a tunnel credentials JSON file, and running cloudflared as a foreground process or system service.
The same executable also covers DNS-over-HTTPS proxying and other Cloudflare network utility tasks, but the Homebrew package is primarily significant as the Cloudflare Tunnel client.
cloudflared is a good example of a cloud vendor shipping a cross-platform networking daemon through mainstream package managers instead of only tarballs or curl-piped installers. Formula maintainers care about service integration, binary update speed, and config/credential paths because it is often run unattended.
Its packaging surface is broader than many cloud CLIs because it serves both developers and infrastructure operators: the same package can be used interactively on a laptop or as a long-running connector on a server.
security posture
formula declares a Homebrew service. infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
~/.cloudflared/config.yml$XDG_CONFIG_HOME/cloudflared/config.yml~/.config/cloudflared/config.ymlCredential-bearing paths to review before unattended agent runs.
~/.cloudflared/cert.pem~/.cloudflared/*.json$XDG_CONFIG_HOME/cloudflared/cert.pem$XDG_CONFIG_HOME/cloudflared/*.json~/.config/cloudflared/cert.pem~/.config/cloudflared/*.jsonexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cloudflared | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/cloudflare/cloudflared
install metadata
| Package key | brew:cloudflared |
|---|---|
| Version | 2026.6.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cloudflared |
| Homepage | https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/ |
| Repository | https://github.com/cloudflare/cloudflared |
| Upstream docs | https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel |
| License | Apache-2.0 |
| Source archive | https://github.com/cloudflare/cloudflared/archive/refs/tags/2026.6.1.tar.gz |
| Last updated | 2026-06-18T15:38:07Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cloudflared |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
cloudflared
nix profile install nixpkgs#cloudflaredcloudflared 2026.6.0-r0
Cloudflare Tunnel client
https://github.com/cloudflare/cloudflared
sudo apk add cloudflaredcloudflared-doc 2026.6.0-r0
Cloudflare Tunnel client (documentation)
https://github.com/cloudflare/cloudflared
sudo apk add cloudflared-doccloudflared-openrc 2026.6.0-r0
Cloudflare Tunnel client (OpenRC init scripts)
https://github.com/cloudflare/cloudflared
sudo apk add cloudflared-openrccloudflared 2026.6.0-1
Command-line client for Cloudflare Tunnel
https://github.com/cloudflare/cloudflared
sudo pacman -S cloudflaredcloudflared 2026.5.2-1.1
Cloudflare Tunnel client
https://github.com/cloudflare/cloudflared
sudo zypper install cloudflaredcloudflared
sudo port install cloudflaredcloudflared
choco install cloudflaredmain/cloudflared
scoop install main/cloudflaredCloudflare.cloudflared
winget install --id Cloudflare.cloudflared -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.