Cloudflare Inbox Docs

Waku + Cloudflare worker inbox

Browse docs

Cloudflare InboxProduct docs for the Waku inbox, Cloudflare bindings, and the shared web workflow.

Getting StartedRun the app locally, understand the key bindings, and know what is public versus protected.

Web AuthUnderstand the shared token/password login and the current cookie session model.

Documentation

Web Auth

Understand the shared token/password login and the current cookie session model.

View markdown Edit on GitHub

content/docs/web-auth.mdx

Auth inputs

The app accepts a single shared credential field on /login.

Either of these Worker environment values can satisfy that credential:

AUTH_PASSWORD
AUTH_TOKEN

When login is enabled, the server issues a cookie named cloudflare_inbox_session.

Current behavior:

HttpOnly
SameSite=Lax
Path=/
Max-Age=30 days
Secure when the request is HTTPS

Validation model

This alpha app does not store sessions in a database.

Instead, it computes the expected cookie value from:

a fixed app prefix
AUTH_COOKIE_SECRET
AUTH_PASSWORD
AUTH_TOKEN

That means rotating any of those values invalidates all existing sessions immediately.

Protected surfaces

/app
/send
/thread-read

The /blob route remains public for now so emailed attachment fallback links still work outside the logged-in browser session.

When to harden it later

per-user sessions
session revocation without rotating the global secret
attachment privacy on emailed /blob links
audit trails tied to individual operators