From 2492ffe1bf4f0574ff367334a1dc6d225f1540d3 Mon Sep 17 00:00:00 2001
From: Pete Bacon Darwin
Date: Fri, 15 May 2026 16:49:53 +0100
Subject: [PATCH] docs: clarify Cloudflare Access setup in populate-cache comment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous comment said simply that 'the Application at open-next-cache-populate..workers.dev should have a policy'. That wording was reused verbatim in the v1.19.10 changelog entry and turned out to be ambiguous: several users read it as 'create a new Access application for that hostname' and ended up with an upload-blocking setup (see #1171).

Restate the comment to reflect what actually works — attach the Service Auth policy to the existing Access application that already covers the hostname, typically the workers.dev wildcard — and link out to the docs section that covers the full procedure.
---
 .../cloudflare/src/cli/commands/populate-cache.ts | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/packages/cloudflare/src/cli/commands/populate-cache.ts b/packages/cloudflare/src/cli/commands/populate-cache.ts
index 13e9a8c0e..b6291bd16 100644
--- a/packages/cloudflare/src/cli/commands/populate-cache.ts
+++ b/packages/cloudflare/src/cli/commands/populate-cache.ts
@@ -406,11 +406,17 @@ async function sendEntryToR2Worker(options: { "x-opennext-cache-key": key, "content-length": fs.statSync(filename).size.toString(), // Include Access Client ID and Secret if they are set in the environment, - // to allow the worker to authenticate with the Cloudflare API when writing to R2. + // so the helper worker can be reached through Cloudflare Access. // - // The Application at "open-next-cache-populate..workers.dev" should have a policy with: - // - "Action" set to "Service Auth" - // - "Any Access Service Token" or "Service Token" + a specific service token + // If the workers.dev subdomain (or a parent route) is behind Cloudflare Access, + // attach a "Service Auth" policy to the *existing* Access application that already + // covers "open-next-cache-populate..workers.dev" — typically the + // "*..workers.dev" wildcard application. Creating a separate application + // scoped to this hostname has been observed to block the upload, even alongside + // the wildcard app. The policy should have: + // - Action set to "Service Auth" + // - An Include rule for "Any Access Service Token" or a specific Service Token + // See: https://opennext.js.org/cloudflare/cli#populating-remote-bindings-when-workers-are-protected-by-cloudflare-access ...(process.env.CLOUDFLARE_ACCESS_CLIENT_ID && process.env.CLOUDFLARE_ACCESS_CLIENT_SECRET ? { "CF-Access-Client-Id": process.env.CLOUDFLARE_ACCESS_CLIENT_ID,
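Review bot: The Include rule line in the new comment presents "Any Access Service Token" and "a specific Service Token" as equal options, but the first one lets every service token in the account satisfy the policy, so the comment should recommend a specific Service Token dedicated to this uploader as the default and describe "Any Access Service Token" as the broader fallback, for example: `// - An Include rule for a specific Service Token (preferred) or "Any Access Service Token"`. Two smaller points: the hostname appears as "open-next-cache-populate..workers.dev" with an empty segment between the two dots, so make the account-subdomain placeholder explicit rather than leaving a double dot that a reader may copy literally; and the sentence "has been observed to block the upload, even alongside the wildcard app" rests on a user report, so cite the issue next to it (#1171 per the commit message) so a future maintainer can check whether the behaviour still holds before keeping the warning.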