Are you an LLM? Read llms.txt for a summary of the docs, or llms-full.txt for the full context.
Skip to content

tuna --login

Set up Cloudflare credentials for tunnel management.

Usage

tuna --login

What It Does

  1. Prompts for your Cloudflare API token
  2. Validates the token against Cloudflare API
  3. Fetches your account ID
  4. Prompts for your root domain
  5. Verifies domain access
  6. Stores credentials in macOS Keychain

Interactive Flow

$ tuna --login
 
🔐 Tuna Login
 
Create a token at: https://dash.cloudflare.com/profile/api-tokens
Required permissions:
 Account Cloudflare Tunnel Edit
 Account Access: Apps and Policies Edit
 Zone DNS Edit
 Account Account Settings Read
 
? Enter your Cloudflare API token: ************************************
 Token validated
 Account ID: 699d98642c564d2e855e9661899b7252
 
? Enter your root domain (e.g., example.com): example.com
 Domain verified
 
 Credentials saved to macOS Keychain
 
Next steps:
  1. Add to your package.json:
     {
       "tuna": {
         "forward": "my-app.example.com",
         "port": 3000
       }
     }
  2. Run: tuna npm run dev

Creating an API Token

  1. Go to Cloudflare API Tokens
  2. Click Create Token
  3. Click Create Custom Token
  4. Configure permissions:
SectionResourcePermission
PermissionsAccount - Cloudflare TunnelEdit
PermissionsAccount - Access: Apps and PoliciesEdit
PermissionsZone - DNSEdit
PermissionsAccount - Account SettingsRead
  1. Under Zone Resources, select your domain or "All zones"
  2. Click Continue to summaryCreate Token
  3. Copy the token immediately (it won't be shown again)

Credential Storage

Credentials are stored in your macOS Keychain:

  • Service: tuna-credentials-{domain}
  • Account: {domain}
  • Data: API token, account ID, domain (JSON)

Security

  • Encrypted at rest by macOS
  • Requires biometric auth (Touch ID) or password to access
  • Never stored in files or environment variables
  • Not accessible to other applications

Multiple Domains

Run --login multiple times for different domains:

tuna --login  # Configure example.com
tuna --login  # Configure another-domain.com

Each domain's credentials are stored separately.

Updating Credentials

Run --login again to update credentials for a domain. The old credentials will be replaced.

Troubleshooting

"Invalid API token"

  • Check for typos when pasting
  • Ensure the token hasn't expired
  • Verify the token has all required permissions

"Domain not found"

  • Ensure the domain is added to your Cloudflare account
  • Check that your token has access to that zone
  • Use just the root domain (e.g., example.com, not www.example.com)

"Could not save to Keychain"

  • Check System Preferences → Security & Privacy → Privacy
  • Ensure your terminal app has Keychain access
  • Try running in a new terminal window

See Also