Skip to content

[AI Gateway] Document Access user metadata#31833

Draft
kennyj42 wants to merge 5 commits into
cloudflare:productionfrom
kennyj42:kjohnson/ai-gateway-access-identity
Draft

[AI Gateway] Document Access user metadata#31833
kennyj42 wants to merge 5 commits into
cloudflare:productionfrom
kennyj42:kjohnson/ai-gateway-access-identity

Conversation

@kennyj42

@kennyj42 kennyj42 commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add AI Gateway custom domains documentation focused on Access-protected hostnames and provider-relative routing.
  • Add dashboard and API configuration examples for custom domains, including the required DNS CNAME step.
  • Document reserved cf.* metadata and automatic cf.user_id injection for Access-authenticated custom domain requests.
  • Add an AI Gateway changelog entry for identity-aware controls.

Source context

  • cloudflare/aig/aig-worker-config-api!641: custom-domain config plane CRUD and SSL-for-SaaS provisioning.
  • cloudflare/aig/ai-gateway-infra!486: custom-domain data plane and Access JWT auth.
  • cloudflare/aig/ai-gateway-infra!681: inject Access JWT sub as cf.user_id metadata.
  • cloudflare/aig/ai-gateway-infra!716: release bundle expected to ship this work.

Validation

  • pnpm exec prettier --write
  • pnpm exec prettier --check src/content/docs/ai-gateway/configuration/custom-domains.mdx
  • git diff --check
  • pnpm run check currently fails on generated skills/turnstile-spin Worker types (ExportedHandler / Fetcher) unrelated to this PR. No MDX/frontmatter errors were reported before that failure.


## Limitations

- Custom-domain routes are provider-relative. Do not include `/v1/{account_id}/{gateway_id}` in the path when using the custom hostname.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(a) This isn't a limitation, this is a feature! You get to skip account Id/gateway ID
(b) It's not that these are provider-relative, you can use the compat APIs with this approach too

One current limitation though is that it doesn't (yet) work with the newer Rest API endpoints.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in the latest push: reframed the shorter custom-domain path as a feature, called out compat routes explicitly, and replaced that limitation with the current limitation that newer REST API endpoints are not supported yet.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skip me to all restricted connection approved direct

@kennyj42 kennyj42 force-pushed the kjohnson/ai-gateway-access-identity branch from 9301f10 to df86644 Compare July 1, 2026 17:27
You can also create and manage custom domains through the Cloudflare API.

:::note
The custom domains API is not yet included in the public API reference while the contract is still being finalized.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The custom domains API is not yet included in the public API reference while the contract is still being finalized.
The custom domains API is not yet included in the public API and is coming soon.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated this note in the latest push. I kept the same meaning but used 'will be added after the contract is finalized' to avoid the docs style warning around 'coming soon'.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

product:ai-gateway AI Gateway: https://developers.cloudflare.com/ai-gateway/ product:changelog size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.