Workspaces and Cloudflare connections

This guide explains how the app treats workspace separation and Cloudflare access as first-class setup concepts.


How workspace boundaries, token validation, capability inspection, and zone discovery are supposed to work in the current product.

  • Workspace boundaries
  • Connection validation and capability checks
  • Zone discovery expectations
  • Visibility gaps caused by token scope
Applies to: Windows, macOS, Linux
Covers: Workspaces, Connections, Zones, Security

Why workspaces exist

Workspaces are not decorative folders.

They keep separate:

  • Cloudflare connections
  • scan history
  • finding notes
  • suppressions
  • exports

What connection validation should do

Connection validation is expected to answer:

  • Is the token accepted?
  • Which Cloudflare surfaces are visible?
  • Which capabilities are missing?
  • Can the product discover zones from this connection?

Zone discovery expectations

A successful connection should let the app discover zones that the token can legitimately see.

If expected zones are missing:

  1. verify the token scope
  2. verify account context
  3. verify the token is being applied to the intended workspace

Why capability gaps matter

Capability gaps should remain visible in the UI and later in scan output. That is why the product treats visibility gaps as audit facts, not minor warnings.
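
The sketch below is an added example, not the product's own code. It shows one way connection validation could answer the four questions above and carry capability gaps into scan output as audit facts. The surface names, the probe-status convention (200 visible, 403 missing capability), the "active" token status and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical surface names; the product's real list is not given on this page.
SURFACES = ("zones", "dns_records", "waf_rules", "access_apps")

@dataclass
class ValidationReport:
    workspace: str
    token_accepted: bool
    visible: list = field(default_factory=list)
    gaps: list = field(default_factory=list)   # kept as audit facts
    zones: list = field(default_factory=list)

    @property
    def can_discover_zones(self):
        return self.token_accepted and "zones" in self.visible

def validate_connection(workspace, token_status, probes, zone_names):
    """Answer the four validation questions from read-only probe results.

    probes maps surface -> HTTP status of a read-only request (assumed:
    200 means visible, 403 means the token lacks that capability).
    """
    report = ValidationReport(workspace, token_accepted=(token_status == "active"))
    for surface in SURFACES:
        status = probes.get(surface) if report.token_accepted else None
        if status == 200:
            report.visible.append(surface)
            continue
        if not report.token_accepted:
            reason = "token_rejected"
        elif status == 403:
            reason = "missing_capability"
        else:
            reason = "not_probed" if status is None else f"http_{status}"
        report.gaps.append({"surface": surface, "reason": reason})
    if report.can_discover_zones:
        report.zones = sorted(zone_names)
    return report

def scan_output(report, findings):
    """Emit per-surface coverage so an unseen surface never reads as clean."""
    unseen = {g["surface"] for g in report.gaps}
    coverage = {s: "not_assessed" if s in unseen else "assessed" for s in SURFACES}
    return {"workspace": report.workspace, "coverage": coverage,
            "gaps": report.gaps, "findings": list(findings)}

# Constructed sample: an active token that cannot read WAF rules or Access apps.
SAMPLE = validate_connection("client-a", "active",
    {"zones": 200, "dns_records": 200, "waf_rules": 403}, ["example.org", "example.com"])
```

A scan that returns no findings for a surface marked `not_assessed` says nothing about that surface, which is the reason to keep the gap list next to the findings in every export.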