
Using Cloudflare Tunnels to access your SPIN Runtime

Cloudflare Tunnels is a service that allows you to make your SPIN runtime accessible from the internet while still allowing it to run behind a firewall.

Quick Tunnels

For trial and testing purposes, you can use quick tunnels, which allow you to create a tunnel without signing up with Cloudflare.

Docker Compose Example

services:
  cloudflare-tunnel:
    image: cloudflare/cloudflared:2025.8.0
    restart: unless-stopped
    command: tunnel --url http://spin-runtime:8888/
  spin-runtime:
    image: ghcr.io/siftd/spin-runtime:latest
    environment:
      - SPIN_TOKEN=<SPIN_TOKEN>
    volumes:
      - ${PWD}/runtime-data:/opt/spin/var
    restart: unless-stopped

Replace <SPIN_TOKEN> with the token you receive in the SPIN UI when creating a new runtime. Then start the containers:

docker compose up -d

Getting the Runtime URL

To obtain the runtime URL, view the logs of the cloudflare-tunnel container:

docker compose logs cloudflare-tunnel

This will output something like:

cloudflare-tunnel-1  | 2025-08-12T05:52:14Z INF +--------------------------------------------------------------------------------------------+
cloudflare-tunnel-1  | 2025-08-12T05:52:14Z INF |  Your quick Tunnel has been created! Visit it at (it may take some time to be reachable):  |
cloudflare-tunnel-1  | 2025-08-12T05:52:14Z INF |  https://toronto-foul-enlargement-gothic.trycloudflare.com                                 |
cloudflare-tunnel-1  | 2025-08-12T05:52:14Z INF +--------------------------------------------------------------------------------------------+

Grab the URL (https://toronto-foul-enlargement-gothic.trycloudflare.com in the example above) and paste it in the SPIN UI runtime URL field.

Quick Tunnel Limitations

  • The URL will change on every restart (this requires you to update the runtime config in the SPIN UI)
  • No uptime guarantees by Cloudflare
  • Best suited for testing before setting up a permanent tunnel

Quick tunnels are ideal for getting something up and running quickly for testing, before investing time and resources (a DNS domain on Cloudflare is required for regular tunnels) to set up a permanent tunnel.

Permanent Tunnels

For production use, you should set up a permanent tunnel.

Prerequisites:
  • A Cloudflare account
  • A DNS domain on Cloudflare

Steps:
  1. Configure the tunnel in the Cloudflare dashboard
  2. Run spin-runtime with a cloudflared sidecar in Docker

Configure Cloudflare Tunnel

First, head over to your Cloudflare dashboard, then navigate to Zero Trust -> Networks -> Tunnels.
[Screenshot: Create Tunnel in Cloudflare dashboard]
Next, provide a name for your tunnel and click Create tunnel.
[Screenshot: Provide a name for your tunnel]
In the next step, all we need is the tunnel token. Copy the docker command and grab the token (which is everything after the --token flag). We’ll use this token in the next step when we configure the SPIN runtime in Docker Compose.
[Screenshot: Copy the tunnel token]
Lastly, we’ll configure the route for the tunnel. You’ll have to provide:
  • A: A hostname for the tunnel
  • B: Select a DNS domain you own on Cloudflare
  • C: The service URL: http://spin-runtime:8888/
[Screenshot: tunnel route configuration with the fields A, B and C]
The tunnel will be reachable at https://<hostname>.<domain>. In the example above, the tunnel will be reachable at https://mytunnel.spintun.net. This is the value we’ll provide when configuring the runtime in the SPIN UI.

Run SPIN Runtime with Cloudflare Tunnel

---
version: "3.7"
services:
  cloudflare-tunnel:
    image: cloudflare/cloudflared:2025.8.0
    restart: unless-stopped
    command: tunnel run --token <CLOUDFLARE_TUNNEL_TOKEN>
  spin-runtime:
    image: ghcr.io/siftd/spin-runtime:latest
    environment:
      - SPIN_TOKEN=<SPIN_TOKEN>
    volumes:
      - ${PWD}/runtime-data:/opt/spin/var
    restart: unless-stopped

Replace <SPIN_TOKEN> with the token you receive in the SPIN UI when creating a new runtime and replace <CLOUDFLARE_TUNNEL_TOKEN> with the token you copied in the previous step. Then start the containers:

docker compose up -d
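
A variant of the permanent-tunnel compose file above that keeps both tokens out of the container command line and out of the compose file, added here as an example and not taken from the SPIN or Cloudflare documentation. It relies on cloudflared reading the tunnel token from the TUNNEL_TOKEN environment variable, and assumes a .env file next to the compose file; the variable name CLOUDFLARE_TUNNEL_TOKEN in that file is a choice made for this example.

```yaml
# docker-compose.yml (added example, not the project's own file)
#
# Assumed .env file next to this one, chmod 600 and listed in .gitignore:
#   CLOUDFLARE_TUNNEL_TOKEN=<CLOUDFLARE_TUNNEL_TOKEN>
#   SPIN_TOKEN=<SPIN_TOKEN>
services:
  cloudflare-tunnel:
    image: cloudflare/cloudflared:2025.8.0
    restart: unless-stopped
    # Before: command: tunnel run --token <CLOUDFLARE_TUNNEL_TOKEN>
    # With --token the secret is part of the process arguments, so it shows
    # up in `ps` on the host and in any copy of this file that gets shared
    # or committed. Passing it through TUNNEL_TOKEN avoids both.
    command: tunnel run
    environment:
      # ${VAR:?msg} makes `docker compose up` fail if the value is missing,
      # instead of starting cloudflared with an empty token.
      - TUNNEL_TOKEN=${CLOUDFLARE_TUNNEL_TOKEN:?set CLOUDFLARE_TUNNEL_TOKEN in .env}
  spin-runtime:
    image: ghcr.io/siftd/spin-runtime:latest
    environment:
      - SPIN_TOKEN=${SPIN_TOKEN:?set SPIN_TOKEN in .env}
    volumes:
      - ${PWD}/runtime-data:/opt/spin/var
    restart: unless-stopped
    # As in the original file, there is no `ports:` entry: the runtime is
    # reachable only over the compose network, that is, through the tunnel.
```

Environment variables are still readable by anyone who can run docker inspect on the host, so access to the Docker socket remains equivalent to access to both tokens.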