From 4b50aca2147d85aac39320091b5cba5fc6f76e72 Mon Sep 17 00:00:00 2001
From: Shogo Yamazaki <pgp@mocknen.net>
Date: Mon, 3 Nov 2025 15:42:53 +0900
Subject: [PATCH] Prevent loading the origin certificate for remotely-managed
 tunnels

---
 cmd/cloudflared/tunnel/cmd.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go
index 925333a4..37667724 100644
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@@ -459,9 +459,10 @@ func StartServer(
 		}
 	}
 
-	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	var isFEDEndpoint bool
-	if err != nil {
+	if c.String(TunnelTokenFlag) != "" || c.String(TunnelTokenFileFlag) != "" {
+		isFEDEndpoint = false
+	} else if userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log); err != nil {
 		isFEDEndpoint = false
 	} else {
 		isFEDEndpoint = userCreds.IsFEDEndpoint()