AI Security Rules & DLP

How do I set up Cloudflare Gateway? (Complete guide)

Cloudflare Gateway provides network-level AI tool blocking. The full setup has 5 parts. Everything below is done by the admin — team members only need to install WARP (Part 5).

**Part 1 — Create a Cloudflare account**

1. Go to dash.cloudflare.com/sign-up
2. Sign up with Google, GitHub, or Apple (free)
3. Select the free Zero Trust plan (up to 50 users)
4. You'll be asked to set a **team name** (e.g. 'teamprompt') — note this, your team needs it later

**Part 2 — Connect TeamPrompt to Cloudflare**

1. In Cloudflare: go to dash.cloudflare.com/profile/api-tokens
2. Click 'Create Token' → scroll down → click 'Get started' next to 'Create Custom Token'
3. Token name: 'TeamPrompt'
4. Permissions: set the 3 dropdowns to Account → Zero Trust → Edit
5. Account Resources: Include → All accounts
6. Click 'Continue to summary' → 'Create Token' → copy the token
7. In TeamPrompt: Settings → Integrations → Cloudflare Gateway → Connect
8. Paste your Account ID (found on the Cloudflare dashboard home page, right sidebar) and the API token

**Part 3 — Choose which AI tools to approve/block**

The TeamPrompt wizard shows all 18 AI tools. Toggle each one to approve or block. TeamPrompt creates DNS block rules in Cloudflare automatically. Most teams approve ChatGPT, Claude, and Gemini, then block everything else.

**Part 4 — Set up Cloudflare Zero Trust for devices**

This is done in the Cloudflare Zero Trust dashboard (one.dash.cloudflare.com):

1. Go to Team & Resources → Devices → Device profiles
2. Click the Default profile
3. Set **Service mode** to **'DNS only'** — this is critical. Do NOT choose 'Traffic and DNS' — that requires installing a root CA certificate on every device and causes certificate errors on websites. TeamPrompt's browser extension already handles content-level scanning, so Cloudflare only needs DNS-level blocking.
4. Save the profile
5. Set up an **enrollment policy** so your team can connect:
   - Go to Team & Resources → Devices → Management tab
   - Click 'Manage' under Device enrollment permissions
   - Click 'Add a rule'
   - Selector: 'Emails ending in' → Value: '@yourcompany.com' → Action: Allow
   - Save

Without this enrollment policy, team members will see 'Enrollment request is invalid' when trying to connect WARP.

**Part 5 — Deploy WARP to team devices**

Each team member needs to install Cloudflare WARP:

1. Download WARP from one.one.one.one (available for Windows, macOS, iOS, Android, Linux)
2. Open WARP app → click gear icon → Preferences → Account
3. Click 'Login to Cloudflare Zero Trust'
4. Enter the team name (e.g. 'teamprompt')
5. Authenticate with company email (one-time code or SSO)
6. WARP switches to Zero Trust mode — done

For managed devices: use MDM (Intune, JAMF, Google Admin Console) to push WARP silently with auto-enrollment.

For office-only: set your office router's DNS to your Cloudflare Gateway IP instead of installing WARP on each device. This protects everyone on the network but not remote workers.

Once WARP is enrolled, blocked AI tools show a Cloudflare block page saying the tool is not approved.
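To confirm that the DNS block rules from Part 3 match the intended policy, an admin can audit the rule list that the Cloudflare API returns for the account (the list Zero Trust Gateway rules endpoint, called with the Part 2 token). The script below is an added example, not TeamPrompt's or Cloudflare's code. It assumes the rules use the Gateway Domain selector (`dns.domains`) in their `traffic` expression; the response and all domain names are constructed placeholders.

```python
import json
import re

# Constructed sample of a "list Gateway rules" API response (not real data).
SAMPLE_RESPONSE = json.dumps({"success": True, "result": [
    {"name": "Block tools A and B", "action": "block", "enabled": True, "filters": ["dns"],
     "traffic": 'any(dns.domains[*] in {"ai-tool-a.example" "ai-tool-b.example"})'},
    {"name": "Block tool C", "action": "block", "enabled": False, "filters": ["dns"],
     "traffic": 'any(dns.domains[*] == "ai-tool-c.example")'},
    {"name": "Allow intranet", "action": "allow", "enabled": True, "filters": ["dns"],
     "traffic": 'any(dns.domains[*] == "intranet.example")'},
]})

QUOTED = re.compile(r'"([A-Za-z0-9.-]+)"')


def blocked_domains(response_text):
    """Return domains named by enabled DNS block rules that use dns.domains."""
    body = json.loads(response_text)
    if not body.get("success"):
        raise ValueError("API call failed: %s" % body.get("errors"))
    domains = set()
    for rule in body.get("result") or []:
        traffic = rule.get("traffic") or ""
        if (rule.get("action") == "block" and rule.get("enabled")
                and "dns" in (rule.get("filters") or [])
                and "dns.domains" in traffic):
            domains.update(d.lower() for d in QUOTED.findall(traffic))
    return domains


def covered(domain, blocked):
    """The Domain selector also matches subdomains, so check every parent."""
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def audit(response_text, should_block, approved):
    """Compare the live rule set with the intended approve/block lists."""
    blocked = blocked_domains(response_text)
    return {
        "missing_blocks": sorted(d for d in should_block if not covered(d, blocked)),
        "approved_but_blocked": sorted(d for d in approved if covered(d, blocked)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE, ["ai-tool-a.example", "ai-tool-c.example"],
                ["chat.ai-tool-b.example", "intranet.example"]))
```

A disabled rule counts as a missing block, and an approved hostname under a blocked parent domain is reported as blocked.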