Install on Cloudflare
One-click connect — Frenemy adds a tiny observer Worker in front of your site.
Frenemy for Cloudflare installs itself. You connect your Cloudflare account with one click (or paste a scoped API token), and Frenemy adds a small observer Worker in front of your site. There's nothing to copy, paste, or deploy by hand.
The observer is observe-only and fails open: if it ever has a problem, your visitors are served exactly as they were before. You can turn it off in seconds whenever you want.
- 1Add site
- 2Connect
- 3Verify
- 4Done
Before you start
- Your site is served through Cloudflare — Cloudflare is your DNS and proxy (the orange cloud). Most sites on Cloudflare qualify.
- You can approve an app on your Cloudflare account, or create a scoped API token.
- If your site is itself a Cloudflare Worker or Pages app — your own code answers every request — that isn't a guided setup yet. The wizard will tell you and add you to the list.
- 1
Add your site
Sign in at app.frenemy.dev. On the first screen, enter your site's address — for example, example.com — and click Continue.
Frenemy checks where your site is hosted. When it sees you're on Cloudflare, it routes you straight to the one-click connect.
Add your site
Enter your site’s address — we’ll find where it’s hosted and set up the fastest connection for you.
Your site’s addressexample.comContinueFinding where your site is hosted…
Illustration — the first wizard screen. - 2
Connect Cloudflare
Click Connect Cloudflare. You'll approve Frenemy on Cloudflare's own screen — we never see your Cloudflare password.
Cloudflare grants can't be limited to a single zone, so the approval is account-wide. Frenemy uses it once to set this one site up, then releases it right away.
TipPrefer not to grant account-wide access? Use the scoped API token instead — same result, narrower permissions. See “Connect with an API token” below.
Connect your Cloudflare account
Connect CloudflareYou’ll approve Frenemy on Cloudflare’s own screen — we never see your password. We use the grant once to set up this one site, then release it.
Prefer not to grant account-wide access? Paste a scoped Cloudflare API token instead
Illustration — the one-click Cloudflare connect. - 3
Confirm what Frenemy will add
Frenemy shows you exactly what it will create before it touches anything. On example.com that's three things: a small observer Worker, its secret (your site key), and the route that points your traffic through it.
If your account has more than one zone, pick the one for your site. Then click Create — I understand what's being added.
Confirm what Frenemy will add
In your Cloudflare account, on example.com, Frenemy will create:
- ⚙a Worker named
frenemy-observer-example-com— observe-only; fails open - 🔑its secret
FRENEMY_SITE_KEY - ↳the route
example.com/*
Illustration — the confirm screen; nothing is created until you approve it. - ⚙a Worker named
- 4
You're connected
That's it — the observer runs at Cloudflare's edge, so there's nothing for you to deploy. Frenemy sends a single test request to your /robots.txt to confirm the connection, and the wizard flips to Connected.
From that moment, every automated visitor to example.com is verified, classified, and counted.
Verify example.com
CONNECTED ✓Your first event is in — Frenemy is watching, and every visitor from this moment is counted.
Go to my dashboardIllustration — the wizard confirms the connection.
Connect with an API token (instead of one-click)
Rather grant narrower access? Create a scoped Cloudflare API token and paste it into the wizard. It's used for a single setup request and never stored.
In Cloudflare, go to My Profile → API Tokens → Create Token, and next to “Create Custom Token” click Get started. Name it something like “Frenemy setup” and add the five permissions shown here.
Set Account Resources to your account and Zone Resources → Include → your domain. Continue to summary → Create Token, copy it, and paste it into the wizard. Frenemy sets everything up the same way.
Create Custom Token — permissions
Account · Workers Scripts · EditCopyAccount · Cloudflare Pages · ReadCopyZone · Zone · ReadCopyZone · DNS · ReadCopyZone · Workers Routes · EditCopyWhat this install can see
Every number in your dashboard traces to what this install can actually observe — nothing is estimated or filled in.
Every request that reaches your site through Cloudflare — pages, static files, and cached hits alike. Because Cloudflare hands Frenemy the true client IP, verified badges run at full strength here.
Traffic that Cloudflare's own zone-level rules block before it ever reaches the Worker.
Troubleshooting Cloudflare
The wizard says a Worker already serves this hostname.
That usually means your site is itself a Cloudflare Worker or Pages app. Frenemy can't add itself in front of a Worker-served site without shadowing it, so setup stops and nothing is created. You're welcome to stay on the list while that setup becomes supported.
It's set up, but Install & health still says WAITING.
Open Install & health in your dashboard. For a Cloudflare install, confirm the route is example.com/* and that FRENEMY_ENABLED is set to 1, then click Send a test hit. If it still won't connect, email support and we'll look with you.
“Frenemy is already set up on this site.”
You've connected this site before. Use Re-key it — issue a fresh key & re-deploy from the confirm screen to rotate the key without changing the route.
More fixes in Troubleshooting, or email support@frenemy.dev and a human will help.