Install guide

Install on Cloudflare

Frenemy for Cloudflare installs itself. You connect your Cloudflare account with one click (or paste a scoped API token), and Frenemy adds a small observer Worker in front of your site. There's nothing to copy, paste, or deploy by hand.

The observer is observe-only and fails open: if it ever has a problem, your visitors are served exactly as they were before. You can turn it off in seconds whenever you want.

The flow
  1. 1Add site
  2. 2Connect
  3. 3Verify
  4. 4Done

Before you start

  • Your site is served through Cloudflare — Cloudflare is your DNS and proxy (the orange cloud). Most sites on Cloudflare qualify.
  • You can approve an app on your Cloudflare account, or create a scoped API token.
  • If your site is itself a Cloudflare Worker or Pages app — your own code answers every request — that isn't a guided setup yet. The wizard will tell you and add you to the list.
  1. 1

    Add your site

    Sign in at app.frenemy.dev. On the first screen, enter your site's address — for example, example.com — and click Continue.

    Frenemy checks where your site is hosted. When it sees you're on Cloudflare, it routes you straight to the one-click connect.

    app.frenemy.dev

    Add your site

    Enter your site’s address — we’ll find where it’s hosted and set up the fastest connection for you.

    Your site’s address
    example.comContinue

    Finding where your site is hosted…

    Illustration — the first wizard screen.
  2. 2

    Connect Cloudflare

    Click Connect Cloudflare. You'll approve Frenemy on Cloudflare's own screen — we never see your Cloudflare password.

    Cloudflare grants can't be limited to a single zone, so the approval is account-wide. Frenemy uses it once to set this one site up, then releases it right away.

    TipPrefer not to grant account-wide access? Use the scoped API token instead — same result, narrower permissions. See “Connect with an API token” below.

    app.frenemy.dev

    Connect your Cloudflare account

    Connect Cloudflare

    You’ll approve Frenemy on Cloudflare’s own screen — we never see your password. We use the grant once to set up this one site, then release it.

    Illustration — the one-click Cloudflare connect.
  3. 3

    Confirm what Frenemy will add

    Frenemy shows you exactly what it will create before it touches anything. On example.com that's three things: a small observer Worker, its secret (your site key), and the route that points your traffic through it.

    If your account has more than one zone, pick the one for your site. Then click Create — I understand what's being added.

    app.frenemy.dev

    Confirm what Frenemy will add

    In your Cloudflare account, on example.com, Frenemy will create:

    • a Worker named frenemy-observer-example-com — observe-only; fails open
    • 🔑its secret FRENEMY_SITE_KEY
    • the route example.com/*
    Create — I understand what’s being added
    Illustration — the confirm screen; nothing is created until you approve it.
  4. 4

    You're connected

    That's it — the observer runs at Cloudflare's edge, so there's nothing for you to deploy. Frenemy sends a single test request to your /robots.txt to confirm the connection, and the wizard flips to Connected.

    From that moment, every automated visitor to example.com is verified, classified, and counted.

    app.frenemy.dev

    Verify example.com

    CONNECTED ✓

    Your first event is in — Frenemy is watching, and every visitor from this moment is counted.

    Go to my dashboard
    Illustration — the wizard confirms the connection.

Connect with an API token (instead of one-click)

Rather grant narrower access? Create a scoped Cloudflare API token and paste it into the wizard. It's used for a single setup request and never stored.

In Cloudflare, go to My Profile → API Tokens → Create Token, and next to “Create Custom Token” click Get started. Name it something like “Frenemy setup” and add the five permissions shown here.

Set Account Resources to your account and Zone Resources → Include → your domain. Continue to summary → Create Token, copy it, and paste it into the wizard. Frenemy sets everything up the same way.

dash.cloudflare.com/profile/api-tokens

Create Custom Token — permissions

Account · Workers Scripts · EditCopy
Account · Cloudflare Pages · ReadCopy
Zone · Zone · ReadCopy
Zone · DNS · ReadCopy
Zone · Workers Routes · EditCopy
Illustration — the five permissions to add when creating a custom Cloudflare API token.

What this install can see

Every number in your dashboard traces to what this install can actually observe — nothing is estimated or filled in.

It sees

Every request that reaches your site through Cloudflare — pages, static files, and cached hits alike. Because Cloudflare hands Frenemy the true client IP, verified badges run at full strength here.

It doesn’t see

Traffic that Cloudflare's own zone-level rules block before it ever reaches the Worker.

Troubleshooting Cloudflare

The wizard says a Worker already serves this hostname.

That usually means your site is itself a Cloudflare Worker or Pages app. Frenemy can't add itself in front of a Worker-served site without shadowing it, so setup stops and nothing is created. You're welcome to stay on the list while that setup becomes supported.

It's set up, but Install & health still says WAITING.

Open Install & health in your dashboard. For a Cloudflare install, confirm the route is example.com/* and that FRENEMY_ENABLED is set to 1, then click Send a test hit. If it still won't connect, email support and we'll look with you.

“Frenemy is already set up on this site.”

You've connected this site before. Use Re-key it — issue a fresh key & re-deploy from the confirm screen to rotate the key without changing the route.

More fixes in Troubleshooting, or email support@frenemy.dev and a human will help.