tools.xlrd.org.Authenticate Cloudflare CLI on your Mac. Opens browser, click Authorize. Stored in ~/.wrangler/config/default.toml.
# If wrangler not installed yet: brew install cloudflare-wrangler # Login (browser opens, click Authorize): wrangler login # Verify: wrangler whoami
Create a service token in Cloudflare dashboard. Used for iOS Shortcut to authenticate inbound requests at tools.xlrd.org via the Cloudflare Access app.
# GUI path (one-time, browser): # 1. dash.cloudflare.com -> Zero Trust -> Access -> Service Auth # 2. Create Service Token, name: "xen-ios-shortcut" # 3. Save Client ID + Client Secret (you'll see them ONCE) # OR via API: curl -X POST "https://api.cloudflare.com/client/v4/accounts/$CF_ACCOUNT_ID/access/service_tokens" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ --data '{"name":"xen-ios-shortcut","duration":"forever"}'
Three secrets are needed by the worker. Run in the tools-runtime/ wrangler project directory.
# Peer token (used by iOS Shortcut + IFTTT applets): wrangler secret put XEN_TOOLS_TOKEN # <- paste a strong random token (openssl rand -hex 32) # HMAC signing key (separate from peer token): wrangler secret put XEN_HMAC_KEY # <- paste another strong random key # Omnimind inject token (same value as Win/Mac XEN_MAC_TOKEN): wrangler secret put XEN_MAC_TOKEN # <- paste from ~/.xen/secrets.env XEN_MAC_TOKEN value
Map the tools.xlrd.org hostname to the worker. Already declared in wrangler.toml via [[routes]] but needs Cloudflare to recognize the zone.
# Ensure xlrd.org zone is in your Cloudflare account. # Add A or CNAME record for tools.xlrd.org pointing anywhere (worker overrides): curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \ -H "Authorization: Bearer $CF_API_TOKEN" \ -H "Content-Type: application/json" \ --data '{"type":"AAAA","name":"tools","content":"100::","proxied":true}' # Then deploy worker — route is auto-applied via wrangler.toml: cd tools-runtime wrangler deploy # Verify: curl https://tools.xlrd.org/health
Install the xen-tool-call.ios-shortcut.json on your iPhone. Spec was dropped at ~/.xen/state/xen-tool-call.ios-shortcut.json on m4 (mac-xen).
# From mac-xen, generate an iCloud sharing link: osascript <<EOF tell application "Shortcuts" import shortcut from POSIX file "/Users/qi/.xen/state/xen-tool-call.shortcut" set linkURL to iCloud link of last shortcut return linkURL end tell EOF # OR open the .shortcut file directly from Mail/Messages on the iPhone # (iOS gotcha: "Allow Untrusted Shortcuts" toggle hidden until at least one # shortcut has run on the device — see canon_agent_urls:72) # Once installed: # Settings -> Shortcuts -> Advanced -> Allow Sharing Large Amounts of Data ON # Hey Siri "Hey Xen [your trigger phrase]" -> routes to tools.xlrd.org
# From any machine — should return 200 + ok:true TOKEN=$(cat ~/.xen/secrets.env | grep XEN_TOOLS_TOKEN | cut -d= -f2) BODY='{"test":"hello from cli"}' SIG=$(echo -n "$BODY" | openssl dgst -sha256 -hmac "$HMAC_KEY" -hex | cut -d' ' -f2) curl -X POST https://tools.xlrd.org/ifttt/paypal-paid \ -H "X-Xen-Token: $TOKEN" \ -H "X-Xen-Sig: $SIG" \ -H "Content-Type: application/json" \ --data "$BODY" # Then say "Hey Siri, Hey Xen test" — should land in omnimind pane via inject
Worker source: /tools-worker/worker.js · Wrangler template: /tools-worker/wrangler.toml.template · Canon: canon_ifttt_tools_xlrd_org_3layer_auth_2026-05-22