chore: switch to access info

this should be more in line with workerd architecture. we separate the
polymorphism to something that AccessContext wraps around rather than
having AccessContext itself be polymorphic.

Signed-off-by: Matt Provost <mprovost@cloudflare.com>

Author: BSFishy

src/workerd/api/global-scope.c++

@@ -21,6 +21,7 @@
 #include <workerd/api/tracing.h>
 #include <workerd/api/util.h>
 #include <workerd/api/worker-rpc.h>
+#include <workerd/io/access-info.h>
 #include <workerd/io/compatibility-date.h>
 #include <workerd/io/features.h>
 #include <workerd/io/io-context.h>
@@ -97,18 +98,27 @@ jsg::Optional<jsg::Ref<Tracing>> ExecutionContext::getTracing(jsg::Lock& js) {
 }
 
 kj::StringPtr AccessContext::getAud() {
-  JSG_FAIL_REQUIRE(Error, "Access context is not available.");
+  return info->getAudience();
 }
 
-jsg::Promise<jsg::JsValue> AccessContext::getIdentity(jsg::Lock& js) {
-  JSG_FAIL_REQUIRE(Error, "Access context is not available.");
+jsg::Promise<jsg::Optional<jsg::JsValue>> AccessContext::getIdentity(jsg::Lock& js) {
+  auto& ioctx = IoContext::current();
+  return ioctx.awaitIo(js, info->getIdentity(),
+      [](jsg::Lock& js, kj::Maybe<kj::String> json) -> jsg::Optional<jsg::JsValue> {
+    KJ_IF_SOME(j, json) {
+      return jsg::JsValue(js.parseJson(j).getHandle(js));
+    }
+    return kj::none;
+  });
 }
 
 jsg::Optional<jsg::Ref<AccessContext>> ExecutionContext::getAccess(jsg::Lock& js) {
-  // Hook for the embedding application to provide an AccessContext.
-  // The default Worker::Api implementation returns kj::none.
-  if (IoContext::hasCurrent()) {
-    return Worker::Isolate::from(js).getApi().getCtxAccessProperty(js);
+  // Pull the per-request AccessInfo (if any) off the current IncomingRequest. Standalone workerd
+  // never supplies one; production embedders construct one before calling newWorkerEntrypoint().
+  if (!IoContext::hasCurrent()) return kj::none;
+  auto& ioctx = IoContext::current();
+  KJ_IF_SOME(info, ioctx.getAccessInfo()) {
+    return js.alloc<AccessContext>(ioctx.addObject(kj::addRef(info)));
   }
   return kj::none;
 }

src/workerd/api/global-scope.h

@@ -25,6 +25,10 @@ namespace workerd::jsg {
 class DOMException;
 }  // namespace workerd::jsg
 
+namespace workerd {
+class AccessInfo;
+}  // namespace workerd
+
 namespace workerd::api {
 
 class Tracing;
@@ -240,19 +244,24 @@ class CacheContext: public jsg::Object {
   }
 };
 
-// Base class for the ctx.access object providing Cloudflare Access authentication context.
-// Subclass when embedding to provide an implementation.
+// Concrete wrapper exposing per-request Cloudflare Access authentication info to JavaScript
+// as `ctx.access`. The actual auth data is supplied by the embedding application via
+// `workerd::AccessInfo`, which is plumbed through `newWorkerEntrypoint()` onto
+// `IoContext::IncomingRequest`.
+//
+// Standalone workerd never constructs one of these (no `AccessInfo` is supplied), so
+// `ctx.access` is `undefined`. Embedders construct a concrete `AccessInfo` subclass and pass it
+// through the entrypoint; `ExecutionContext::getAccess()` lazily wraps it in this class.
 class AccessContext: public jsg::Object {
  public:
+  explicit AccessContext(IoOwn<AccessInfo> info): info(kj::mv(info)) {}
+
   // Returns the audience claim from the Access JWT.
-  //
-  // The default implementation throws — only meaningful when overridden by the embedding.
-  virtual kj::StringPtr getAud();
+  kj::StringPtr getAud();
 
-  // Fetches the full identity information for the authenticated user.
-  //
-  // The default implementation throws — only meaningful when overridden by the embedding.
-  virtual jsg::Promise<jsg::JsValue> getIdentity(jsg::Lock& js);
+  // Fetches the full identity information for the authenticated user. Resolves to `undefined`
+  // if no identity is associated with the request (e.g. service-token authentication).
+  jsg::Promise<jsg::Optional<jsg::JsValue>> getIdentity(jsg::Lock& js);
 
   JSG_RESOURCE_TYPE(AccessContext) {
     JSG_READONLY_INSTANCE_PROPERTY(aud, getAud);
@@ -262,6 +271,9 @@ class AccessContext: public jsg::Object {
       getIdentity(): Promise<CloudflareAccessIdentity | undefined>;
     });
   }
+
+ private:
+  IoOwn<AccessInfo> info;
 };
 class ExecutionContext: public jsg::Object {
  public:

src/workerd/api/tests/ctx-access-test.js

@@ -7,8 +7,9 @@ import { strictEqual } from 'node:assert';
 export const ctxAccessPropertyExists = {
   test(controller, env, ctx) {
     // The access property is always present on ctx as a lazy instance property.
-    // In standalone workerd (no embedding override), the value is undefined because
-    // the default Worker::Api::getCtxAccessProperty() returns kj::none.
+    // In standalone workerd no AccessInfo is supplied to newWorkerEntrypoint(), so the
+    // current IncomingRequest has no AccessInfo and getAccess() returns kj::none, which
+    // surfaces as `undefined` to JS.
     strictEqual('access' in ctx, true);
     strictEqual(ctx.access, undefined);
   },

src/workerd/io/BUILD.bazel

@@ -47,6 +47,7 @@ wd_cc_library(
         "worker-fs.c++",
     ] + ["//src/workerd/api:srcs"],
     hdrs = [
+        "access-info.h",
         "compatibility-date.h",
         "external-pusher.h",
         "hibernation-manager.h",

src/workerd/io/access-info.h

@@ -0,0 +1,40 @@
+// Copyright (c) 2026 Cloudflare, Inc.
+// Licensed under the Apache 2.0 license found in the LICENSE file or at:
+//     https://opensource.org/licenses/Apache-2.0
+
+#pragma once
+
+#include <kj/async.h>
+#include <kj/refcount.h>
+#include <kj/string.h>
+
+namespace workerd {
+
+// Per-request Cloudflare Access authentication information.
+//
+// This is the I/O-side carrier for Access auth data. It is created by the embedding application
+// (e.g. the production runtime) before invoking the worker, plumbed through `newWorkerEntrypoint()`
+// into the `IoContext::IncomingRequest`, and surfaced to JavaScript by the concrete
+// `api::AccessContext` wrapper as `ctx.access`.
+//
+// In standalone workerd this is never constructed; `ctx.access` evaluates to `undefined`.
+//
+// This type intentionally lives in `io/` rather than `api/` because:
+// - It is the polymorphism boundary between embedders (workerd vs. production), not the
+//   JS-facing type.
+// - It carries per-request data that flows through `newWorkerEntrypoint` → `IncomingRequest`,
+//   not through `Worker::Api` (which is per-isolate) or `IoChannelFactory`.
+class AccessInfo: public kj::Refcounted {
+ public:
+  virtual ~AccessInfo() noexcept(false) = default;
+
+  // The audience claim from the Access JWT. Stable for the lifetime of the request.
+  virtual kj::StringPtr getAudience() = 0;
+
+  // Fetches the full identity information for the authenticated user, equivalent to calling
+  // /cdn-cgi/access/get-identity. The returned string is a JSON document; `kj::none` indicates
+  // no identity is available (e.g. service-token authentication).
+  virtual kj::Promise<kj::Maybe<kj::String>> getIdentity() = 0;
+};
+
+}  // namespace workerd

src/workerd/io/io-context.c++

@@ -4,6 +4,7 @@
 
 #include "io-context.h"
 
+#include <workerd/io/access-info.h>
 #include <workerd/io/io-gate.h>
 #include <workerd/io/tracer.h>
 #include <workerd/io/worker.h>
@@ -218,11 +219,13 @@ IoContext::IncomingRequest::IoContext_IncomingRequest(kj::Own<IoContext> context
     kj::Own<IoChannelFactory> ioChannelFactoryParam,
     kj::Own<RequestObserver> metricsParam,
     kj::Maybe<kj::Own<BaseTracer>> workerTracer,
+    kj::Maybe<kj::Own<AccessInfo>> accessInfo,
     kj::Maybe<tracing::InvocationSpanContext> maybeTriggerInvocationSpan)
     : context(kj::mv(contextParam)),
       metrics(kj::mv(metricsParam)),
       workerTracer(kj::mv(workerTracer)),
       ioChannelFactory(kj::mv(ioChannelFactoryParam)),
+      accessInfo(kj::mv(accessInfo)),
       maybeTriggerInvocationSpan(kj::mv(maybeTriggerInvocationSpan)) {}
 
 tracing::InvocationSpanContext& IoContext::IncomingRequest::getInvocationSpanContext() {

src/workerd/io/io-context.h

@@ -8,6 +8,7 @@
 #include "worker.h"
 
 #include <workerd/api/deferred-proxy.h>
+#include <workerd/io/access-info.h>
 #include <workerd/io/actor-id.h>
 #include <workerd/io/external-pusher.h>
 #include <workerd/io/io-channels.h>
@@ -71,6 +72,7 @@ class IoContext_IncomingRequest final {
       kj::Own<IoChannelFactory> ioChannelFactory,
       kj::Own<RequestObserver> metrics,
       kj::Maybe<kj::Own<BaseTracer>> workerTracer,
+      kj::Maybe<kj::Own<AccessInfo>> accessInfo,
       kj::Maybe<tracing::InvocationSpanContext> maybeTriggerInvocationSpan);
   KJ_DISALLOW_COPY_AND_MOVE(IoContext_IncomingRequest);
   ~IoContext_IncomingRequest() noexcept(false);
@@ -131,6 +133,12 @@ class IoContext_IncomingRequest final {
     return rootUserTraceSpan.addRef();
   }
 
+  // The Cloudflare Access auth info for this request, if any was provided by the embedder. Used
+  // to populate `ctx.access` in JavaScript.
+  kj::Maybe<AccessInfo&> getAccessInfo() {
+    return accessInfo.map([](kj::Own<AccessInfo>& p) -> AccessInfo& { return *p; });
+  }
+
   // The invocation span context is a unique identifier for a specific
   // worker invocation.
   tracing::InvocationSpanContext& getInvocationSpanContext();
@@ -140,6 +148,7 @@ class IoContext_IncomingRequest final {
   kj::Own<RequestObserver> metrics;
   kj::Maybe<kj::Own<BaseTracer>> workerTracer;
   kj::Own<IoChannelFactory> ioChannelFactory;
+  kj::Maybe<kj::Own<AccessInfo>> accessInfo;
 
   // Root user trace span for this request. Populated during delivered() via
   // BaseTracer::makeUserRequestSpan(); otherwise a null SpanParent. The tracer it references
@@ -240,6 +249,14 @@ class IoContext final: public kj::Refcounted, private kj::TaskSet::ErrorHandler
     return getCurrentIncomingRequest().getRootUserTraceSpan();
   }
 
+  // The Cloudflare Access auth info for the current incoming request, if any was provided by
+  // the embedder. Used to populate `ctx.access` in JavaScript.
+  kj::Maybe<AccessInfo&> getAccessInfo() {
+    if (incomingRequests.empty()) return kj::none;
+    return getCurrentIncomingRequest().getAccessInfo();
+  }
+
+
   LimitEnforcer& getLimitEnforcer() {
     return *limitEnforcer;
   }

src/workerd/io/worker-entrypoint.c++

@@ -7,6 +7,7 @@
 #include <workerd/api/basics.h>
 #include <workerd/api/global-scope.h>
 #include <workerd/api/util.h>
+#include <workerd/io/access-info.h>
 #include <workerd/io/features.h>
 #include <workerd/io/io-context.h>
 #include <workerd/io/limit-enforcer.h>
@@ -60,6 +61,7 @@ class WorkerEntrypoint final: public WorkerInterface {
       kj::Maybe<kj::Own<BaseTracer>> workerTracer,
       kj::Maybe<kj::String> cfBlobJson,
       kj::Maybe<Worker::VersionInfo> versionInfo,
+      kj::Maybe<kj::Own<AccessInfo>> accessInfo,
       kj::Maybe<tracing::InvocationSpanContext> maybeTriggerInvocationSpan,
       bool isDynamicDispatch);
 
@@ -110,6 +112,7 @@ class WorkerEntrypoint final: public WorkerInterface {
       kj::Own<IoChannelFactory> ioChannelFactory,
       kj::Own<RequestObserver> metrics,
       kj::Maybe<kj::Own<BaseTracer>> workerTracer,
+      kj::Maybe<kj::Own<AccessInfo>> accessInfo,
       kj::Maybe<tracing::InvocationSpanContext> maybeTriggerInvocationSpan);
 
   template <typename T>
@@ -183,6 +186,7 @@ kj::Own<WorkerInterface> WorkerEntrypoint::construct(ThreadContext& threadContex
     kj::Maybe<kj::Own<BaseTracer>> workerTracer,
     kj::Maybe<kj::String> cfBlobJson,
     kj::Maybe<Worker::VersionInfo> versionInfo,
+    kj::Maybe<kj::Own<AccessInfo>> accessInfo,
     kj::Maybe<tracing::InvocationSpanContext> maybeTriggerInvocationSpan,
     bool isDynamicDispatch) {
   TRACE_EVENT("workerd", "WorkerEntrypoint::construct()");
@@ -191,7 +195,7 @@ kj::Own<WorkerInterface> WorkerEntrypoint::construct(ThreadContext& threadContex
       waitUntilTasks, tunnelExceptions, isDynamicDispatch, entrypointName, kj::mv(props),
       kj::mv(cfBlobJson), kj::mv(versionInfo));
   obj->init(kj::mv(worker), kj::mv(actor), kj::mv(limitEnforcer), kj::mv(ioContextDependency),
-      kj::mv(ioChannelFactory), kj::addRef(*metrics), kj::mv(workerTracer),
+      kj::mv(ioChannelFactory), kj::addRef(*metrics), kj::mv(workerTracer), kj::mv(accessInfo),
       kj::mv(maybeTriggerInvocationSpan));
   auto& wrapper = metrics->wrapWorkerInterface(*obj);
   return kj::attachRef(wrapper, kj::mv(obj), kj::mv(metrics));
@@ -222,6 +226,7 @@ void WorkerEntrypoint::init(kj::Own<const Worker> worker,
     kj::Own<IoChannelFactory> ioChannelFactory,
     kj::Own<RequestObserver> metrics,
     kj::Maybe<kj::Own<BaseTracer>> workerTracer,
+    kj::Maybe<kj::Own<AccessInfo>> accessInfo,
     kj::Maybe<tracing::InvocationSpanContext> maybeTriggerInvocationSpan) {
   TRACE_EVENT("workerd", "WorkerEntrypoint::init()");
   // We need to construct the IoContext -- unless this is an actor and it already has a
@@ -252,7 +257,8 @@ void WorkerEntrypoint::init(kj::Own<const Worker> worker,
   }
 
   incomingRequest = kj::heap<IoContext::IncomingRequest>(kj::mv(context), kj::mv(ioChannelFactory),
-      kj::mv(metrics), kj::mv(workerTracer), kj::mv(maybeTriggerInvocationSpan))
+      kj::mv(metrics), kj::mv(workerTracer), kj::mv(accessInfo),
+      kj::mv(maybeTriggerInvocationSpan))
                         .attach(kj::mv(actor));
 }
 
@@ -1007,12 +1013,13 @@ kj::Own<WorkerInterface> newWorkerEntrypoint(ThreadContext& threadContext,
     kj::Maybe<kj::Own<BaseTracer>> workerTracer,
     kj::Maybe<kj::String> cfBlobJson,
     kj::Maybe<Worker::VersionInfo> versionInfo,
+    kj::Maybe<kj::Own<AccessInfo>> accessInfo,
     kj::Maybe<tracing::InvocationSpanContext> maybeTriggerInvocationSpan,
     bool isDynamicDispatch) {
   return WorkerEntrypoint::construct(threadContext, kj::mv(worker), kj::mv(entrypointName),
       kj::mv(props), kj::mv(actor), kj::mv(limitEnforcer), kj::mv(ioContextDependency),
       kj::mv(ioChannelFactory), kj::mv(metrics), waitUntilTasks, tunnelExceptions,
-      kj::mv(workerTracer), kj::mv(cfBlobJson), kj::mv(versionInfo),
+      kj::mv(workerTracer), kj::mv(cfBlobJson), kj::mv(versionInfo), kj::mv(accessInfo),
       kj::mv(maybeTriggerInvocationSpan), isDynamicDispatch);
 }
 

src/workerd/io/worker-entrypoint.h

@@ -4,6 +4,7 @@
 
 #pragma once
 
+#include <workerd/io/access-info.h>
 #include <workerd/io/frankenvalue.h>
 #include <workerd/io/worker.h>
 
@@ -42,6 +43,9 @@ kj::Own<WorkerInterface> newWorkerEntrypoint(ThreadContext& threadContext,
     kj::Maybe<kj::Own<BaseTracer>> workerTracer,
     kj::Maybe<kj::String> cfBlobJson,
     kj::Maybe<Worker::VersionInfo> versionInfo,
+    // Per-request Cloudflare Access info. Supplied by the embedding application; standalone
+    // workerd passes kj::none, which causes `ctx.access` to be `undefined` in JS.
+    kj::Maybe<kj::Own<AccessInfo>> accessInfo = kj::none,
     // The trigger invocation span may be propagated from other request. If it is provided,
     // the implication is that this worker entrypoint is being created as a subrequest or
     // subtask of another request. If it is kj::none, then this invocation is a top-level

src/workerd/io/worker.c++

@@ -526,10 +526,6 @@ jsg::Optional<jsg::Ref<api::CacheContext>> Worker::Api::getCtxCacheProperty(jsg:
   return kj::none;
 }
 
-jsg::Optional<jsg::Ref<api::AccessContext>> Worker::Api::getCtxAccessProperty(jsg::Lock& js) const {
-  return kj::none;
-}
-
 struct Worker::Impl {
   kj::Maybe<jsg::JsContext<api::ServiceWorkerGlobalScope>> context;