OpenCode School
← All lessons

Cloudflare setup 1

Laptop setup

Set up your Cloudflare laptop for OpenCode.

Before diving into the OpenCode curriculum, your Cloudflare laptop needs a few tools installed. The setup script handles everything: developer tools, OpenCode, AI gateway authentication, and a smart wrapper that handles re-authentication going forward.

These instructions are for macOS. If you are on Linux or Windows, see the manual steps in the setup script source for guidance.

Run the setup script

  1. Open Terminal: press Cmd+Space to open Spotlight, type Terminal, and press Return
  2. Paste the following command and press Return:
curl -fsSL https://cf2.opencode.school/setup.sh | bash

The script is interactive. It will:

  • Pause once to ask you to upload your SSH key to GitLab (it opens the page and copies the key to your clipboard)
  • Open a browser window for Cloudflare SSO to authenticate with the AI gateway (complete the login with your YubiKey, then return to the terminal)

What the script installs

  1. Homebrew and jq
  2. SSH key (ed25519) in ~/.ssh/cloudflare/, or reuses an existing one
  3. SSH config for *.cfdata.org hosts, with cloudflared as a proxy for *.ssh.cfdata.org
  4. Git identity set to your @cloudflare.com email
  5. cloudflared (Cloudflare Tunnel), plus Rosetta on Apple Silicon
  6. Internal Homebrew tap (cloudflare/engineering) with cfsetup and cf-paste
  7. WARP certificates for internal TLS (may prompt for your laptop password)
  8. OpenCode CLI/TUI (brew install opencode): the opencode command you can run in any terminal
  9. OpenCode Desktop (brew install --cask opencode-desktop): the native app with a graphical interface
  10. AI gateway authentication: connects OpenCode to Cloudflare’s AI models (Claude, GPT, Gemini, and more)
  11. Smart auth wrapper: a shell function that checks your auth tokens every time you run opencode in a terminal, and re-authenticates automatically if they have expired

Both OpenCode interfaces share the same configuration file at ~/.config/opencode/opencode.jsonc, so any settings you configure later apply to both.

About the smart wrapper

The setup script adds a shell function to your ~/.zshrc that wraps the opencode command. Every time you type opencode in a terminal, the wrapper:

  1. Checks if your AI gateway token has expired (every 23 hours)
  2. Checks if your MCP server tokens need refreshing
  3. Re-authenticates automatically if needed, opening your browser for SSO
  4. Launches OpenCode once everything is fresh

You should rarely need to think about authentication. If your tokens are still valid, the wrapper skips straight to launching OpenCode.

A note about OpenCode Desktop

The smart wrapper runs when you launch OpenCode from a terminal. If you use OpenCode Desktop (the app) and your auth expires, Desktop will show an error. To fix it:

  1. Open Terminal
  2. Type opencode and press Return (the wrapper re-authenticates your tokens)
  3. Press Ctrl+C to exit the terminal session
  4. Quit and reopen OpenCode Desktop

Verify

Open OpenCode Desktop from your Applications folder or Spotlight (Cmd+Space, type OpenCode). Open any folder as a project and send a test prompt:

Hello, what model are you?

If you get a response, you are ready to continue with the course.