Accessing HA via Cloudflared tunnel fails

Alright, to clarify. I run Cloudflared (and HA for that matter) in separate docker containers. I set up cloudflared about 2 years ago and it has worked flawlessly. Though I settled for connecting remotely using my browser. The app still pointed at my local instance. In cloudflared zero trust, I only allow cloudflared accounts with specific emails. So you get a pin code that you enter and then you can access HA for 30 days before having to redo the pin authentication.

Last month, I got an idea to just put in the cloudflared domain directly as a server in the HA app so that the app always works regardless of the network. I was asked for the pin and it all worked perfectly! But now, my 30-day session limit has expired. I was asked for a pin as usual but then the errors appeared.

Found these threads with the same issue:

There might be some cookie or cache not being cleared in the HA app? Sure, I could remove the policy, but it would leave my HA instance open to the world. Reinstalling the HA app may also work, but that is not viable to do every month.

The HA Android app does not appear to support token auth (used by the Cloudflare tunnel) at this time. When auth is turned on, the HA app will open a browser, but after sign in the token never makes it back to the app. This is why auth works in a browser, but not in the app. We can however use mTLS to get around this.

I guess setting up the cert is the next step.