Audit Log API Token accepted permission is too broad

For Workers & Pages, what is the name of the domain?

example.com

What is the issue or error you’re encountering

Audit Log API Token accepted permission is too broad

What steps have you taken to resolve the issue?

I have created an API Token to allow an external service to read and store the Cloudflare audit logs for an account.

It works by assigning the Account Settings Read permission to the token, but I don’t want the service to have access to any other account settings. The Account Settings Read permission is too broad.

I tested with a token assigned the “Access: Audit Log” permission which is available in the portal, but that doesn’t work.

Is there a more constrained permission that I could use?

It seems the audit log is only available at the account scope. Enabling this role alone will not cause the token to read other settings.
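
An added example, not part of the thread and not Cloudflare's code: a small lint that checks a token definition carries only the Account Settings Read permission group and is scoped to one account, which is the configuration discussed above. The token dictionaries are constructed samples that assume the `policies` / `permission_groups` / `resources` layout of Cloudflare API token objects; the account and group ids are placeholders.

```python
# Least-privilege lint for an API token's policy list (added example).
ALLOWED_GROUPS = {"Account Settings Read"}   # the permission named in the thread
ACCOUNT_PREFIX = "com.cloudflare.api.account."
ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"        # placeholder, not a real account id

def lint_token(token, account_id):
    """Return a list of findings; an empty list means the token is as narrow as intended."""
    findings = []
    expected = ACCOUNT_PREFIX + account_id
    allow_policies = [p for p in token.get("policies", []) if p.get("effect") == "allow"]
    if not allow_policies:
        findings.append("token has no allow policy")
    for i, policy in enumerate(allow_policies):
        # Any permission group other than the intended one widens the token.
        for group in policy.get("permission_groups", []):
            name = group.get("name", "<unnamed>")
            if name not in ALLOWED_GROUPS:
                findings.append(f"policy {i}: extra permission group {name!r}")
        # Wildcards or other accounts extend the same read access beyond the target.
        for resource in policy.get("resources", {}):
            if resource != expected:
                findings.append(f"policy {i}: resource {resource!r} is not the target account")
    return findings

# Constructed sample: one permission group, one account.
NARROW = {"policies": [{
    "effect": "allow",
    "resources": {ACCOUNT_PREFIX + ACCOUNT_ID: "*"},
    "permission_groups": [{"id": "GROUP_ID_PLACEHOLDER", "name": "Account Settings Read"}],
}]}

# Constructed sample: an extra permission group and an all-accounts wildcard.
BROAD = {"policies": [{
    "effect": "allow",
    "resources": {ACCOUNT_PREFIX + "*": "*"},
    "permission_groups": [
        {"id": "GROUP_ID_PLACEHOLDER", "name": "Account Settings Read"},
        {"id": "GROUP_ID_PLACEHOLDER_2", "name": "Workers Scripts Write"},
    ],
}]}

if __name__ == "__main__":
    for label, tok in (("narrow", NARROW), ("broad", BROAD)):
        print(label, lint_token(tok, ACCOUNT_ID) or "ok")
```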