Cache-only API key


#1

I find myself wanting to integrate Cloudflare with the applications behind it for automatic cache purging. The main issue I have is not wanting to give over the API key for my whole account to these apps just for purging their items from cache.

It would be good if there was a separate API key for this one purpose much like the API key for SSL certificates.


#2

This is meant to be the Origin CA Key.


#3

Yes please! Last thing I want to do is deploy full-powered Global API key to multiple different client sites just to refresh the cache.


#4

Yes, this is really essential for security.

I’d love to start using the API for clearing caches and basic stuff like that. But having to put full admin keys with DNS admin access etc. on all my web servers is a massive security risk.

Especially given the fact that an attacker could point the DNS to their own origin server, and Cloudflare would continue to serve the same valid SSL certificate to users of the website.


#5

Hey @xtal,

Makes sense. This feature is available from the Enterprise plan: with the multi-tenancy logic you can invite people and then give them different access to a given Organization through role-based access. In this role list, the Cache Purge role does exactly what you need.


#6

But as far as I can see, this is for managing people, not API keys, meaning that the API key of any given person still has full access to anything that person can access.


#7

@My1, this is true. So the Cache Purge role fits the need here: it only grants the purge right, whether through the Dashboard or API calls, nothing more.

For information, every user gets his own API key, which he can rotate as well.


#8

@stephane
But the issue is obviously that if your people should be able to do more stuff, you essentially need to create a complete user just for the server, and then the question is whether it’s allowed to create CF users for non-human entities, like servers, and also, if personal info needs to be entered, what to enter.

In my opinion it would be really helpful to add the ability for a user to have several separate API keys and to set permissions for each of those, instead of needing to create more users; see here:


#9

It seems like a very basic requirement of any CDN / caching system to have the ability to clear caching on URLs or entire domains from an API key that has very limited (hopefully non-destructive) access.

I was quite surprised to see CF want big $ to upgrade your plan to Enterprise to get something as simple as this.


#10

+1 This addresses a major use case (possibly THE biggest with the API), and there is no need to implement permission/role management for the various plans.


#11

+1 This is a major security issue and makes me not use the API at all, period. I have two-factor on my own login, but I obviously can’t do that with my API key. I can’t even limit it to IPs, so there is very little security here. The Enterprise fix is completely unreachable for small organizations, just to be able to have what is a basic and essential feature.