Impossible to revoke our API Token WITHOUT a domain name?

Hi everyone, we are wondering whether we made the wrong choice choosing Cloudflare as a provider and wanted your opinions.

We are a publisher of iOS apps, exclusively. No web products. We have been blocked for several days from releasing a major feature because we need our Cloudflare Images API Token to be revoked and to update our workers before launching.

But we have been unable to do so, despite tons of trying and emails.

The catch 22 is this:

  • It looks like we can’t revoke the API Token ourselves, we need to contact support (does that make sense? It is such an important security feature, why does support need to be contacted)
  • In order to get the right support contacts, it looks like you need to be on a subscription plan linked to a domain name. We don’t use Cloudflare for web services, so we don’t have domain names to associate to it. So we are paying customers (Images, Workers, R2) and yet have no access to support to revoke our API Token.

Do we have a way out of this situation?

Even if this was solved miraculously, would you recommend to avoid Cloudflare if we don’t intend to link domain names to it but only use services for iOS apps, because we will never have any help from support?
Thanks!

Can you explain what problem you encounter when you try to revoke the token yourself?

Thank you. There is simply no button to revoke the token ourselves.
One of the devs in our team managed to briefly get hold of support a few weeks ago through alternative ways, and they confirmed that we would have to reach out to them every time we have a potential leak or need to revoke the key, because only they can do it.
But they stopped answering that email thread when our team member reached out to them this week to actually revoke the key.

So you don’t see your API tokens under https://dash.cloudflare.com/profile/api-tokens?
They should usually be there if you are in the correct super admin account.

Thank you for the help on a Saturday, I appreciate it.
Correct, that key is not visible there.
But I see that there is a way to create a token that can read Images, we could maybe create a new one there? It would still not fix the problem that we can’t revoke the main one that may have leaked, but at least once we manage to get that revoked by the team (if we manage to), we can use the custom token instead of the main one and revoke that one whenever needed.

Just to clarify: there is the Global API Key and the Original CA Key there, in the API Keys table.
But in the API Tokens section, there is nothing, we don’t see the Cloud Images key, the one that we use and can see in https://dash.cloudflare.com/{REDACTED}/images/keys

Ok, I think I understand now. Your problem isn’t with API tokens at all but with the image key used to sign image URLs, as outlined here?

And what exactly do you need to revoke now? The key that you use to sign the URL, or a specific tokenized URL?

Or am I completely wrong? I’m afraid I don’t have access to Images, so I can’t just check what else is on that page.

That’s exactly that, sorry if I made it confusing. What we need to revoke is the key used to sign the URLs.

In the code sample of the page you linked to, this key:
YOUR_KEY_FROM_IMAGES_DASHBOARD

It is not possible for us to revoke it, there is no such option, it has to be done by support. But we don’t have access to support because the pay-per-use plan we use for iOS apps (which include Workers, Images and R2) apparently won’t include the right to email support.

FYI here is all that this page contains, there are no other buttons.

The link to the documentation is broken, it links to https://developers.cloudflare.com/images/keys.
We found the information by searching, but we can’t contact support to let them know about the broken link either.

Hi, sorry for the late answer.

The link to the documentation being broken is indeed very unfortunate.

If you could share your ticket number, I can escalate that so someone from CF support will take a look at it (and the broken documentation).

2 Likes

Thank you, the dev got back to me and it’s 3040497 and 3009697, but to be honest we are worried about our future with CF and the fact of not having access to support, simply because we don’t use Cloudflare on the web but only in iOS applications.
We don’t want to have to be lucky every time and find someone like you that can talk internally, and it doesn’t feel fair to other paid users like us.

In your experience, is Cloudflare indeed not ideal for that scenario, should it only be used by web developers?
Thanks

This topic was automatically closed after 15 days. New replies are no longer allowed.