It would be nice if the Cloudflare API could support OpenID Connect authentication. In essence, one would establish trust between Cloudflare and our environment (such as a CI/CD pipeline) beforehand. During runtime, when we need to access the Cloudflare API, we would exchange a signed JWT that is verified by Cloudflare’s authentication in exchange for an access token.
We have been updating our pipelines to use OIDC to access resources in AWS, Azure and Vault while running GitHub Actions pipelines, and it works really well. We have now completely eliminated static credentials from our pipelines.
Examples from GitHub’s documentation: About security hardening with OpenID Connect - GitHub Docs
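
The exchange described in the post, seen from the API provider's side, as an added example that is not part of the original post and is not Cloudflare code: verify the pipeline's RS256-signed JWT, then apply the trust policy agreed beforehand. The key, the policy, the audience URL and the `demo_sign` helper are constructed for the demo; a real verifier would fetch the issuer's published signing keys and use a maintained JWT library.

```python
import base64, hashlib, json, time

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(message, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, n, e):  # returns the claims, raises ValueError on a bad token
    head, body, sig = token.split(".")
    if json.loads(b64u_dec(head)).get("alg") != "RS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never take it from the token
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(b64u_dec(sig), "big")
    if s >= n or pow(s, e, n).to_bytes(k, "big") != emsa(f"{head}.{body}".encode(), k):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(body))

def authorize(token, n, e, policy, now=None):  # policy = the trust established beforehand
    claims = verify_rs256(token, n, e)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != policy["issuer"]:
        raise PermissionError("untrusted issuer")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token minted for another audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise PermissionError("token expired")
    if claims.get("sub") not in policy["subjects"]:
        raise PermissionError("workload not in trust policy")
    return claims

# Constructed, insecure demo key (two Mersenne primes) and constructed trust policy.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
POLICY = {"issuer": "https://token.actions.githubusercontent.com",
          "audience": "https://api.example.invalid",  # placeholder audience
          "subjects": ["repo:octo-org/octo-repo:ref:refs/heads/main"]}

def demo_sign(claims):  # hypothetical stand-in for the CI provider's token endpoint
    msg = ".".join(b64u_enc(json.dumps(p).encode()) for p in ({"alg": "RS256"}, claims))
    k = (N.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa(msg.encode(), k), "big"), D, N)
    return msg + "." + b64u_enc(s.to_bytes(k, "big"))
```

Only after `authorize` returns would the provider mint a short-lived access token scoped to that workload, which is what removes the static credential from the pipeline.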