As far as I know there are only 2 API keys for any account:
- The Global API key
- The Origin CA API key
the global CA key is essentially like the authentication to your whole account, it can do ANYTHING.
The Origin CA key is essentially the first step to this Idea since it is restricted to only obtain certificates from cloudflare’s origin CA.
the problem is if for example you want to automate ANYTHING except for the Origin certs in your account (for example dynamically update a DNS Record to make a dynamic DNS, or have a software obtain wildcard Letsencrypt certificates which need a certain TXT record set) you have to entrust the system your Global API key.
This means that, if anything happens to the key, for example if the machine is hacked or whatever, the entity who obtained the key can do EVERYTHING in your whole account even things that arent even remotely related to what the client has to do, an attacker could for example mess with the complete domain data of even totally different domains or whatever.
however if such a restricted API key would be inplace, that for example could only mess with
- (and so on)
and only their TXT records, an attacker would be able to get a rogue certificate, but that’s it anything else is relatively safe.
same if you yor example had a restricted API key that can only change the A records on dyn.example.com, an attacker can do a lot less damage if there would be restricted API keys.
and not only that, if you need to run multiple API clients on your account (for example multiple servers each for a domain or whatever, such split API keys would also mean that if one of the servers get hacked you don’t need to revoke the key for all the servers, but just the ones that got hit.
obviously this is also helpful for companies, when they have seperate departments they can get seperate keys and not accidentially (or purposely) mess with each other, and when