Restricted API keys

As far as I know there are only 2 API keys for any account:

  • The Global API key
  • The Origin CA API key

The global CA key is essentially like the authentication to your whole account; it can do ANYTHING.

The Origin CA key is essentially the first step to this idea, since it is restricted to only obtain certificates from Cloudflare’s origin CA.

The problem is, if for example you want to automate ANYTHING except for the Origin certs in your account (for example dynamically update a DNS record to make a dynamic DNS, or have a software obtain wildcard Let's Encrypt certificates which need a certain TXT record set), you have to entrust the system with your Global API key.

This means that, if anything happens to the key, for example if the machine is hacked or whatever, the entity who obtained the key can do EVERYTHING in your whole account, even things that aren't even remotely related to what the client has to do. An attacker could for example mess with the complete domain data of even totally different domains or whatever.

However, if such a restricted API key would be in place, that for example could only mess with

  • _acme-challenge.*
  • (and so on)

and only their TXT records, an attacker would be able to get a rogue certificate, but that’s it; anything else is relatively safe.
Same if you for example had a restricted API key that can only change the A records on, an attacker can do a lot less damage if there would be restricted API keys.

And not only that, if you need to run multiple API clients on your account (for example multiple servers each for a domain or whatever), such split API keys would also mean that if one of the servers gets hacked you don’t need to revoke the key for all the servers, but just the ones that got hit.

Obviously this is also helpful for companies: when they have separate departments they can get separate keys and not accidentally (or purposely) mess with each other, and when


I would certainly like to be able to create API keys with restricted scope, like GitHub keys work.


Indeed. I’d like to be able to create as many API keys as I like, with each having a flexible set of permissions.

Ideally this would include account wide permissions (listing, adding/removing domains, similar).

Domain level permissions, and specific features. A request would need both the domain and feature to be permitted.
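The scoping asked for in the first post (a key limited to `_acme-challenge.*` TXT records) and the rule in the reply above (a request needs both the domain and the feature permitted) can be sketched as a deny-by-default check. This is an added example, not Cloudflare's implementation or code from any poster; the `Grant` model, the feature names `dns` and `firewall`, and all keys and requests are hypothetical and constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Grant:
    zone: str                # domain glob, "*" = every zone in the account
    feature: str             # hypothetical feature name, e.g. "dns" or "firewall"
    record_type: str = "*"   # DNS record type, "*" = any
    name: str = "*"          # glob matched against the record name

def is_allowed(grants, zone, feature, record_type="", name=""):
    """Deny by default: one grant must match the zone AND the feature
    (and, for DNS requests, the record type and record name)."""
    for g in grants:
        if (fnmatchcase(zone.lower(), g.zone)
                and fnmatchcase(feature, g.feature)
                and g.record_type in ("*", record_type.upper())
                and fnmatchcase(name.lower(), g.name)):
            return True
    return False

def blast_radius(grants, requests):
    """Requests that any holder of this key, legitimate or not, could perform."""
    return [r for r in requests if is_allowed(grants, *r)]

# Constructed keys: one account-wide, two scoped to a single job.
GLOBAL_KEY = [Grant("*", "*")]
ACME_KEY = [Grant("example.com", "dns", "TXT", "_acme-challenge.*")]
BAN_KEY = [Grant("example.com", "firewall")]

# Constructed requests: (zone, feature, record type, record name).
REQUESTS = [
    ("example.com", "dns", "TXT", "_acme-challenge.example.com"),
    ("example.com", "dns", "TXT", "example.com"),
    ("example.com", "dns", "A", "www.example.com"),
    ("other.org", "dns", "TXT", "_acme-challenge.other.org"),
    ("example.com", "firewall", "", ""),
]

if __name__ == "__main__":
    for label, key in [("global", GLOBAL_KEY), ("acme", ACME_KEY), ("ban", BAN_KEY)]:
        print(label, len(blast_radius(key, REQUESTS)), "of", len(REQUESTS))
```

Revoking `ACME_KEY` after a compromise leaves `BAN_KEY` and every other client untouched, which is the per-server revocation point made in the first post.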


+1 :+1:

Full support for this request. At the barest minimum, I would like to have one key per domain.


Everything you said here @My1 is true. Stay tuned as we know this is a gap in our product, and are planning to make this experience better.


Already voted, but I wanted to add that my desired use case is /exactly/ the one described by @My1. I’m not willing to put my main API key on a server that needs to update a Let's Encrypt certificate, and it’s behind a firewall, which leaves me in the position of having to do manual updates every three months. :frowning:


+1 please


I am trying to create a service user, e.g. a user that is restricted to do only the work it needs to do to get its job done, e.g. the security principle of least privilege. The current granularity of basic user access inside of a company account is not flexible enough to create a user account that only has access to control a single service (e.g. DNS) in a single domain.

I am not going to request full user access along the lines of AWS IAM, however granting a single user access to a single service, in a single domain seems like a request of reasonable constraint and consistent with best practices.


Has this feature been implemented just yet? I’m using fail2ban and there’s a Cloudflare ban action that I thought was going to be useful until I found out that Cloudflare only has 2 APIs, neither of which can have their permissions customized.

If my server gets compromised, I probably wouldn’t mind them having control over banning/unbanning IPs, but having full access is a whole different ball game.

Hoping for this to get implemented soon so I can avoid the alternatives.


+1 for this feature!


+1 from me as well.
That would be a very useful feature.


+1, it’s a must-have. I hope it will add even the new feature à la Stream.


+1 from me as well. This is a blocker to enable proxy.


@g2theg any update on this? Is this officially on the roadmap?


+1 from me; this should be a top-priority feature request.


+1. I’ve always seen Cloudflare as a security-minded company. Having a global API key is, unfortunately, a deal breaker for many of my use cases. While a fine-grained permission system like AWS AMI would be the ideal, at least having a custom key per domain is the bare minimum I’d expect from Cloudflare. Currently I have to create a different account to work around this, which is just insane.


Hi all,

Wanted to give an update since I know many of you have been patiently waiting. We feel your pain regarding the lack of functionality here, as we use Cloudflare ourselves in many places.

The good news is that we have been hard at work on this, and currently we are in an internal (Cloudflare only) beta. Once we are ready to start bringing in customers into an external beta, I will reach back out here as I’m sure many of you might be interested in using this and helping us make this great for everyone.


Happy holidays, all. Just wanted to add a +1 on this, and I’d love to be involved in an external beta for per-zone or permissioned API keys.

I’ve been building out a custom API integration just now for a continuous integration scenario where every build automatically generates new versions of assets that I might want to purge from the Cloudflare edge, but with the current security implications I don’t feel comfortable putting a global key even into an environment variable with my CI provider. I’m kinda surprised this wasn’t a feature already, but I’m glad it’s now being worked on.


Hello @g2theg, as the creator of this request I want to formally issue a HUGE amount of thanks.

I am really grateful that this request has a chance of being integrated in the Cloudflare system.

Best Regards,