Restricted API keys

Please, can we have an invite? One of our team members would love to be able to implement a cache busting system for some folks.

Not really wanting to give a full control key out.

Please. Thank you.

Please include us in the beta as well.

@g2theg please include me in the beta as well. This would be super useful to automate a bunch of stuff without having to worry over having all my domains under the same API key.

I would also like to try the beta. Looking to create a limited API key for domain updates only.

Hi all,

Glad to see so many folks are interested in this. We won’t be inviting any more folks to the beta since we will be shipping the feature broadly soon.

Sorry to keep you waiting, but the wait is almost over!


If you want to try out API Tokens, we just went into Open Beta! You can create a token here:
The help section talks about how to use them with the API as it is different than API Keys.


Great to hear that this is publicly available. Any word on having finer grain permissions on DNS updates? see my previous comment quoted below about my concerns with the current ability to have unrestricted access to update DNS zones.


Indeed, it would be great to know whether RR-specific API keys are on the roadmap. That is the killer feature for a lot of people.

Some feedback about the existing functionality:

  • When you’re on the API token was successfully created screen. It would be nice if clicking on the API Tokens item in the header worked to navigate back to the API Tokens home page. I realize there’s a link below to the same effect, but I didn’t see it the first two times around.
  • On the modal interface to delete the API Token, upon clicking the Delete button, the interface seems to stall for a while and disappear. If the operation is long/slow, some indication of progress/loading would be nice. Otherwise I click the button repeatedly and then get “token not found” errors.
1 Like

+1 on this point. Having API key linked to a limited list of DNS entries is a must have feature for security reasons.

Does python-Cloudflare support this stuff?

Doesn’t look like it. This uses different headers for authentication, so clients will need to be updated/changed.

+1 This is the only obstacle keeping me from becoming a Cloudflare customer.

We will be updating the client libraries we own to be compatible with API Tokens. The python library has not yet been updated.


I’m getting a 500 without any explanation while trying to use the purge_cache command. I’ve provisioned the api token with appropriate permissions and can use the “tokens/verify” to see that its valid. Is purge_cache implemented yet?

curl -i -X POST "<redacted>/purge_cache" \
>      -H "Authorization: Bearer <redacted>" \
>      -H "Content-Type: application/json" \
>      --data '{"purge_everything":true}'
HTTP/2 500

Thanks for reporting. Someone else reported this issue and we are investigating. This seems to be a bug. Will let you know when we have a fix.

1 Like

Hey @g2theg - exciting to see this in open beta! Thanks for your team’s work on this feature. Is there any chance that the wordpress plugin will get updated to handle the new scoped API keys in the next couple of months? Wondering whether I should wait for it or just use the worker edge cache plugin.

@kevin.g The purge cache issue should be resolved now. Let me know if you still run into issues.

1 Like

Brilliant - looking forward to trying it out!

It’s not supported yet. I created an issue to track this feature request.

1 Like