Restricted API keys

+1 it’s a must have. i hope it will add even the new feature la Stream

+1 from me as well. This is a blocker to enable proxy.

@g2theg any update on this? Is this officially on the roadmap?

1 Like

+1 from me this should be top priority feature request.

+1. I’ve always seen Cloudflare as a security-minded company. Having a global API key is, unfortunately, a deal breaker for many of my use cases. While a fine-grained permission system like AWS AMI would be the ideal, at least having a custom key per domain is the bare minimum I’d expect from Cloudflare. Currently I have to create a different account to workaround this, which is just insane.

Hi all,

Wanted to give an updated since I know many of you have been patiently waiting. We feel your pain regarding the lack of functionality here as we use Cloudflare ourselves in many places.

The good news is that we have been hard at work on this, and currently we are in an internal (Cloudflare only) beta. Once we are ready to start bringing in customers into an external beta, I will reach back out here as I’m sure many of you might be interested in using this and helping us make this great for everyone.


Happy holidays, all. Just wanted to add a +1 on this, and I’d love to be involved in an external beta for per-zone or permissioned API keys.

I’ve been building out a custom API integration just now for a continuous integration scenario where every build automatically generates new versions of assets that I might want to purge from the CloudFlare edge, but with the current security implications I don’t feel comfortable putting a global key even into an environment variable with my CI provider. I’m kinda surprised this wasn’t a feature already, but I’m glad it’s now being worked on.

1 Like

hallo @g2theg as the creator of this Request I want to formally issue a HUGE amount of Thanks.

I am really grateful that this request has a chance of being integrated in the cloudflare system.

Best Regards,



I’d also love to see this implemented and it is good to hear that it being worked on.

One thing I would like to add though is that it would be good if the API keys could be restricted to allow only updating of certain DNS entries, or at a minimum, subdomains… otherwise if the key gets leaked then the domain can be hijacked resulting in widespread compromising of other systems (ie. updating MX records to compromise email delivery is one attach vector that could have catastrophic results).


Same here. I have several clients I manage under my account and I do not want to setup my global key in automation scripts used for only specific clients.

1 Like

@g2theg can you add me to the beta when it releases please?

1 Like

@g2theg aslo if it’s possible add me to beta tests …
I bought Cloudflare Stream and I need restricted api key for js to manage uploads of users in my app.

1 Like

Would be nice to have restriction based upon operation. A key to purge certain caches on a pipeline that can’t access critical data would be nice.

1 Like

well of course. the most awesome thing would be fine as hell permissions you can set but templates for common actions like “lets encrypt DNS validation” or “dynDNS” or whatever would surely be great.

and of course you could then set keys to grill the cache and maybe even restrict that to certain domains, but I am sure that’s more like in the realm of my dreams.

1 Like

Most if not everyone whom has replied on the thread should have received an email from me regarding setting up some time to chat with you about this feature. I know folks are busy but if you can spare some time to chat with us, we would be immensely grateful.


certainly not a bad Idea, although I personally dunno when would be good because timezones (I live in germany) but yeah I would be intrested too.

Edit got the mail, reading atm.

1 Like

Personally, my interest in using restricted API access for DNS records - I don’t really want a certificate issuing script that only needs to be able to write to a single TXT record to be able to do anything else at all. I’ll happily chat about it, but I doubt I can contribute much more than what I’ve just written!

1 Like

This pretty much covers my main use-case as well.

1 Like

I really need a API-key just for dyndns updates. It’s insane that I need to use a “full access” api key on hosts/machines/servers/dockers/whatever just to be able to update -their- subdomain ip… One of these gets compromised and baaaam, full access to the cloudflare API?

I would like one APIKEY per-subdomain, only valid for dyndns updat. Eg. one key for, another for, and so on.

I’m from Poland but I will try be on Tuesday.