Restricted API keys


I just recently had my talk with the CF Team, and while I can’t really talk about the contents, the people there seem fairly great and I think I can really look forward to this.


I, too, would like to sign up for the beta (I have been following this thread for a few months now).

My use‑case is clearing the cache when my CI infrastructure finishes building my website and deploys it, so that the changed files can be updated (I cache static HTML in Cloudflare’s edge).


Looking forward to seeing this - it’s a reason we’ve held off on commercial use, as automation is such a big part of our processes.

I’m hoping that at a minimum, it permits per-domain, feature level access.

Is there a timeline for GA?



The ability to create restricted API keys would be really good. If any beta testing help is needed I would be more than welcome to help.


We need this as well. If there’s a private beta, an invite would be appreciated! Our use case has already been mentioned here - we want to purge cache when assets change, that’s it.

At a minimum, the feature should allow us to create an API key and specify “Allow to purge_cache in zone 123”. It should work as a restriction to my user account, that is, it’s still me who is doing the request, I’m just limited in what I can do. This means I can create an API key even for a zone which belongs to a different account (to which I have been invited).

It would be great (but not essential) if I could (in no particular order):

  • see the last time the API key was used
  • regenerate the key’s value without having to create a new key (and specify all the permissions again)
  • temporarily disable the key
  • make the key usable only from a set of IP addresses
  • see a log of actions performed by the key over time

@g2theg I’m happy to answer any questions you might have over email.

1 Like


My basic use case is to dynamically update an A / AAAA record.

1 Like

I’m interested in restricted use API keys. I use Amazon’s IAM feature for this purpose when delegating AWS tasks.



Occasionally need to purge cached files via API, but concerned about use of global API key for this… a read-only scope would be useful too.



My use case would be to lock down a key to only allow DNS changes for one of my domains, preferably just specific records. Locking it down to specific features for a single domain would be a very good start though. 🙂


+1 from me on this.
My use case is to be able to create a restricted (read-only) API key for a monitoring and analytics tool (Datadog) to use. If/when this is available for beta test I’d appreciate an invite.

Thank you.


+1. Bumping this again


+1 It would be great to have restricted API keys


Adding our +1 and a request for beta access if it becomes available.


Exact same concerns as OP here!


Is there already an update to this issue?


Really looking forward to this one. My requirement would be to create a limited scope token that can complete ACME DNS challenge for a single domain 🙂


On that note, it would be cool if we could create templates or share links (like containing the combination of scopes needed for an API key). This would be great for automated tools (like ACME v2 clients) to prompt the user to enter a key with a link that would allow creating a key with the exact necessary scopes needed.

I am also interested in the beta 🙂

1 Like

API key is working well on the Google Chrome web browser but not working on the Mozilla Firefox web browser. Why? Just guide me on how I can use this software.


This has nothing to do with this topic. Please open a specific thread for this problem, or use the search.

1 Like

+1 As many above mentioned, I think it’s a big security issue as we’ve had to use CF root API on several projects… I was always surprised about CF not having certain permissions and rules for API yet. However I’m really happy you guys are working on this now 🙂

Hopefully it then won’t be one of those “Business Plan” options… as keep in mind… it’s a security issue we’re dealing with.

What we did so far was (yes, keep laughing) we built our own permission/rules API that then used the CF API. It was hosted on a very strict and secure external system/server… (still bad), so we’re able to generate our own keys with certain permissions and rules which allow certain commands or domains etc. But yeah… not perfect and not secure at all, but it worked for us.

1 Like
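
The workaround described in the post above (a broker that holds the global key and issues its own limited keys), combined with the wishlist from the earlier post (per-zone action grants, disable, regenerate, IP allowlist, last-used time, action log), as an added example. It is not code from any poster or from Cloudflare; `KeyBroker`, `ScopedKey` and the zone and action strings are hypothetical names, and the upstream API call that would follow an allow decision is left out.

```python
import hashlib, hmac, ipaddress, secrets, time
from dataclasses import dataclass

@dataclass
class ScopedKey:
    digest: bytes          # SHA-256 of the secret; the secret itself is never stored
    grants: frozenset      # allowed (zone_id, action) pairs; anything else is denied
    networks: tuple = ()   # optional source-IP allowlist (empty = any source)
    enabled: bool = True   # lets an operator suspend the key without deleting it
    last_used: float = 0.0 # epoch seconds of the last allowed request, 0 = never

class KeyBroker:
    def __init__(self):
        self.keys = {}     # key_id -> ScopedKey
        self.audit = []    # (timestamp, key_id, zone, action, decision)

    def issue(self, key_id, grants, networks=()):
        nets = tuple(ipaddress.ip_network(n) for n in networks)
        self.keys[key_id] = ScopedKey(b"", frozenset(grants), nets)
        return self.rotate(key_id)

    def rotate(self, key_id):
        # New secret, same grants: nobody has to re-enter the permissions.
        secret = secrets.token_urlsafe(32)
        self.keys[key_id].digest = hashlib.sha256(secret.encode()).digest()
        return secret

    def authorize(self, key_id, secret, zone, action, source_ip):
        decision = self._decide(key_id, secret, zone, action, source_ip)
        self.audit.append((time.time(), key_id, zone, action, decision))
        if decision == "allow":
            self.keys[key_id].last_used = time.time()
        return decision == "allow"  # only now would the broker use the global key

    def _decide(self, key_id, secret, zone, action, source_ip):
        key = self.keys.get(key_id)
        presented = hashlib.sha256(secret.encode()).digest()
        if key is None or not hmac.compare_digest(key.digest, presented):
            return "deny:bad-key"
        if not key.enabled:
            return "deny:disabled"
        try:
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return "deny:source-ip"
        if key.networks and not any(ip in n for n in key.networks):
            return "deny:source-ip"
        if (zone, action) not in key.grants:
            return "deny:scope"
        return "allow"
```

Every decision, including denials, lands in `audit`, so a key that starts probing outside its grant shows up in the log rather than failing silently.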

There is a big security hole in using one key for an entire domain.
CF is really missing this feature.

I do not understand how the API was released without this feature???

1 Like