Restricted API keys


I’d also love to see this implemented and it is good to hear that it is being worked on.

One thing I would like to add though is that it would be good if the API keys could be restricted to allow only updating of certain DNS entries, or at a minimum, subdomains… otherwise if the key gets leaked then the domain can be hijacked resulting in widespread compromising of other systems (i.e. updating MX records to compromise email delivery is one attack vector that could have catastrophic results).


Same here. I have several clients I manage under my account and I do not want to set up my global key in automation scripts used for only specific clients.


@g2theg can you add me to the beta when it releases please?


@g2theg also, if it’s possible, add me to the beta tests …
I bought Cloudflare Stream and I need a restricted API key for JS to manage uploads of users in my app.


Would be nice to have restriction based upon operation. A key to purge certain caches on a pipeline that can’t access critical data would be nice.


Well, of course. The most awesome thing would be fine as hell permissions you can set, but templates for common actions like “Let’s Encrypt DNS validation” or “dynDNS” or whatever would surely be great.

And of course you could then set keys to grill the cache and maybe even restrict that to certain domains, but I am sure that’s more like in the realm of my dreams.


Most if not everyone who has replied on the thread should have received an email from me regarding setting up some time to chat with you about this feature. I know folks are busy but if you can spare some time to chat with us, we would be immensely grateful.


Certainly not a bad idea, although I personally dunno when would be good because of timezones (I live in Germany), but yeah, I would be interested too.

Edit: got the mail, reading atm.


Personally, my interest is in using restricted API access for DNS records - I don’t really want a certificate issuing script that only needs to be able to write to a single TXT record to be able to do anything else at all. I’ll happily chat about it, but I doubt I can contribute much more than what I’ve just written!


This pretty much covers my main use-case as well.


I really need an API key just for dyndns updates. It’s insane that I need to use a “full access” API key on hosts/machines/servers/dockers/whatever just to be able to update -their- subdomain IP… One of these gets compromised and baaaam, full access to the Cloudflare API?

I would like one API key per subdomain, only valid for dyndns updates. E.g. one key for, another for, and so on.


I’m from Poland but I will try to be there on Tuesday.



API key restricted to only one or more sites would be a big step forward (or, if simpler, a different API key for every site)


Another +1 from me.

The ability to generate keys which are scoped to either specific actions and / or Zones would be a huge step forwards.

Our particular use case allows users to link up their CF account so they can have 1-click deploy of a Workers script, but storing a Global API key which could potentially modify anything in their entire account makes us pretty uneasy.


I just recently had my talk with the CF Team, and while I can’t really talk about the contents, the people there seem fairly great and I think I can really look forward to this.