Restricted API keys


I’d also love to see this implemented and it is good to hear that it is being worked on.

One thing I would like to add though is that it would be good if the API keys could be restricted to allow only updating of certain DNS entries, or at a minimum, subdomains… otherwise if the key gets leaked then the domain can be hijacked, resulting in widespread compromise of other systems (i.e. updating MX records to compromise email delivery is one attack vector that could have catastrophic results).


Same here. I have several clients I manage under my account and I do not want to set up my global key in automation scripts used for only specific clients.


@g2theg can you add me to the beta when it releases please?


@g2theg also, if it’s possible, add me to the beta tests …
I bought Cloudflare Stream and I need a restricted API key for JS to manage uploads of users in my app.


Would be nice to have restriction based upon operation. A key to purge certain caches on a pipeline that can’t access critical data would be nice.


Well, of course. The most awesome thing would be fine-as-hell permissions you can set, but templates for common actions like “Let’s Encrypt DNS validation” or “dynDNS” or whatever would surely be great.

And of course you could then set keys to grill the cache and maybe even restrict that to certain domains, but I am sure that’s more like in the realm of my dreams.


Most if not everyone who has replied on the thread should have received an email from me regarding setting up some time to chat with you about this feature. I know folks are busy but if you can spare some time to chat with us, we would be immensely grateful.


Certainly not a bad idea, although I personally dunno when would be good because of timezones (I live in Germany), but yeah, I would be interested too.

Edit: got the mail, reading atm.


Personally, my interest in using restricted API access for DNS records - I don’t really want a certificate issuing script that only needs to be able to write to a single TXT record to be able to do anything else at all. I’ll happily chat about it, but I doubt I can contribute much more than what I’ve just written!


This pretty much covers my main use-case as well.


I really need an API key just for dyndns updates. It’s insane that I need to use a “full access” API key on hosts/machines/servers/dockers/whatever just to be able to update -their- subdomain IP… One of these gets compromised and baaaam, full access to the Cloudflare API?

I would like one API key per subdomain, only valid for dyndns updates. E.g. one key for, another for, and so on.


I’m from Poland but I will try to be there on Tuesday.



API key restricted to only one or more sites would be a big step forward (or, if simpler, a different API key for every site)


Another +1 from me.

The ability to generate keys which are scoped to either specific actions and / or Zones would be a huge step forward.

Our particular use case allows users to link up their CF account so they can have 1-click deploy of a Workers script, but storing a Global API key which could potentially modify anything in their entire account makes us pretty uneasy.


I just recently had my talk with the CF team and while I can’t really talk about the contents, the people there seem fairly great and I think I can really look forward to this.


I too, would like to sign up for the beta (I have been following this thread for a few months now).

My use case is clearing the cache when my CI infrastructure finishes building my website and deploys it, so that the changed files can be updated (I cache static HTML in Cloudflare’s edge).


Looking forward to seeing this - it’s a reason we’ve held off on commercial use, as automation is such a big part of our processes.

I’m hoping that at a minimum, it permits per-domain, feature level access.

Is there a timeline for GA?



The ability to create restricted API keys would be really good. If any beta testing help is needed I would be more than welcome to help.


We need this as well. If there’s a private beta, an invite would be appreciated! Our use case has already been mentioned here - we want to purge cache when assets change, that’s it.

At a minimum, the feature should allow us to create an API key and specify “Allow to purge_cache in zone 123”. It should work as a restriction on my user account, that is, it’s still me who is doing the request, I’m just limited in what I can do. This means I can create an API key even for a zone which belongs to a different account (to which I have been invited).

It would be great (but not essential) if I could (in no particular order):

  • see the last time the API key was used
  • regenerate the key’s value without having to create a new key (and specify all the permissions again)
  • temporarily disable the key
  • make the key usable only from a set of IP addresses
  • see a log of actions performed by the key over time

@g2theg I’m happy to answer any questions you might have over email.
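The posts above converge on one design: a key that is a subset of the issuing user's rights, scoped to an action, a zone and (for DNS) a single record, optionally pinned to source IPs, disableable, rotatable without re-entering permissions, and audited. The following is an added illustration of that authorization model as a small self-contained policy engine; it is not Cloudflare's code or API, and every name in it (`Grant`, `Token`, `issue_token`, `authorize`, the action strings, the zone id `zone123`, the record names and the IP ranges) is a hypothetical choice made for the example. It covers the certificate script that only needs one TXT record, the per-subdomain dyndns key, and the "purge_cache in zone 123" key with the IP-allowlist, disable, rotate and audit-log wishes from the list above.

```python
"""Toy scoped-API-token authorizer (hypothetical model, NOT Cloudflare's implementation)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Grant:
    """One permission: an action on one zone, optionally narrowed to one DNS record."""
    action: str                   # hypothetical action names, e.g. "purge_cache", "dns_record:edit"
    zone: str                     # zone id, or "*" for every zone the issuing user can see
    record: Optional[str] = None  # if set, only this record name may be touched


@dataclass
class Token:
    token_id: str
    secret_hash: str              # only a hash of the secret is kept server-side
    grants: list
    allowed_nets: list = field(default_factory=list)  # empty list means "any source IP"
    disabled: bool = False
    last_used: Optional[datetime] = None
    audit: list = field(default_factory=list)


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_token(grants, allowed_ips=()):
    """Create a token; the plaintext secret is returned once and never stored."""
    secret = secrets.token_urlsafe(32)
    tok = Token(
        token_id=secrets.token_hex(8),
        secret_hash=_hash(secret),
        grants=list(grants),
        allowed_nets=[ip_network(cidr) for cidr in allowed_ips],
    )
    return tok, secret


def rotate_secret(tok: Token) -> str:
    """New secret value, same token id and grants (no need to re-specify permissions)."""
    secret = secrets.token_urlsafe(32)
    tok.secret_hash = _hash(secret)
    return secret


def authorize(tok: Token, presented_secret: str, action: str, zone: str,
              record: Optional[str] = None, source_ip: str = "203.0.113.5",
              now: Optional[datetime] = None):
    """Return (allowed, reason). Every attempt, allowed or denied, lands in the audit log."""
    now = now or datetime.now(timezone.utc)
    if not hmac.compare_digest(tok.secret_hash, _hash(presented_secret)):
        reason = "bad secret"
    elif tok.disabled:
        reason = "token disabled"
    elif tok.allowed_nets and not any(ip_address(source_ip) in n for n in tok.allowed_nets):
        reason = f"source {source_ip} not in allowlist"
    elif any(g.action == action and g.zone in ("*", zone) and g.record in (None, record)
             for g in tok.grants):
        reason = "ok"
    else:
        reason = f"no grant for {action} on {zone}" + (f" record {record}" if record else "")
    allowed = reason == "ok"
    if allowed:
        tok.last_used = now          # "see the last time the key was used"
    tok.audit.append((now, source_ip, action, zone, record, allowed, reason))
    return allowed, reason


if __name__ == "__main__":
    # Constructed demo: a CI key that may only purge cache in zone123 from the CI subnet,
    # plus an ACME key that may only edit one TXT record in the same zone.
    tok, secret = issue_token(
        [Grant("purge_cache", "zone123"),
         Grant("dns_record:edit", "zone123", record="_acme-challenge.example.com")],
        allowed_ips=["203.0.113.0/24"],
    )
    print(authorize(tok, secret, "purge_cache", "zone123", source_ip="203.0.113.7"))
    print(authorize(tok, secret, "dns_record:edit", "zone123", record="mx.example.com",
                    source_ip="203.0.113.7"))
    for entry in tok.audit:
        print(entry)
```

The design point is that the decision is made entirely from the token's own grants before any action runs, so a leaked dyndns or ACME key cannot be escalated into editing MX records or purging another client's zone, and the audit list gives the "log of actions performed by the key" that the post asks for. A dyndns key for one host is simply `Grant("dns_record:edit", "zone123", record="host.example.com")`.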



My basic use case is to dynamically update an A / AAAA record.