Restricted API keys


I’m interested in restricted use API keys. I use Amazon’s IAM feature for this purpose when delegating AWS tasks.



Occassionally need to purge cached files via API, but concerned about use of global API key for this… a read only scope would be useful too.



My use case would be to lock down a key to only allow DNS changes for one of my domains, preferably just specific records. Locking it down to specific features for a single domain would be a very good start though. :slight_smile:


+1 from me on this.
My use case is to be able to create a restricted (read-only) API key for monitoring and analytics tool (Datadog) to use. If/when this is available for beta test I’d appreciate an invite.

Thank you.


+1. Bumping this again


+1 It would be great to have restricted API keys


Adding our +1 and a request for beta access if it becomes available.


Exact same concerns as OP here!


Is there already an update to this issue?


Really looking forward to this one. My requirement would be to create a limited scope token that can complete ACME DNS challenge for a single domain :slight_smile:


On that note, it would be cool if we could create templates or share links (like containing the combination of scopes needed for an API key. This would be great for automated tools (like ACME v2 clients) to prompt the user to enter a key with a link that would allow creating a key with the exact necessary scopes needed.

I am also interested in the beta :slight_smile:

1 Like

API key is well working on google crome web browser but not working on Mozilla Firefox web browser why? just guide me how can i use this software.


This has nothing to do with this topic. Please open an specific Thread for this problem, or use the search.

1 Like

+1 As many above mentioned, I think it’s a big security issue as we’ve had to use CF root API on several projects… I was always suprised about CF not having certain permissions and rules for API yet. However I’m really happy you guys are working on this now :slight_smile:

Hopefully it then won’t be one of those “Business Plan” options… as keep in mind… it’s a security issue we’re dealing with.

What we did so far was (yes keep laughing) we build a own permission/rules API that then used the CF API. Which was hosted on a very strict and secure external system/server…(still bad), so we’re able to generated own keys with certain permissions and rules which allow certain commands or domains etc. But yeah… not perfect and not secure at all, but it worked for us.

1 Like

There is a big security hole to use one key for entire domain.
CF really miss this feature.

I do not understand how API was released without this feature???

1 Like

@devvlad: The API key system is mature, but it didn’t have scopes or restricted access from the start. Cloudflare is widely praised for the stable and fast API, so they must be doing something right.

As you can see in Restricted API keys (post 19), they’re developing the feature currently.

1 Like

The API key system is mature, but it didn’t have scopes or restricted access from the start. Cloudflare is widely praised for the stable and fast API, so they must be doing something right.

And this is quite a mistake imho. If you own a big office building, and just handle out one key to every person, that is now able to walk though the whole building including the money safe without any access control, you will get praised for sure, because life is easy for everyone. But in case of security, this is an desaster.

1 Like

I’m not sure why you would need to give out your Cloudflare API key to too many people in your company. Modifying production domain settings should only be done manually, or at most automated via terraform with a code review system. Also, if you are in an office building and pay for CF Enterprise, they already have sub-accounts that have limited permissions and the API keys generated on them inherit the accounts’ permissions.

1 Like

it’s not just about the number of people. but when you have a webserver which wants to get a DNS validation for whatever reason, like a Let’s encrypt certificate that server needs to get the API key which has all the permissions of the person handling it. which is obviously not pretty and not everyone is big enough to afford enterprise stuff.

1 Like

Im using automated dyndns update via the api. Insane that my account be completely f**ked if one of those machines gets compromised.

I have no idea why an DNS update of a subdomain should need a full account api key?

1 year since this topic was opened and still no solution…


@sebastian5 @My1
I’m not saying this is a non-problem. They are currently working on it, so they know it’s a problem.

It just takes time - big security-related features like this need to be audited and tested to make sure there are no issues upon release.

1 Like