Restricted API keys

I know that they are developing this feature. I even hangouted with someone from them about the whole thing.


Any ETA on this issue? A year has passed now, and we are still spending a tremendous amount of time clearing cache manually on all our websites.

it has been about just 3 months since the session with the CF employee about the design thing.

1 Like

My company is also very interested in this feature. Our basic requirements are as follows:

  1. Allow restriction on what a given API key can do, e.g. only invalidate cache.
  2. Allow restriction on where a given API key can be applied, e.g. only on website X, but not website Y (where both websites X and Y are administered by the user account to which the API key belongs).
  3. Allow creation of multiple API keys per user account, although this is optional for version 1 since it would be possible to create multiple user accounts, with a single API key per account.

Please do let me know when you launch a public beta of this feature, thanks.

well this is how about 90% of decent API keys work, so I doubt it would be different here.

1 Like

+1 need key only for clear cache.

1 Like

+1 for possibilities of more Cloudflare related products

+1 for a more granular API, security will be increased!

1 Like

+1 I really think this is a must to be fast-tracked.

1 Like

We know this is a highly desired improvement, and we are working hard on this. It is such a critical piece of functionality that we have to make sure we get things right. We appreciate the patience in the meantime.

I’ll be reaching out to folks soon about participating in a closed beta for this. Those that we spoke with earlier this year will be first to be invited as thanks for speaking with us. We will bring in more folks over the coming weeks as we progress.


We are interested in participating. Otherwise, is this targeted for release in 2019?

We would also be very very interested in helping test this feature.

Our use case is to be able to automatically update/add ip addresses to the IP access rules list remotely without exposing our entire account permissions.

I’d also be up for testing. :slight_smile:

I’d have the Caddy web server using DNS challenges to automatically obtain Let’s Encrypt SSL certificates, but I’m not comfortable with putting an API key that’s authorised for everything on my webservers. I have a few free domains and one Pro domain. Thanks.

We are going to use a restricted (read-only) Cloudflare API to be able to use monitoring and analytics tool (Datadog).

If this is available for beta test I’d appreciate an invite.



We would like to participate too!

This is an absolute must-have. Using the API in any kind of untrusted environment is a non-starter without this. Honestly surprised this issue is open for so long.


+1 on this. We cannot possibly give a developer total and complete access to our entire Cloudflare account, if all they are doing is building out a Worker which uses the KV store.

I’m amazed this issue is still open.

I would like to participate in the beta if are still looking for beta users.

1 Like

I’m open to testing the Beta.

I have many different scenarios that we require this feature for and would love to help test and provide feedback.