Restricted API keys

We would also be interested in participating in the beta. Primarily to enable Let’s Encrypt auto-renewal using certbot with access only to specific sites.


I got accepted into the beta, but it seems I failed right away.
The new tokens seem to be of type “bearer”, I guess this needs different tooling then?

For example:

that one does not seem to work out of the box, I guess the problem is it uses “api_key” and not bearer-token?

Did you follow the directions? The new system is working for me.

Yeah stuff worked great once I modified code to use BEARER instead of X-Auth-Email & X-Auth-Key. I was just lazy and hoped the new token-system would be able to use/piggyback the old way.

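The header change described in the post above, as an added example that is not part of the original thread or any Cloudflare tooling: legacy API keys travel in `X-Auth-Email` / `X-Auth-Key`, while API tokens travel as `Authorization: Bearer`. The function names and credential values are hypothetical, and the requests are built but never sent.

```python
"""Added example: legacy API-key headers vs. API-token (Bearer) headers."""
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def auth_headers(*, token=None, email=None, api_key=None):
    """Return auth headers for exactly one credential style."""
    legacy = email is not None or api_key is not None
    if token and legacy:
        # Mixing styles hides which credential is actually in use.
        raise ValueError("use either an API token or email + API key, not both")
    if token:
        # Scoped API token: sent as a standard Bearer credential.
        return {"Authorization": f"Bearer {token}"}
    if email and api_key:
        # Legacy API key: sent in two custom headers.
        return {"X-Auth-Email": email, "X-Auth-Key": api_key}
    raise ValueError("no usable credential supplied")


def build_request(path, **creds):
    """Build (but do not send) a GET request for an API path."""
    headers = {"Content-Type": "application/json", **auth_headers(**creds)}
    return urllib.request.Request(API_BASE + path, headers=headers, method="GET")


def redacted(headers):
    """Copy of the headers that is safe to log: secret values are masked."""
    secret = {"authorization", "x-auth-key"}
    return {k: ("<redacted>" if k.lower() in secret else v)
            for k, v in headers.items()}


if __name__ == "__main__":
    # Constructed placeholder credentials, not real values.
    new = build_request("/user/tokens/verify", token="EXAMPLE_TOKEN")
    old = build_request("/user", email="ops@example.com", api_key="EXAMPLE_KEY")
    print(redacted(dict(new.header_items())))
    print(redacted(dict(old.header_items())))
```

Tooling that only accepts an `api_key` setting and emits the two `X-Auth-*` headers will not authenticate with a token; it needs the Bearer branch.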

Just adding my +1 here for this (highly needed) feature. Thanks!

It’s in the hopper. The beta seems to be working nicely.

Hi guys,

We’d love to be involved in the private beta as well. We’re currently integrating the Cloudflare api into a system that would really benefit from isolated domain/subdomain level keys. We’re in the middle of development now so we’d be able to provide extensive testing / feedback.


I’m open for private Beta testing as well.
It’s a truly important feature.

I’m in. Have an idea of creating a key with access to my dns or a subset of my dns only (subdomains).

@g2theg count me in too! Looking to implement a tool with this as soon as possible and would prefer not to use admin creds

Please, can we have an invite? One of our team members would love to be able to implement a cache busting system for some folks.

Not really wanting to give a full control key out.

Please. Thank you.

Please include us in the beta as well.

@g2theg please include me in the beta as well. This would be super useful to automate a bunch of stuff without having to worry over having all my domains under the same API key.

I would also like to try the beta. Looking to create a limited API key for domain updates only.

Hi all,

Glad to see so many folks are interested in this. We won’t be inviting any more folks to the beta since we will be shipping the feature broadly soon.

Sorry to keep you waiting, but the wait is almost over!


If you want to try out API Tokens, we just went into Open Beta! You can create a token here:
The help section talks about how to use them with the API as it is different than API Keys.


Great to hear that this is publicly available. Any word on having finer grain permissions on DNS updates? See my previous comment quoted below about my concerns with the current ability to have unrestricted access to update DNS zones.


Indeed, it would be great to know whether RR-specific API keys are on the roadmap. That is the killer feature for a lot of people.

Some feedback about the existing functionality:

  • When you’re on the “API token was successfully created” screen, it would be nice if clicking on the API Tokens item in the header worked to navigate back to the API Tokens home page. I realize there’s a link below to the same effect, but I didn’t see it the first two times around.
  • On the modal interface to delete the API Token, upon clicking the Delete button, the interface seems to stall for a while and disappear. If the operation is long/slow, some indication of progress/loading would be nice. Otherwise I click the button repeatedly and then get “token not found” errors.

+1 on this point. Having API key linked to a limited list of DNS entries is a must have feature for security reasons.

Does python-Cloudflare support this stuff?