User Permissions and API Security

I am very happy to see that the ability to create sub-users has been lowered to all customers. It is still really needed to have the ability to modify the permissions of sub-users.

I have several people I would like to grant access to be able to clear the Cloudflare Cache, but I do not want them to have full administrator access to the entire account.

The API is not really a solution to this problem for me as the security around that is very weak. Using the API completely removes the security benefit of having 2FA on your account. There is also no ability to restrict the use of the API to certain IP’s. It’s essentially a root password to your account with no additional security around it.

I would love it if Cloudflare could add the ability to limit permissions on user and API accounts. It would also be very great if you could limit API usage to specific IP’s.

Thank you!


It would also be nice to have API keys that provide access only to certain features (e.g. the aforementioned cache clearing, which I could then setup CI to automatically clear the cache once a build completes successfully and the site gets updated).

1 Like

Bump. This is so important. The API is useless to me without additional permissions. I’m not giving an intern root API access when I want him to just be able to perform some data analytic collection.


I am happy to know that Cloudflare is working on this, but man this is a HUGE security bug! Whether you use the API or not, any malicious actor could completely overtake your entire account just by knowing your login email and API Key. There’s not even an option to turn off the API for users that don’t want to use it! And since one of the API functions allows you to turn off 2-factor Auth, the 2FA system for Cloudflare is basically rendered useless! Is this real life? Can a company that handles such high profile websites as Cloudflare really have such a glaring security bug that hasn’t been fixed yet? More attention needs to be called to this issue, as it is one of the most glaring security oversights I’ve witnessed. This is simply unacceptable.