What permission do I need to be able to read permission groups?

Well, the documentation at "API token permissions · Cloudflare Fundamentals docs" says that there is an API Token permission (Read Only or Edit).

Which is exactly what I want to grant to a token. (FYI, we are migrating from the Global API Key with Email to API Token … all of this works fine for us with the deprecated credentials … the use case here is to allow us to programmatically construct a set of API tokens specifically to be shared with an application to deal with custom hostname configuration … all working fine with the deprecated credentials).

The documentation says there are 3 sets of permissions: API Token, Membership, and User Details.

But, for me (as a super admin) when I’m manually defining the permissions for the API Token, I only see Membership and User Details as options. No API Token option. Also, in my personal account and in an account I’m just a normal admin in … all seem to be missing the ability to grant API Token Edit permission to an API Token.

As a consequence, I’m unable to read the list of permission groups.

Calling curl https://api.cloudflare.com/client/v4/user/tokens/permission_groups -H "Authorization: Bearer *********" outputs

{
  "success": false,
  "errors": [
    {
      "code": 9109,
      "message": "Unauthorized to access requested resource"
    }
  ],
  "messages": [],
  "result": null
}

Any help/suggestions/documentation would be greatly appreciated.

As a confirmation, calling curl https://api.cloudflare.com/client/v4/user/tokens/permission_groups -H "X-Auth-Email: [email protected]" -H "X-Auth-Key: ab....a7" outputs …

{
  "result": [
    {
      "id": "6ced5d0d69b1422396909a62c38ab41b",
      "name": "API Gateway Read",
      "description": "Grants read access to API-Gateway Management",
      "scopes": [
        "com.cloudflare.api.account.zone"
      ]
    },
    {
      "id": "f0235726de25444a84f704b7c93afadf",
      "name": "API Gateway Write",
      "description": "Grants write access to API-Gateway Management",
      "scopes": [
        "com.cloudflare.api.account.zone"
      ]
    },
    {
      "id": "0cc3a61731504c89b99ec1be78b77aa0",
      "name": "API Tokens Read",
      "description": "Grants read access to user's API Tokens",
      "scopes": [
        "com.cloudflare.api.user"
      ]
    },
    {
      "id": "686d18d5ac6c441c867cbf6771e58a0a",
      "name": "API Tokens Write",
      "description": "Grants write access to user's API Tokens",
      "scopes": [
        "com.cloudflare.api.user"
      ]
    },
    ...
}

And there are the permissions that I can see via my Global API Key, but I can’t add them to my API Token!

So the answer is to use the “Create Additional Tokens” template and then add your additional requirements. Only the template contains the appropriate permission.
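
An added example, not part of the original post and not Cloudflare's code: it parses the two `permission_groups` response shapes shown above, reports the 9109 refusal clearly, and resolves group names to IDs while rejecting a group whose `scopes` do not match the resource it is being attached to. The policy layout and the resource key `com.cloudflare.api.user.<id>` are assumptions about the token-creation request; the IDs are copied from the output in the post and `USER_ID_PLACEHOLDER` is a placeholder.

```python
import json

# Constructed samples mirroring the two response shapes shown in the post.
DENIED = json.dumps({"success": False, "result": None, "messages": [], "errors": [
    {"code": 9109, "message": "Unauthorized to access requested resource"}]})
ALLOWED = json.dumps({"result": [
    {"id": "6ced5d0d69b1422396909a62c38ab41b", "name": "API Gateway Read",
     "scopes": ["com.cloudflare.api.account.zone"]},
    {"id": "0cc3a61731504c89b99ec1be78b77aa0", "name": "API Tokens Read",
     "scopes": ["com.cloudflare.api.user"]},
    {"id": "686d18d5ac6c441c867cbf6771e58a0a", "name": "API Tokens Write",
     "scopes": ["com.cloudflare.api.user"]}]})


class PermissionGroupError(Exception):
    """Raised when the listing is refused or a requested group cannot be used."""


def parse_groups(body):
    """Return {name: group}; raise if the API refused the request."""
    doc = json.loads(body)
    if doc.get("success") is False or doc.get("result") is None:
        codes = [e.get("code") for e in doc.get("errors", [])]
        hint = ""
        if 9109 in codes:
            hint = "; was the token built from the 'Create Additional Tokens' template?"
        raise PermissionGroupError(f"permission_groups refused, codes={codes}{hint}")
    return {g["name"]: g for g in doc["result"]}


def build_policy(groups, names, resource):
    """Build one allow policy (assumed shape), failing closed on bad input."""
    picked = []
    for name in names:
        group = groups.get(name)
        if group is None:
            raise PermissionGroupError(f"unknown permission group: {name!r}")
        # A user-scoped group must not be attached to a zone resource, and vice versa.
        if not any(resource == s or resource.startswith(s + ".") for s in group["scopes"]):
            raise PermissionGroupError(f"{name!r} does not apply to {resource}")
        picked.append({"id": group["id"]})
    return {"effect": "allow", "resources": {resource: "*"}, "permission_groups": picked}
```

Failing on an unknown name or a scope mismatch keeps a typo from silently producing a token with a different permission set than the one requested.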