What's a permissions for Cloudflare API token to get zero trust user list?

Refer to dashboard https://one.dash.cloudflare.com/XXX/team/users.
Call to https://dash.cloudflare.com/api/v4/accounts/XXX/access/users?per_page=50&page=1&offset=0
So I assume API is https://developers.cloudflare.com/api/operations/zero-trust-users-get-users
So I try set All accounts - Zero Trust:Read

But it’s not working so I try use Read all resources to see if it’s working.
And it work (with all permissions checked) so I uncheck one by one to see which one make it work.(pretty nightmare)

Finally I found that only one Account.Access: Audit Logs is need to make it work. (what?)
So here am I scratching my head and asking what going on here and is this expected?


  1. I need Account.Access: Audit Logs token in Authorization: Bearer XXX to get user list and didn’t seem obvious to me (both permission name and how to figure this out).
  2. Is that’s another easy way to determine which permission I need for each API?

I’ve some more API to call and the first one hit me really hard. Maybe someone can can explain me why.


Wow thank God someone actually went to the trouble. It was the same for me. Could not get the list of users w/o the Account.Access: Audit Logs scope…
I used the endpoint https://api.cloudflare.com/client/v4/accounts/:id/access/users