Cloudflare Replaces API Tokens with Secure Logins
TL;DR: Cloudflare now lets all developers use OAuth for third-party app integrations. This offers a more secure alternative to traditional API tokens, giving users granular control over what data and actions an application can access.
Key facts
- Category: Infrastructure
- Impact: High
- Published
- Source: Cloudflare Blog
Full summary
Cloudflare is replacing API tokens with a more secure OAuth system, giving developers and security teams better control over third-party app access.
Cloudflare has rolled out self-service OAuth for all developers, providing a modern and more secure way for third-party applications to integrate with its platform. This new system moves away from the traditional use of long-lived API tokens, which often carried broad permissions and posed a security risk if exposed. Instead of sharing a static key that acts like a password, developers can now build applications that request specific, limited permissions from a user through a standard authorization flow. This means users grant access only for the tasks an app needs to perform, such as managing DNS records or updating firewall rules, without handing over full control of their account. The change is designed to make building on Cloudflare's extensive API ecosystem both easier and significantly safer for everyone involved.
This update is a major step forward for security and developer experience. For security teams and administrators, OAuth provides granular control and better visibility into which applications have access to their Cloudflare environment. They can approve or revoke access for a specific application at any time without disrupting other services. This is a stark contrast to API tokens, where revoking a compromised token could break multiple critical automations that shared it. For developers, this change simplifies the process of building trustworthy integrations. They no longer need to securely store and manage sensitive API tokens for their users, reducing their own security burden and making their applications more appealing to security-conscious customers.
By making OAuth widely available, Cloudflare is fostering a more robust and secure application ecosystem. This move aligns the company with industry-wide best practices for authentication and authorization, similar to how users connect apps to their Google or GitHub accounts. As a result, businesses and individual developers can more confidently connect their favorite CI/CD tools, monitoring services, and other management software to their Cloudflare accounts. Over time, this will likely lead to a wider variety of high-quality, trusted integrations, allowing users to automate more of their infrastructure management securely.
Why it matters
This is a significant security upgrade for anyone using third-party tools with Cloudflare. It replaces risky, all-or-nothing API tokens with a modern system that gives users granular control over what each app can access, improving security and visibility.
Business impact
By adopting a more secure standard (OAuth), Cloudflare reduces the risk of account takeovers from leaked API tokens. This enhances security posture for businesses using its platform and encourages a safer, more integrated ecosystem of third-party developer tools, which can increase operational efficiency.
Primary source: Cloudflare Blog
