Cloudflare Cloudflare API Tokens Announced No Longer Need Global API Key !

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Sep 1, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    Finally Cloudflare has publicly announced the Cloudflare API Tokens feature, which allows you to narrow and restrict Cloudflare permissions to what a specific Cloudflare API Token can do. This is as opposed to the normal Cloudflare Global API Key. As a Cloudflare MVP member, I have been beta testing Cloudflare API Tokens for the past few months and it's great that I can now deploy Cloudflare API Tokens with minimal restricted permissions to only do some specific tasks via Cloudflare API, instead of using a Cloudflare Global API Key which has access to your entire Cloudflare account/billing etc.

    Cloudflare also updated their official WordPress plugin to support Cloudflare API Tokens instead of CF Global API Key as well.

    I have been very hesitant in recommending to Centmin Mod users the use of Cloudflare Global API token in the past, as compromise of your server or the web app utilising the Cloudflare Global API token would mean potential compromise of your entire Cloudflare account and any and all web sites within that Cloudflare account. But now with restricted, limited-permission-based Cloudflare API Tokens, you can restrict it to a specific domain site Cloudflare zone only etc :cool: This means I will be planning extended Cloudflare integration into Centmin Mod LEMP stack for supporting Cloudflare API to enhance your sites via Cloudflare API Token based API usage :)

    And yes Cloudflare is moving from Global API Keys to API Token method eventually, so your scripts and setups should start looking at conversion to support Cloudflare API Tokens ;)
    Example of some of my Cloudflare API Tokens I created for my custom Cloudflare Analytics/Argo API query stats reporting script and my generic WordPress API Token restricted permissions (yes I now also use Cloudflare custom Workers for more advanced caching :) )


    Custom zone restricted Analytics/logs and Argo stats API query API Token permissions

    Which allow me to write custom scripts which report Argo analytics stats like this


    Then my custom WordPress Cloudflare API Token permissions for a restricted zone only.


    AFAIK, for general Cloudflare WordPress plugin usage, you don't need the Account level permissions, only Zone ones for:
    • Zone Settings:Edit
    • DNS:Read
    • Zone:Edit
    • Cache Purge:Edit
    • Analytics:Read
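
A least-privilege check against the zone-only permission list above, as an added example that is not part of the original post or any Cloudflare or Centmin Mod code. It assumes a token policy layout (`effect`, `resources`, `permission_groups`) and resource-key prefix modelled on Cloudflare's token policy JSON, uses the dashboard labels from the post as permission names, and all IDs and sample tokens are constructed.

```python
# Added example: audit a Cloudflare API token's policies for least privilege.
# Assumptions: policy layout and resource-key prefix are modelled on
# Cloudflare's token policy JSON; permission names are the dashboard labels
# listed in the post; every ID and sample token below is constructed.

ALLOWED = {"Zone Settings:Edit", "DNS:Read", "Zone:Edit",
           "Cache Purge:Edit", "Analytics:Read"}
ZONE_PREFIX = "com.cloudflare.api.account.zone."

def audit_token(policies, zone_id, allowed=ALLOWED):
    """Return sorted findings; an empty list means the token is limited
    to `zone_id` and to the allowed permission set."""
    findings = set()
    for policy in policies:
        if policy.get("effect") != "allow":
            continue  # deny policies only narrow access
        for resource in policy.get("resources", {}):
            if not resource.startswith(ZONE_PREFIX):
                findings.add(f"non-zone resource: {resource}")
            elif resource[len(ZONE_PREFIX):] != zone_id:
                findings.add(f"zone outside scope: {resource}")
        for group in policy.get("permission_groups", []):
            if group["name"] not in allowed:
                findings.add(f"extra permission: {group['name']}")
    return sorted(findings)

ZONE = "0123456789abcdef0123456789abcdef"  # constructed zone ID

# Constructed token matching the zone-only WordPress permission list.
wordpress_token = [{
    "effect": "allow",
    "resources": {ZONE_PREFIX + ZONE: "*"},
    "permission_groups": [{"name": n} for n in sorted(ALLOWED)],
}]

# Constructed token that is too broad: all zones, an account resource,
# and permissions outside the list.
overbroad_token = [{
    "effect": "allow",
    "resources": {ZONE_PREFIX + "*": "*",
                  "com.cloudflare.api.account.aaaa1111": "*"},
    "permission_groups": [{"name": "DNS:Edit"}, {"name": "Billing:Read"},
                          {"name": "Cache Purge:Edit"}],
}]

if __name__ == "__main__":
    for label, tok in [("wordpress", wordpress_token),
                       ("overbroad", overbroad_token)]:
        print(label, audit_token(tok, ZONE) or "OK")
```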