Skip to content
Fenod Fenod Fenod Stack

Cloudflare API Tokens for AI-Assisted Work

Disponible en francais

Use this guide when creating Cloudflare credentials for local development, CI, deploys, MCP servers, or AI coding agents. The goal is simple: agents can do useful Cloudflare work without receiving broad account control or long-lived secrets they do not need.

Golden Rules

Section titled “Golden Rules”
  1. Prefer OAuth for local Wrangler commands. Do not export CLOUDFLARE_API_TOKEN globally; it overrides Wrangler OAuth and often causes confusing permission failures.
  2. Use narrow, task-specific tokens. Create one token per automation surface: CI deploy, preview deploy, D1 migrations, R2 upload, analytics read, etc.
  3. Use resource-scoped permissions whenever Cloudflare supports them. A deploy token should target one Worker, one Pages project, one D1 database, one R2 bucket, or one zone instead of the whole account.
  4. Never paste tokens into prompts, issues, PRs, logs, or markdown docs. Store secrets in Bitwarden Secrets Manager, Infisical, Cloudflare secrets, or CI secret storage.
  5. Do not give AI agents account-wide edit access by default. Broker sensitive operations through scripts, MCP tools, or CI jobs with limited scopes.
  6. Rotate aggressively after experiments. Any token used during exploratory AI work should be short-lived or deleted after the session.

Local Wrangler Usage

Section titled “Local Wrangler Usage”

For day-to-day human development, use Wrangler OAuth:

Terminal window
wrangler login

When running local commands on a machine that might have a token exported, explicitly unset it:

Terminal window
env -u CLOUDFLARE_API_TOKEN wrangler whoami
env -u CLOUDFLARE_API_TOKEN wrangler pages deploy dist --project-name my-project
env -u CLOUDFLARE_API_TOKEN wrangler d1 migrations apply my-db --local

Only set CLOUDFLARE_API_TOKEN inside a narrow process, CI job, or secret-injected command that truly needs API-token auth.

Token Profiles

Section titled “Token Profiles”

Create separate Cloudflare API tokens for separate jobs. Names should include the project, environment, purpose, and owner.

Recommended naming format:

fenod:<project>:<env>:<purpose>:<owner>

Examples:

fenod:client-app:prod:workers-deploy:github-actions
fenod:client-app:preview:pages-deploy:github-actions
fenod:client-app:prod:d1-migrations:ci
fenod:client-app:dev:r2-upload:agent-broker

Least-Privilege Resource Map

Section titled “Least-Privilege Resource Map”

Use Cloudflare’s token templates as a starting point, then reduce account/resource access to the smallest possible scope. For old tokens, reissue them with the newest Cloudflare token format and resource-scoped policies so leaked tokens are easier to detect and the blast radius is smaller.

JobTypical permissionsResource scopeNotes
Workers deployWorkers Scripts: Edit, Account Settings: Read if required by WranglerOne account, ideally one script/projectUse for CI deploy only; avoid giving this to ad hoc agents.
Pages deployCloudflare Pages: EditOne account, specific Pages project if availablePrefer wrangler pages deploy from CI.
D1 migrationsD1: EditSpecific account/database where possibleKeep separate from app deploy tokens. Migrations can destroy data.
R2 object uploadR2: EditSpecific bucket where possibleFor app assets/backups; avoid account-wide R2 admin.
KV writesWorkers KV Storage: EditSpecific namespace where possibleKV often stores config; treat writes as sensitive.
Queues managementQueues: EditSpecific queue where possibleSeparate runtime producer/consumer bindings from admin tokens.
Analytics/read-only inspectionAnalytics: Read, Logs: Read if neededAccount/project read-onlySafe for dashboards and debugging agents.
DNS automationZone DNS: EditOne zone onlyHigh risk: can hijack traffic. Never bundle with deploy tokens.
Account/user managementAccount Settings/User details: Read/EditAccountAvoid for agents unless building admin automation with explicit approval.

If a token needs many unrelated permissions, split it into multiple tokens or move the operation behind a human-approved CI workflow.

Platform Tokens vs Provider Keys

Section titled “Platform Tokens vs Provider Keys”

Do not mix these credential classes:

Cloudflare token layers

LayerCredentialOwnsPreferred boundary
Cloudflare platformCLOUDFLARE_API_TOKENDeploying Workers, editing DNS, creating D1/R2/KV/QueuesResource-scoped token, CI/broker controlled
AI provider accessOpenAI/Anthropic/Gemini/Replicate keysModel inference spend and data accessCloudflare AI Gateway BYOK or provider secret store
Agent runtime budgetModel context/output tokensCost and context pressure while agents workCode Mode, tool search, summaries, budget caps

A Worker deploy token should not also be the way the app calls LLM providers. Likewise, an LLM provider key should not be available to an infrastructure-management agent unless the task explicitly requires it.

AI Gateway BYOK for Provider Keys

Section titled “AI Gateway BYOK for Provider Keys”

For deployed AI apps, prefer Cloudflare AI Gateway with BYOK / stored provider keys over raw provider keys in Worker secrets.

Recommended production pattern:

  1. Security/admin owner stores provider keys in Cloudflare AI Gateway or a secret manager integrated with it.
  2. Application code references the stored key or gateway route, not the plaintext provider key.
  3. Developers and agents can deploy code that references approved keys, but cannot read the key value.
  4. AI Gateway enforces budgets, rate limits, caching, fallback, and audit logging.
  5. Dynamic routes or gateway policies cap runaway loops before they become billing incidents.

Use direct Worker secrets for provider keys only when AI Gateway does not support the provider/workflow yet, or during short-lived local development. Document the exception and migrate it back behind Gateway when possible.

Provider caveat: some SDKs/providers still require direct API-key signing or are not fully OpenAI-compatible. Treat those as explicit exceptions with narrower secrets and tighter budgets.

AI Agent Safety Pattern

Section titled “AI Agent Safety Pattern”

AI agents should not directly hold broad Cloudflare tokens. Prefer this hierarchy:

  1. Read-only context: docs, wrangler.jsonc, generated types, and sanitized command output.
  2. Local OAuth commands: human-authenticated Wrangler with env -u CLOUDFLARE_API_TOKEN.
  3. Broker scripts: checked-in scripts expose safe operations like deploy-preview, apply-local-migrations, or tail-logs.
  4. CI workflows: production deploys and migrations run from GitHub Actions with scoped secrets.
  5. Break-glass token: temporary, time-boxed, manually revoked after the task.

Good agent-facing command:

Terminal window
pnpm cf:deploy-preview

Risky agent-facing command:

Terminal window
CLOUDFLARE_API_TOKEN=... wrangler deploy --env production

Repository Scripts to Prefer

Section titled “Repository Scripts to Prefer”

Add project scripts so agents do not invent privileged commands:

{
  "scripts": {
    "cf:whoami": "env -u CLOUDFLARE_API_TOKEN wrangler whoami",
    "cf:types": "env -u CLOUDFLARE_API_TOKEN wrangler types",
    "cf:d1:local": "env -u CLOUDFLARE_API_TOKEN wrangler d1 migrations apply DB --local",
    "cf:deploy:preview": "pnpm build && env -u CLOUDFLARE_API_TOKEN wrangler pages deploy dist --project-name PROJECT"
  }
}

For CI-only scripts, document that they require injected secrets and should not be run locally by agents.

Secret Storage

Section titled “Secret Storage”
ContextStore tokens inAvoid
Local human machineBitwarden Secrets Manager or InfisicalShell profile exports, .env, notes apps
Local app runtimeCloudflare wrangler secret put or local secret manager injectionCommitted .dev.vars with real values
CI/CDGitHub Actions secrets/environments, Infisical, Bitwarden Secrets ManagerPlain workflow YAML values
Worker runtimeCloudflare secrets/bindingsBundled frontend env vars
AI/MCP toolingBrokered commands or short-lived narrow tokensShared all-purpose account token

Never commit real Cloudflare credentials. .env.example may list variable names only.

Production Gates

Section titled “Production Gates”

For production-affecting operations, require at least one gate:

  • protected GitHub environment approval
  • manual workflow_dispatch approval
  • branch protection + reviewed PR
  • a broker service that validates allowed resource IDs
  • Cloudflare token with only the target resource and permission

Production D1 migrations, DNS edits, Worker route changes, and account-level settings should never be silent side effects of an AI coding session.

Incident Response

Section titled “Incident Response”

If a token may have leaked:

  1. Revoke the token in Cloudflare immediately.
  2. Search repo, PRs, logs, CI output, issue comments, and agent transcripts for the value or prefix.
  3. Rotate any downstream credentials the token could access or overwrite.
  4. Review Cloudflare audit logs for deploys, DNS edits, data writes, and new tokens.
  5. Add a narrower replacement token only after the incident is understood.

Agent Checklist

Section titled “Agent Checklist”

Before asking an AI agent to run Cloudflare commands, confirm:

  • The command uses OAuth locally or a scoped CI secret.
  • CLOUDFLARE_API_TOKEN is not globally exported.
  • The token cannot edit DNS unless the task is explicitly DNS-related.
  • The token cannot edit D1/R2/KV resources outside the target project.
  • The operation is scripted and reviewable.
  • Production deploys/migrations require human approval.
  • Any temporary token has an owner and deletion date.
Section titled “Related Guides”