API tokens now detectable by secret scanning tools
Cloudflare API tokens now include identifiable patterns that enable secret scanning tools to automatically detect them when leaked in code repositories, configuration files, or other public locations.
API tokens generated by Cloudflare now follow a standardized format that secret scanning tools can recognize. When a Cloudflare token is accidentally committed to GitHub, GitLab, or another platform with secret scanning enabled, the tool will flag it and alert you.
Leaked credentials are a common security risk. Because Cloudflare tokens are now detectable by scanning tools, you can:
- Detect leaks faster — Get notified immediately when a token is exposed.
- Reduce risk window — Exposed tokens are deactivated immediately, before they can be exploited.
- Automate security — Leverage existing secret scanning infrastructure without additional configuration.
When a third-party secret scanning tool detects a leaked Cloudflare API token:
- Cloudflare immediately deactivates the token to prevent unauthorized access.
- The token creator receives an email notification alerting them to the leak.
- The token is marked as "Exposed" in the Cloudflare dashboard.
- You can then roll or delete the token from the token management pages.
Supported secret scanning tools:
- GitHub Secret Scanning — Automatically enabled for public repositories
For more information on token formats and secret scanning, refer to API token formats.