--- title: API tokens now detectable by secret scanning tools description: Cloudflare API tokens include identifiable patterns for automated leak detection in repositories and code. image: https://developers.cloudflare.com/changelog-preview.png --- [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) [ ← Back to all posts ](https://developers.cloudflare.com/changelog/) ## API tokens now detectable by secret scanning tools Apr 10, 2026 [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare API tokens now include **identifiable patterns** that enable secret scanning tools to automatically detect them when leaked in code repositories, configuration files, or other public locations. #### What changed API tokens generated by Cloudflare now follow a standardized format that secret scanning tools can recognize. When a Cloudflare token is accidentally committed to GitHub, GitLab, or another platform with secret scanning enabled, the tool will flag it and alert you. #### Why this matters Leaked credentials are a common security risk. By making Cloudflare tokens detectable by scanning tools, you can: * **Detect leaks faster** — Get notified immediately when a token is exposed. * **Reduce risk window** — Exposed tokens are deactivated immediately, before they can be exploited. * **Automate security** — Leverage existing secret scanning infrastructure without additional configuration. #### What happens when a leak is detected When a third-party secret scanning tool detects a leaked Cloudflare API token: 1. **Cloudflare immediately deactivates the token** to prevent unauthorized access. 2. **The token creator receives an email notification** alerting them to the leak. 3. **The token is marked as "Exposed"** in the Cloudflare dashboard. 4. **You can then roll or delete the token** from the token management pages. #### Supported platforms * **GitHub Secret Scanning** — Automatically enabled for public repositories For more information on token formats and secret scanning, refer to [API token formats](https://developers.cloudflare.com/fundamentals/api/get-started/token-formats/).