Detect Cloudflare API tokens with DLP
The Credentials and Secrets DLP profile now includes three new predefined entries for detecting Cloudflare API credentials:
| Entry name | Token prefix | Detects |
|---|---|---|
| Cloudflare User API Key | cfk_ | User-scoped API keys |
| Cloudflare User API Token | cfut_ | User-scoped API tokens |
| Cloudflare Account Owned API Token | cfat_ | Account-scoped API tokens |
These detections target the new Cloudflare API credential format, which uses a structured prefix and a CRC32 checksum suffix. The identifiable prefix makes it possible to detect leaked credentials with high confidence and low false positive rates — no surrounding context such as Authorization: Bearer headers is required.
Credentials generated before this format change will not be matched by these entries.
- In the Cloudflare dashboard ↗, go to Zero Trust > DLP > DLP Profiles.
- Select the Credentials and Secrets profile.
- Turn on one or more of the new Cloudflare API token entries.
- Use the profile in a Gateway HTTP policy to log or block traffic containing these credentials.
Example policy:
| Selector | Operator | Value | Action |
|---|---|---|---|
| DLP Profile | in | Credentials and Secrets | Block |
You can also enable individual entries to scope detection to specific credential types — for example, enabling Account Owned API Token detection without enabling User API Key detection.
For more information, refer to predefined DLP profiles.