Token formats
Cloudflare API credentials use a prefixed, scannable format that makes them identifiable by credential scanning tools. Each credential type has a distinct prefix followed by 40 characters and a checksum.
| Credential type | Description | Format |
|---|---|---|
| Global API Key | Global key tied to your user account (full access) | cfk_[40 characters][checksum] |
| User API Token | Scoped token you create for specific permissions | cfut_[40 characters][checksum] |
| Account API Token | Token owned by the account, not tied to a specific user | cfat_[40 characters][checksum] |
Existing tokens continue to work. Every new token you create or roll uses the scannable format automatically.
The prefixed format and checksum allow credential scanning tools to detect leaked Cloudflare tokens with high confidence. Cloudflare partners with scanning providers to find your tokens before they can be used maliciously.
When a leaked token is detected, Cloudflare automatically revokes it and sends an email to the token owner so you can generate a replacement.
Tokens created before the scannable format was introduced use unprefixed strings. These tokens continue to work. Cloudflare scans for and revokes leaked tokens in both the old and new formats.
| Credential type | Old format |
|---|---|
| Global API Key | 37–45 character lowercase hex string |
| User API Token | 40-character alphanumeric string |
| Account API Token | 40-character alphanumeric string |