API token template URLs
Use template URLs to generate Cloudflare API tokens with pre-configured permissions. Template URLs allow you to share token requirements with users without manually selecting permissions in the dashboard.
Template URLs use query parameters to pre-fill the API token creation page in the Cloudflare dashboard. When a user clicks a template URL, the dashboard automatically configures the specified permissions and settings.
The basic template URL structure is:
|Parameter
|Required
|Description
permissionGroupKeys
|Yes
|URL-encoded JSON array of permission objects
accountId
|Yes
|Account scope (use
* for all accounts)
zoneId
|Yes
|Zone scope (use
all for all zones)
name
|No
|Pre-filled token name
Permissions are encoded as a JSON array with the following structure:
|Type
|Description
read
|Read-only access
edit
|Full access (create, read, update, delete)
revoke
|Revoke permissions
run
|Execute permissions
purge
|Purge permissions
List the permissions your use case needs. Refer to the permission reference table.
Format your permissions as a JSON array:
Use a URL encoder to convert the JSON string:
Combine all components into the final template URL:
Use this table to find permission keys for your custom templates.
|Permission key
|Description
|Common use cases
account_analytics
|Account analytics
|Reporting, monitoring
account_api_tokens
|API token management
|Token automation
account_settings
|Account configuration
|Account management
billing
|Billing information
|Cost tracking, invoicing
workers_scripts
|Workers scripts
|Serverless functions
workers_kv
|Workers KV storage
|Data storage
workers_routes
|Workers routes
|Traffic routing
|Permission key
|Description
|Common use cases
zone_dns
|DNS records
|Domain management
zone
|Zone management
|Domain configuration
analytics
|Zone analytics
|Performance monitoring
firewall_services
|Firewall rules
|Security management
page_rules
|Page rules
|Traffic control
cache_purge
|Cache purging
|Content updates
|Permission key
|Description
|Common use cases
access
|Access applications
|Zero Trust apps
access_acct
|Access organizations
|Identity management
access_audit_log
|Access audit logs
|Compliance, security
access_custom_page
|Custom pages
|Branding, user experience
Use these ready-to-use template URLs for common scenarios.
Create tokens for DNS record management.
|Use case
|Template URL
|DNS read-only
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22zone_dns%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=DNS%20Read%20Token<br>
|DNS read/write
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22zone_dns%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=DNS%20Management%20Token<br>
Create tokens for Workers, KV storage, and related services.
|Use case
|Template URL
|Workers scripts only
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22workers_scripts%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Workers%20Scripts%20Token<br>
|Workers full access
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22workers_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_kv%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_routes%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Workers%20Full%20Access%20Token<br>
Create tokens for accessing analytics and logs.
|Use case
|Template URL
|Account analytics
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_analytics%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Account%20Analytics%20Token<br>
|Zone analytics
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Zone%20Analytics%20Token<br>
Create tokens for Cloudflare Zero Trust management.
|Use case
|Template URL
|Access applications read
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Access%20Read%20Token<br>
|Access full management
text<br>https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22access_acct%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Access%20Management%20Token<br>
Follow these guidelines when creating and sharing template URLs.
- Principle of least privilege: Only request the minimum permissions necessary for your use case. This reduces security risks if a token is compromised.
- Use descriptive token names: Include clear, descriptive names in your template URLs to help users understand the token's purpose.
- Document token usage: Provide clear documentation about what each token is used for and how to revoke it when no longer needed.
- Regular token rotation: Encourage users to regularly rotate tokens and review permissions.
- Test before sharing: Always test template URLs in a staging environment before sharing them with users.
Review the list of common issues and solutions.
|Issue
|Solution
|URL does not pre-fill permissions
|Verify the JSON is properly URL-encoded
|Permissions are missing
|Check permission keys in the reference table
|Token name does not appear
|Ensure the name parameter is URL-encoded
|Access denied error
|Verify the user has required permissions in their account
Additionally, review the checklist before sharing a template URL.
- All permission keys are correct
- JSON syntax is valid
- URL encoding is proper
- Token name is descriptive
- Permissions follow least privilege principle
