API deprecations
Cloudflare occasionally makes updates to our APIs that result in behavior changes or deprecations. When this happens, we will communicate when the API will no longer be available and whether there will be a replacement.
Deprecation date: June 15, 2025
The Firewall Rules API and the Filters API are deprecated, since Firewall Rules was deprecated in favor of WAF custom rules. Refer to Firewall Rules to WAF custom rules migration for more information about this change.
Deprecated APIs:
GET /zones/:zone_id/firewall/rules
POST /zones/:zone_id/firewall/rules
PATCH /zones/:zone_id/firewall/rules
PUT /zones/:zone_id/firewall/rules
DELETE /zones/:zone_id/firewall/rules
GET /zones/:zone_id/firewall/rules/:rule_id
PATCH /zones/:zone_id/firewall/rules/:rule_id
PUT /zones/:zone_id/firewall/rules/:rule_id
DELETE /zones/:zone_id/firewall/rules/:rule_id
GET /zones/:zone_id/filters
POST /zones/:zone_id/filters
PUT /zones/:zone_id/filters
DELETE /zones/:zone_id/filters
GET /zones/:zone_id/filters/:filter_id
PUT /zones/:zone_id/filters/:filter_id
DELETE /zones/:zone_id/filters/:filter_id
Replacement: WAF custom rules
Deprecation date: June 15, 2025
The APIs for managing WAF managed rules (previous version) — namely for managing packages, rule groups, rules, and overrides — are deprecated in favor of WAF Managed Rules. Refer to WAF Managed Rules migration for more information about this change.
Deprecated APIs:
GET /zones/:zone_id/firewall/waf/packages
GET /zones/:zone_id/firewall/waf/packages/:package_id
PATCH /zones/:zone_id/firewall/waf/packages/:package_id
GET /zones/:zone_id/firewall/waf/packages/:package_id/groups
GET /zones/:zone_id/firewall/waf/packages/:package_id/groups/:group_id
PATCH /zones/:zone_id/firewall/waf/packages/:package_id/groups/:group_id
GET /zones/:zone_id/firewall/waf/packages/:package_id/rules
GET /zones/:zone_id/firewall/waf/packages/:package_id/rules/:rule_id
PATCH /zones/:zone_id/firewall/waf/packages/:package_id/rules/:rule_id
GET /zones/:zone_id/firewall/waf/overrides
POST /zones/:zone_id/firewall/waf/overrides
GET /zones/:zone_id/firewall/waf/overrides/:override_id
PUT /zones/:zone_id/firewall/waf/overrides/:override_id
DELETE /zones/:zone_id/firewall/waf/overrides/:override_id
Replacement: WAF Managed Rules (new version)
Deprecation date: June 15, 2025
The Rate Limiting API is deprecated, since the previous version of rate limiting rules was deprecated in favor of the new rate limiting rules based on the Ruleset Engine. Refer to Rate limiting (previous version) deprecation notice for more information about this change.
Deprecated API:
GET /zones/:zone_id/rate_limits
POST /zones/:zone_id/rate_limits
GET /zones/:zone_id/rate_limits/:rate_limit_id
PUT /zones/:zone_id/rate_limits/:rate_limit_id
DELETE /zones/:zone_id/rate_limits/:rate_limit_id
Replacement: Rate limiting rules (new version)
Deprecation date: March 23, 2025
Users can now add custom nameservers that are not part of a zone managed within their account. As a result, any zone is eligible for custom nameservers, regardless of whether it is managed by Cloudflare. Given this change, an endpoint to check for eligible zones is no longer relevant and is therefore being deprecated.
Deprecated APIs:
GET /accounts/:account_id/custom_ns/availability
Deprecation date: March 21, 2025
The Zone Settings API endpoints for managing zone-level CNAME flattening are deprecated. Instead, use the Show DNS Settings and Update DNS Settings endpoints to manage this setting.
Changes via the old endpoints will be reflected in the new ones, and vice versa, so there is no need to migrate existing zones. However, future API calls must use DNS Settings instead of the Zone Settings endpoints.
Note that, with the deprecated zone setting, values "off"
and "apex"
have the same behavior. These are represented as {"flatten_all_cnames": false}
in the new API.
The zone setting "on"
corresponds to {"flatten_all_cnames": true}
in the new API.
Affected APIs:
GET /zones/:zone_id/settings
PATCH /zones/:zone_id/settings
Deprecated APIs:
GET /zones/:zone_id/settings/cname_flattening
PATCH /zones/:zone_id/settings/cname_flattening
Deprecation date: March 14, 2025
The fields "default_nameservers"
and "use_account_custom_ns_by_default"
within the "settings"
object of accounts are deprecated.
Instead, use the Show DNS Settings and Update DNS Settings endpoints to manage this setting.
This setting is available in the new API as .zone_defaults.nameservers.type
, with allowed values "cloudflare.standard"
, "cloudflare.standard.random"
, "custom.account"
and "custom.tenant"
.
Changes via the old endpoints will be reflected in the new ones, and vice versa, so there is no need to migrate existing zones. However, future API calls must use DNS Settings instead of the Accounts endpoints.
Affected APIs:
GET /accounts
POST /accounts
GET /accounts/:account_id
PUT /accounts/:account_id
Deprecation date: February 21, 2025
The following URL parameters for filtering DNS records are deprecated:
name=contains:value
Instead, use the supportedname.contains=value
syntax.name=starts_with:value
Instead, use the supportedname.startswith=value
syntax.name=ends_with:value
Instead, use the supportedname.endswith=value
syntax.name=one,two,three
(searching for one of multiple possible names, separated by commas)
Instead, make multiple requests, one for each possiblename
. Alternatively, if only querying thename
field, the?match=any&name=one&name=two&name=three
syntax can be used instead. This syntax has an extended deprecation date of May 23, 2025.content=contains:value
Instead, use the supportedcontent.contains=value
syntax.content=starts_with:value
Instead, use the supportedcontent.startswith=value
syntax.content=ends_with:value
Instead, use the supportedcontent.endswith=value
syntax.content=one,two,three
(searching for one of multiple possible contents, separated by commas)
Instead, make multiple requests, one for each possiblecontent
. Alternatively, if only querying thecontent
field, the?match=any&content=one&content=two&content=three
syntax can be used instead. This syntax has an extended deprecation date of May 23, 2025.type=contains:value
Searching for substrings of a type name will no longer be supported. Instead, please search for an exact type name, such astype=CNAME
. If the input value is a free-text search from a human user, consider using thesearch
parameter instead.
None of the parameters being deprecated were ever officially supported per our API documentation.
Affected APIs:
GET /zones/:zone_id/dns_records
Deprecation date: November 21, 2025
The self_hosted_domains
field for Access applications is deprecated in favor of destinations
to allow for more flexibility in defining different types of domains.
Before:
{
// ...
"self_hosted_domains": ["foo.example.com", "bar.example.com"]
}
After:
{
// ...
"destinations": [
{
"type": "public",
"uri": "foo.example.com"
},
{
"type": "public",
"uri": "bar.example.com"
}
]
}
The API will accept both fields until the deprecation date. If self_hosted_domains
are provided, then they will be interpreted as public
destinations. However, if destinations
are provided, then self_hosted_domains
will be ignored even if provided.
Additionally, the API will continue to return self_hosted_domains
until the deprecation date. The field will contain the URIs of the subset of destinations that have type public
.
Affected APIs:
GET /accounts/:account_id/access/apps
POST /accounts/:account_id/access/apps
GET /accounts/:account_id/access/apps/:app_id
PUT /accounts/:account_id/access/apps/:app_id
GET /zones/:zone_id/access/apps
POST /zones/:zone_id/access/apps
GET /zones/:zone_id/access/apps/:app_id
PUT /zones/:zone_id/access/apps/:app_id
Deprecation date: November 30, 2024
Currently, each individual DNS record returned by the API contains information about the zone it is on, specifically the zone ID and name.
{
"result": [
{
// ...
"zone_id": "ab922473c42f4e50819d7c1c9b81b16b",
"zone_name": "example.com"
}
],
// ...
}
This information is redundant because both affected API routes are already within the zone scope. In particular, the zone ID will already be known to any user of these routes because it appears in the URL. The zone name can be retrieved by making a GET
request to /zones/:zone_id
if it is necessary.
After November 30th, 2024, Cloudflare will stop including the zone_id
and zone_name
fields on individual DNS records in API responses. These fields are currently ignored when sent to the API as part of a request body, so no changes to request bodies are required.
Modified API:
GET /zones/:zone_id/dns_records
POST /zones/:zone_id/dns_records
GET /zones/:zone_id/dns_records/:dns_record_id
PATCH /zones/:zone_id/dns_records/:dns_record_id
PUT /zones/:zone_id/dns_records/:dns_record_id
Deprecation date: October 1, 2024
Cloudflare is making a minor change to the representation of certain errors when creating DNS records. Currently, when the DNS record to be created is invalid, an error similar to the following may be returned:
{
"result": null,
"success": false,
"errors": [
{
"code": 1004,
"message": "DNS Validation Error",
"error_chain": [
{
"code": 9999,
"message": "This is an example."
}
]
}
],
"messages": []
}
After October 1st, 2024, the error_chain
will be omitted, returning the root cause directly without wrapping it in another "DNS Validation Error" error:
{
"result": null,
"success": false,
"errors": [
{
"code": 9999,
"message": "This is an example."
}
],
"messages": []
}
Deprecation date: September 13, 2024
The dedicated endpoints for DNS settings use_apex_ns
and secondary_overrides
are being deprecated.
Instead, use the Show DNS Settings and Update DNS Settings endpoints to manage these settings.
- Instead of the
.../use_apex_ns
endpoint, use themulti_provider
field. - Instead of the
.../secondary_overrides
endpoint, use thesecondary_overrides
field.
Deprecated APIs:
GET /zones/:zone_id/dns_settings/use_apex_ns
PATCH /zones/:zone_id/dns_settings/use_apex_ns
GET /zones/:zone_id/dns_settings/secondary_overrides
PATCH /zones/:zone_id/dns_settings/secondary_overrides
Deprecation date: August 15, 2024
The Brotli setting and its API endpoints are deprecated. Brotli compression is available for all non-Enterprise zones, and it will be extended to Enterprise zones in the coming year.
Deprecated APIs:
GET /zones/:zone_id/settings/brotli
PATCH /zones/:zone_id/settings/brotli
Enterprise customers can override Cloudflare's default compression behavior using Compression Rules.
Deprecation date: August 5, 2024
The Auto Minify API endpoints are deprecated since the Auto Minify feature was deprecated.
Deprecated APIs:
GET /zones/:zone_id/settings/minify
PATCH /zones/:zone_id/settings/minify
Deprecation date: July 14, 2024
The "locked"
field of DNS records in API responses is unused and has been guaranteed to always be false
for more than a year. This deprecation means that the field will be omitted from API responses entirely. If received from a client, the field will continue to be ignored, just as it is today.
Modified API:
GET /zones/:zone_id/dns_records
POST /zones/:zone_id/dns_records
GET /zones/:zone_id/dns_records/:dns_record_id
PATCH /zones/:zone_id/dns_records/:dns_record_id
PUT /zones/:zone_id/dns_records/:dns_record_id
Deprecation date: June 30, 2024
This endpoint and its related APIs are deprecated in favor of Single Redirects. Refer to Perform mobile redirects to migrate Mobile Redirect to Redirect Rules.
Deprecated API:
GET /zones/:zone_identifier/settings/mobile_redirect
PATCH /zones/:zone_identifier/settings/mobile_redirect
Replacement: Single Redirects
Deprecation date: June 14, 2024
The Server-side Excludes feature and its API endpoints are deprecated.
Deprecated APIs:
GET /zones/:zone_id/settings/server_side_exclude
PATCH /zones/:zone_id/settings/server_side_exclude
Deprecation date: May 31, 2024
The name of an SRV record normally consists of three parts: the service (e.g., _xmpp
), the protocol (e.g., _tcp
), and the base name (example.com
).
The complete name would then be, e.g., _xmpp._tcp.example.com
.
When interacting with DNS records through the API, SRV records contain both a full name
as well as a data
map containing the individual components of the name:
{
"name": "_xmpp._tcp.example.com",
"data": {
"service": "_xmpp",
"proto": "_tcp",
"name": "example.com",
...
},
...
}
We are deprecating the service
, proto
and name
fields within the data
map in favor of the name
field outside the data map, which is the same name field that's used by all other record types.
Before the end of life date, please ensure that:
- when reading SRV records, you use only the
name
outside of the data map and ignoreservice
,proto
andname
within the data map if they exist; and - when writing SRV records, you set the
name
outside of the data map and do not setservice
,proto
orname
within the data map.
After the end of life date, the API will stop producing the service
, proto
and name
data fields, and if any of them are received from a client, an error will be returned.
This deprecation does not affect other SRV data fields not mentioned above (priority
, weight
, port
, target
) or data fields for any other record type other than SRV.
Modified API:
GET /zones/:zone_id/dns_records
POST /zones/:zone_id/dns_records
GET /zones/:zone_id/dns_records/:dns_record_id
PATCH /zones/:zone_id/dns_records/:dns_record_id
PUT /zones/:zone_id/dns_records/:dns_record_id
Deprecation date: March 31, 2024
In 2017, Cloudflare announced support for Privacy Pass, a recent protocol to let users prove their identity across multiple sites anonymously without enabling tracking. The initial use case was to provide untraceable tokens to sites to vouch for users who might otherwise have been presented with a CAPTCHA challenge. In the time since this release, Privacy Pass has evolved both at the IETF and within Cloudflare. The version announced in 2017 is now considered legacy, and these legacy Privacy Pass tokens are no longer supported as an alternative to Cloudflare challenges. As has been discussed on our blog The end road for CAPTCHA, Cloudflare uses a variety of signals to infer if incoming traffic is likely automated. The (legacy) Privacy Pass zone setting is no longer meaningful to Cloudflare customers as Cloudflare now operates CAPTCHA free, and supports the latest Privacy Pass draft.
In September 2023, support for legacy Privacy Pass tokens as an alternative to Cloudflare Managed Challenge was removed. By the end of March 2024, the current public-facing API will be removed as well.
Deprecated API:
GET zones/:zone_identifier/settings/privacy_pass
POST zones/:zone_identifier/settings/privacy_pass
Deprecation date: February 4, 2024
This endpoint and its related APIs are deprecated in favor of the Cloudflare Tunnels equivalent APIs.
Deprecated API:
GET accounts/:account_identifier/tunnels
POST accounts/:account_identifier/tunnels
GET accounts/:account_identifier/tunnels/:tunnel_id
DELETE accounts/:account_identifier/tunnels/:tunnel_id
Replacement: Cloudflare Tunnel API
Deprecation date: July 1, 2023
Back in 2016, Cloudflare introduced support for ChaCha20-Poly1305
cipher suites for TLS 1.2. At the time, we introduced two variants of these new suites, the "standard" suites as defined by the IETF RFC 7905, and "draft" suites that followed an earlier draft of said specification. The draft suites were added for compatibility with some older Android devices that at the time did not yet support the proper ChaCha20-Poly1305
standard versions. This was in 2016, and in the meantime the standard ChaCha20-Poly1305
cipher suites have gained much wider adoption, to the point were traffic using the old suites has dropped significantly. Due to the current low usage and the non-standard nature of these cipher suites, we are now deprecating their support on the Cloudflare network.
This should not affect customer zones in any way, as clients that might currently use these cipher suites will be able to fallback to different ones. In addition, unlike the standard variants, these legacy cipher suites are not exposed directly through our API (e.g. through the TLS cipher suites preferences endpoint), and their deprecation will not affect customer configurations in any way.
As of July 1st, 2023, the ChaCha20-Poly1305 ciphers have been deprecated and are deemed End of Life by Cloudflare. If you have clients that currently rely on these ciphers, it is strongly recommended to upgrade them to newer, more secure ciphers. Be aware that these deprecated ciphers will be completely removed in the first quarter of 2024, and requests using them will start to fail. Take proactive measures to ensure a smooth transition and maintain the security of your systems.
Deprecation date: July 1, 2023
Previously, RFC 2616 allowed the use of Transfer-Encoding
and Content-Length
HTTP headers in the same request. RFC 7230 supersedes RFC 2616 and prohibits the use of Transfer-Encoding
and Content-Length
headers in the same request because they can cause HTTP request smuggling vulnerabilities.
Starting on July 1st, 2023, Cloudflare will decline requests with both Transfer-Encoding
and Content-Length
HTTP headers.
Deprecation date: June 6, 2023
There is no API replacement for these endpoints. As an alternative, please log in to your Cloudflare account to view your:
Deprecated API:
GET accounts/{account_identifier}/billing/profile
GET user/billing/profile
GET user/billing/history
Deprecation date: April 3, 2023
This field is deprecated and has been moved to Cloudflare centralized notification service.
notification_email
is the email address to send health status notifications to. This can be an individual mailbox or a mailing list. Multiple emails can be supplied as a comma delimited list.
Deprecation date: March 19, 2023
This endpoint is deprecated in favor of using a specialized Access Application App Type API.
Deprecated API:
GET accounts/:identifier/access/bookmarks
GET accounts/:identifier/access/bookmarks/:uuid
POST accounts/:identifier/access/bookmarks/:uuid
PUT accounts/:identifier/access/bookmarks/:uuid
DELETE accounts/:identifier/access/bookmarks/:uuid
Replacement: Access applications app type API
Deprecation date: October 11, 2022
Replace script_monitor
in Page Shield API routes with page_shield
.
Deprecation date: July 1, 2022
This endpoint is deprecated in favor of using v2, which allows you to control metadata, define an access policy, and get the image ID.
Deprecated API:
POST accounts/:account_identifier/images/v1/direct_upload
Replacement:
POST accounts/:account_identifier/images/v2/direct_upload
Deprecation date: March 1, 2021
This API is deprecated in favor of the GraphQL Analytics API, which provides equivalent data and more features, including the ability to select only the metrics that you need. For more information, refer to the Zone analytics to GraphQL analytics migration guide.
Deprecated API:
GET zones/:zone_identifier/analytics/dashboard
GET zones/:zone_identifier/analytics/colos
Replacement: GraphQL Analytics API
Deprecation date: April 2, 2020
This endpoint and its related APIs are deprecated in favor of the /accounts
equivalent API, which has a broader range of features and is backwards compatible with the /organizations
API.
Deprecated API:
GET organizations/:identifier
PATCH organizations/:identifier
GET organizations/:organization_identifier/invites
POST organizations/:organization_identifier/invites
GET organizations/:organization_identifier/invites/:identifier
PATCH organizations/:organization_identifier/invites/:identifier
DELETE organizations/:organization_identifier/invites/:identifier
GET organizations/:organization_identifier/members
GET organizations/:organization_identifier/members/:identifier
PATCH organizations/:organization_identifier/members/:identifier
DELETE organizations/:organization_identifier/members/:identifier
GET organizations/:organization_identifier/roles
GET organizations/:organization_identifier/roles/:identifier
GET organizations/:organization_identifier/audit_logs
GET organizations/:organization_identifier/railguns
POST organizations/:organization_identifier/railguns
GET organizations/:organization_identifier/railguns/:identifier
PATCH organizations/:organization_identifier/railguns/:identifier
DELETE organizations/:organization_identifier/railguns/:identifier
GET organizations/:organization_identifier/railguns/:identifier/zones
Replacement: Accounts API