API token permissions

Permissions are segmented into three categories based on resource:

  • Zone permissions
  • Account permissions
  • User permissions

Each category contains permission groups related to those resources. DNS permissions belong to the Zone category, while Billing permissions belong to the Account category. Below is a list of the available token permissions.

To obtain an updated list of token permissions, including the permission ID and the scope of each permission, use the List permission groups endpoint.

User permissions

The applicable scope of user permissions is com.cloudflare.api.user.

| Name | Description |
| --- | --- |
| API Tokens Read | Grants read access to user's API tokens. |
| API Tokens Edit | Grants write access to user's API tokens. |
| Memberships Read | Grants read access to a user's account memberships. |
| Memberships Edit | Grants write access to a user's account memberships. |
| User Details Read | Grants read access to user details. |
| User Details Edit | Grants write access to user details. |

Account permissions

The applicable scope of account permissions is com.cloudflare.api.account.

| Name | Description |
| --- | --- |
| Access: Apps and Policies Read | Grants read access to Cloudflare Access account resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to Cloudflare Access account resources. |
| Access: Apps and Policies Edit | Grants write access to Cloudflare Access account resources. |
| Access: Audit Logs Read | Grants read access to Cloudflare Access audit logs. |
| Access: Custom Pages Read | Grants read access to Cloudflare Access Custom Pages. |
| Access: Custom Pages Edit | Grants write access to Cloudflare Access Custom Pages. |
| Access: Device Posture Read | Grants read access to Cloudflare Access Device Posture. |
| Access: Device Posture Edit | Grants write access to Cloudflare Access Device Posture. |
| Access: Mutual TLS Certificates Read | Grants read access to Cloudflare Access mTLS certificates. |
| Access: Mutual TLS Certificates Edit | Grants write access to Cloudflare Access mTLS certificates. |
| Access: Organizations, Identity Providers, and Groups Read | Grants read access to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Edit | Grants write access to Cloudflare Access account resources. |
| Access: Service Tokens Read | Grants read access to Cloudflare Access Service Tokens. |
| Access: Service Tokens Edit | Grants write access to Cloudflare Access Service Tokens. |
| Access: SSH Auditing Read | Grants read access to SSH Auditing. |
| Access: SSH Auditing Edit | Grants write access to SSH Auditing. |
| Account Analytics Read | Grants read access to account analytics. |
| Account Custom Pages Read | Grants read access to account-level Custom Pages. |
| Account Custom Pages Edit | Grants write access to account-level Custom Pages. |
| Account Filter Lists Read | Grants read access to Account Filter Lists. |
| Account Filter Lists Edit | Grants write access to Account Filter Lists. |
| Account Firewall Access Rules Read | Grants read access to account firewall access rules. |
| Account Firewall Access Rules Edit | Grants write access to account firewall access rules. |
| Account Rulesets Read | Grants read access to Account Rulesets. |
| Account Rulesets Edit | Grants write access to Account Rulesets. |
| Account Settings Read | Grants read access to Account resources, account membership, and account level features. |
| Account Settings Edit | Grants write access to Account resources, account membership, and account level features. |
| Account: SSL and Certificates Read | Grants read access to SSL and Certificates. |
| Account: SSL and Certificates Edit | Grants write access to SSL and Certificates. |
| Account WAF Read | Grants read access to Account WAF. |
| Account WAF Edit | Grants write access to Account WAF. |
| Address Maps Edit | Grants write access to Address Maps. |
| Address Maps Read | Grants read access to Address Maps. |
| Allow Request Tracer Read | Grants read access to Request Tracer. |
| API Gateway Read | Grants read access to API Gateway (including API Shield) for all domains in an account. |
| API Gateway Edit | Grants write access to API Gateway (including API Shield) for all domains in an account. |
| Billing Read | Grants read access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Billing Edit | Grants write access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Bulk URL Redirects Read | Grants read access to Bulk URL Redirects. |
| Bulk URL Redirects Edit | Grants write access to Bulk URL Redirects. |
| China Network Steering Read | Grants read access to China Network Steering. |
| China Network Steering Edit | Grants write access to China Network Steering. |
| Cloudchamber Read | Grants read access to Cloudchamber deployments. |
| Cloudchamber Edit | Grants write access to Cloudchamber deployments. |
| Cloudflare Calls Read | Grants read access to Cloudflare Calls. |
| Cloudflare Calls Edit | Grants write access to Cloudflare Calls. |
| Cloudflare DEX Read | Grants read access to Digital Experience Monitoring. |
| Cloudflare DEX Edit | Grants write access to Digital Experience Monitoring. |
| Cloudflare Images Read | Grants read access to Cloudflare Images. |
| Cloudflare Images Edit | Grants write access to Cloudflare Images. |
| Cloudflare One Connector: cloudflared Read | Grants read access to cloudflared Connectors. |
| Cloudflare One Connector: cloudflared Edit | Grants write access to cloudflared Connectors. |
| Cloudflare One Connector: WARP Read | Grants read access to Warp Connectors. |
| Cloudflare One Connector: WARP Edit | Grants write access to Warp Connectors. |
| Cloudflare One Connectors Read | Grants read access to Cloudflare One Connectors. |
| Cloudflare One Connectors Edit | Grants write access to Cloudflare One Connectors. |
| Cloudflare One Networks Read | Grants read access to Cloudflare One Networks. |
| Cloudflare One Networks Edit | Grants write access to Cloudflare One Networks. |
| Cloudflare Pages Read | Grants access to view Cloudflare Pages projects. |
| Cloudflare Pages Edit | Grants access to create, edit and delete Cloudflare Pages projects. |
| Cloudflare Tunnel Read | Grants access to view Cloudflare Tunnels. |
| Cloudflare Tunnel Edit | Grants access to create and delete Cloudflare Tunnels. |
| Cloudforce One Read | Grants read access to Cloudforce One. |
| Cloudforce One Edit | Grants write access to Cloudforce One. |
| Cloud Email Security Read | Grants read access to Cloud Email Security. |
| Email Security Edit | Grants write access to Email Security. |
| Constellation Read | Grants read access to Constellation. |
| Constellation Edit | Grants write access to Constellation. |
| D1 Read | Grants read access to D1. |
| D1 Edit | Grants write access to D1. |
| DDoS Botnet Feed Read | Grants read access to Botnet Feed reports. |
| DDoS Botnet Feed Edit | Grants write access to Botnet Feed configuration. |
| DDoS Protection Read | Grants read access to DDoS protection. |
| DDoS Protection Edit | Grants write access to DDoS protection. |
| DNS Firewall Read | Grants read access to DNS Firewall. |
| DNS Firewall Edit | Grants write access to DNS Firewall. |
| Email Routing Addresses Read | Grants read access to Email Routing Addresses. |
| Email Routing Addresses Edit | Grants write access to Email Routing Addresses. |
| Hyperdrive Read | Grants read access to Hyperdrive. |
| Hyperdrive Edit | Grants write access to Hyperdrive. |
| Intel Read | Grants read access to Intel. |
| Intel Edit | Grants write access to Intel. |
| Integration Edit | Grants write access to integrations. |
| IOT Read | Grants read access to IOT. |
| IOT Edit | Grants write access to IOT. |
| IP Prefixes: Read | Grants access to read IP prefix settings. |
| IP Prefixes: Edit | Grants access to read/write IP prefix settings. |
| IP Prefixes: BGP On Demand Read | Grants access to read IP prefix BGP configuration. |
| IP Prefixes: BGP On Demand Edit | Grants access to read and change IP prefix BGP configuration. |
| L3/4 DDoS Managed Ruleset Read | Grants read access to L3/4 DDoS managed ruleset. |
| L3/4 DDoS Managed Ruleset Edit | Grants write access to L3/4 DDoS managed ruleset. |
| Load Balancing: Monitors and Pools Read | Grants read access to account level load balancer resources. |
| Load Balancing: Monitors and Pools Edit | Grants write access to account level load balancer resources. |
| Logs Read | Grants read access to logs using Logpull or Instant Logs. |
| Logs Edit | Grants read and write access to Logpull, Logpush, and Instant Logs. |
| Magic Firewall Read | Grants read access to Magic Firewall. |
| Magic Firewall Edit | Grants write access to Magic Firewall. |
| Magic Firewall Packet Captures - Read PCAPs API | Grants read access to Packet Captures. |
| Magic Firewall Packet Captures - Edit PCAPs API | Grants write access to Packet Captures. |
| Magic Network Monitoring Read | Grants read access to Magic Network Monitoring. |
| Magic Network Monitoring Edit | Grants write access to Magic Network Monitoring. |
| Magic Transit Read | Grants read access to manage a user's Magic Transit prefixes. |
| Magic Transit Edit | Grants write access to manage a user's Magic Transit prefixes. |
| Notifications Read | Grants read access to Notifications. |
| Notifications Edit | Grants write access to Notifications. |
| Page Shield Read | Grants read access to Page Shield. |
| Page Shield Edit | Grants write access to Page Shield. |
| Pipelines Read | Grants read access to Cloudflare Pipelines. |
| Pipelines Edit | Grants write access to Cloudflare Pipelines. |
| Pub/Sub Read | Grants read access to Pub/Sub. |
| Pub/Sub Edit | Grants write access to Pub/Sub. |
| Queues Read | Grants read access to Queues. |
| Queues Edit | Grants write access to Queues. |
| Rule Policies Read | Grants read access to Rule Policies. |
| Rule Policies Edit | Grants write access to Rule Policies. |
| Stream Read | Grants read access to Cloudflare Stream. |
| Stream Edit | Grants write access to Cloudflare Stream. |
| Transform Rules Read | Grants read access to Transform Rules. |
| Transform Rules Edit | Grants write access to Transform Rules. |
| Turnstile Read | Grants read access to Turnstile. |
| Turnstile Edit | Grants write access to Turnstile. |
| URL Scanner Read | Grants read access to URL Scanner. |
| URL Scanner Edit | Grants write access to URL Scanner. |
| Vectorize Read | Grants read access to Vectorize. |
| Vectorize Edit | Grants write access to Vectorize. |
| Workers AI Read | Grants read access to Workers AI. |
| Workers AI Edit | Grants write access to Workers AI. |
| Workers CI Read | Grants read access to Workers CI. |
| Workers CI Edit | Grants write access to Workers CI. |
| Workers KV Storage Read | Grants read access to Cloudflare Workers KV Storage. |
| Workers KV Storage Edit | Grants write access to Cloudflare Workers KV Storage. |
| Workers R2 Storage Read | Grants read access to Cloudflare R2 Storage. |
| Workers R2 Storage Edit | Grants write access to Cloudflare R2 Storage. |
| Workers Scripts Read | Grants read access to Cloudflare Workers scripts. |
| Workers Scripts Edit | Grants write access to Cloudflare Workers scripts. |
| Workers Tail Read | Grants wrangler tail read permissions. |
| Zero Trust Read | Grants read access to Cloudflare Zero Trust. |
| Zero Trust Report | Grants reporting access to Cloudflare Zero Trust. |
| Zero Trust Edit | Grants write access to Cloudflare Zero Trust. |
| Zero Trust PII Read | Grants read access to Cloudflare Zero Trust PII. |
| Zero Trust PII Edit | Grants write access to Cloudflare Zero Trust PII. |
| Zero Trust Seats Edit | Grants write access to the number of Zero Trust Seats your organization can use (and be billed for). |

Zone permissions

The applicable scope of zone permissions is com.cloudflare.api.account.zone.

| Name | Description |
| --- | --- |
| Access: Apps and Policies Read | Grants read access to Cloudflare Access zone resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to Cloudflare Access zone resources. |
| Access: Apps and Policies Edit | Grants write access to Cloudflare Access zone resources. |
| Analytics Read | Grants read access to analytics. |
| API Gateway Read | Grants read access to API Gateway zone resources. |
| API Gateway Edit | Grants write access to API Gateway zone resources. |
| Apps Edit | Grants full access to Cloudflare Apps. |
| Bot Management Read | Grants read access to Bot Management. |
| Bot Management Edit | Grants write access to Bot Management. |
| Bot Management Feedback Read | Grants read access to Bot Management feedback. |
| Bot Management Feedback Edit | Grants write access to Bot Management feedback. |
| Cache Purge | Grants access to purge cache. |
| Cache Rules Read | Grants read access to Cache Rules. |
| Cache Rules Edit | Grants write access to Cache Rules. |
| Cloud Connector Read | Grants read access to Cloud Connector rules. |
| Cloud Connector Edit | Grants write access to Cloud Connector rules. |
| Config Rules Read | Grants read access to Configuration Rules. |
| Config Rules Edit | Grants write access to Configuration Rules. |
| Custom Errors Read | Grants read access to Custom Errors Phase. |
| Custom Errors Edit | Grants write access to Custom Errors Phase. |
| Custom Error Rules Read | Grants read access to Custom Error Rules. |
| Custom Error Rules Edit | Grants write access to Custom Error Rules. |
| Custom Pages Read | Grants read access to Custom Pages. |
| Custom Pages Edit | Grants write access to Custom Pages. |
| DMARC Management Read | Grants read access to DMARC Management. |
| DMARC Management Edit | Grants write access to DMARC Management. |
| DNS Read | Grants read access to DNS. |
| DNS Write | Grants write access to DNS. |
| Email Routing Rules Read | Grants read access to Email Routing Rules. |
| Email Routing Rules Edit | Grants write access to Email Routing Rules. |
| Firewall Services Read | Grants read access to Firewall resources. |
| Firewall Services Edit | Grants write access to Firewall resources. |
| Health Checks Read | Grants read access to Health Checks. |
| Health Checks Edit | Grants write access to Health Checks. |
| HTTP DDoS Managed Ruleset Read | Grants read access to HTTP DDoS managed ruleset. |
| HTTP DDoS Managed Ruleset Edit | Grants write access to HTTP DDoS managed ruleset. |
| Load Balancers Read | Grants read access to load balancer resources. |
| Load Balancers Edit | Grants write access to load balancer resources. |
| Logs Read | Grants read access to logs using Logpull. |
| Logs Edit | Grants write access to Logpull and Logpush. |
| Managed Headers Read | Grants read access to Managed Headers. |
| Managed Headers Edit | Grants write access to Managed Headers. |
| Origin Rules Read | Grants read access to Origin Rules. |
| Origin Rules Edit | Grants write access to Origin Rules. |
| Page Rules Read | Grants read access to Page Rules. |
| Page Rules Edit | Grants write access to Page Rules. |
| Page Shield Read | Grants read access to Page Shield. |
| Page Shield Edit | Grants write access to Page Shield. |
| Response Compression Read | Grants read access to Response Compression. |
| Response Compression Edit | Grants write access to Response Compression. |
| Sanitize Read | Grants read access to sanitization. |
| Sanitize Edit | Grants write access to sanitization. |
| Single Redirect Read | Grants read access to zone-level Single Redirects. |
| Single Redirect Edit | Grants write access to zone-level Single Redirects. |
| SSL and Certificates Read | Grants read access to SSL configuration and certificate management. |
| SSL and Certificates Edit | Grants write access to SSL configuration and certificate management. |
| Transform Rules Read | Grants read access to Transform Rules. |
| Transform Rules Edit | Grants write access to Transform Rules. |
| Waiting Room Read | Grants read access to Waiting Room. |
| Waiting Room Edit | Grants write access to Waiting Room. |
| Web3 Hostnames Read | Grants read access to Web3 Hostnames. |
| Web3 Hostnames Edit | Grants write access to Web3 Hostnames. |
| Workers Routes Read | Grants read access to Cloudflare Workers and Workers KV Storage. |
| Workers Routes Edit | Grants write access to Cloudflare Workers and Workers KV Storage. |
| Zaraz Read | Grants read access to Zaraz zone level settings. |
| Zaraz Edit | Grants write access to Zaraz zone level settings. |
| Zone Read | Grants read access to zone management. |
| Zone Edit | Grants write access to zone management. |
| Zone Settings Read | Grants read access to zone settings. |
| Zone Settings Edit | Grants write access to zone settings. |
| Zone Versioning Read | Grants read access to Zone Versioning at zone level. |
| Zone Versioning Edit | Grants write access to Zone Versioning at zone level. |
| Zone WAF Read | Grants read access to Zone WAF. |
| Zone WAF Edit | Grants write access to Zone WAF. |