Create your OAuth client
To create an OAuth client, you must have one of these roles for the associated account: Super Administrator, Administrator, or OAuth Client Write.
- Log in to the Cloudflare dashboard.
- Select your account.
- Go to Manage Account > OAuth clients.
- Select Create client.
- Enter the required configuration details:
  - Client name
  - Response type
  - Grant type
  - Token authentication method
  - Redirect URLs
- Optional: Add non-required fields.
- Select Continue and define the scopes required for your client.
- Select Create client.
- Save your Client ID and Client Secret in a secure location.
To create OAuth clients with the Cloudflare API, create an API token with the OAuth Clients Write permission.
```sh
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_TOKEN" \
  -d '{
    "client_name": "Cloudflare OAuth Client",
    "grant_types": ["authorization_code"],
    "redirect_uris": ["https://example.com/oauth/callback"],
    "scopes": ["workers-platform.read"],
    "post_logout_redirect_uris": ["https://example.com/logout"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "client_secret_basic",
    "logo_uri": "https://example.com/logo.png",
    "policy_uri": "https://example.com/policy",
    "tos_uri": "https://example.com/tos",
    "client_uri": "https://example.com",
    "allowed_cors_origins": ["https://example.com"]
  }'
```

OAuth scope names correspond to Cloudflare API token permission names. Use the Cloudflare API documentation to identify the permissions your client needs.
When you create or edit an OAuth client, all available scopes are displayed. Search for and select the scopes required for your client.
Fetch the available scopes from the API. Use the scope ID when you create a client through the API.
```sh
curl "https://api.cloudflare.com/client/v4/oauth/scopes" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_TOKEN"
```

Cloudflare OAuth clients support the OAuth 2.0 Authorization Code flow.
Cloudflare does not support Client Credentials, Implicit, Resource Owner Password Credentials, Device Authorization, or other OAuth grant types for third-party clients.
Use the following guidance to choose an OAuth flow:
| Client type | Flow | Token endpoint authentication | PKCE |
|---|---|---|---|
| Server-side web app or backend service | Authorization Code with a client secret | client_secret_basic or client_secret_post | Optional/not required |
| Browser-based, mobile, desktop, or CLI app | Authorization Code with PKCE | none | Required, S256 |
The Authorization Code flow is intended for secure server-side applications that can protect a client secret from exposure.
- Use when: Your OAuth client is a server-side web application or backend service.
- How it works: Your client redirects the user to the authorization page. After authorization, Cloudflare returns an authorization code to your backend. Your backend exchanges the code and client secret for an access token.
- Security note: Never expose your client secret in client-side code or embed it in mobile client binaries.
Proof Key for Code Exchange (PKCE) extends the Authorization Code flow for public clients, such as mobile or single-page apps, where a client secret cannot be securely stored.
- Use when: Your OAuth client is a single-page, mobile, desktop, or CLI application.
- How it works: Your application generates a unique code verifier and code challenge for every login request instead of using a static client secret.
- Security note: Clients that use PKCE do not need a client secret.
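The following is an added example, not Cloudflare's code, that ties the table above to the PKCE section: it generates an RFC 7636 code verifier and S256 challenge, and builds the token-exchange parameters for each token_endpoint_auth_method (client_secret_basic, client_secret_post, or none with PKCE). The token endpoint URL is not assumed; the function only returns the headers and form body a client would send.

```python
# Added example, not Cloudflare's code: PKCE per RFC 7636 and the token
# exchange parameters for the two client types in the table above.
import base64
import hashlib
import secrets
from urllib.parse import quote


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Fresh high-entropy verifier for one login (43..128 chars of [A-Za-z0-9-._~])."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge = base64url(sha256(ascii(verifier))); sent with the authorization request."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def token_request(client_id, code, redirect_uri, auth_method="none",
                  client_secret=None, code_verifier=None):
    """Return (headers, form) for the authorization_code exchange.

    auth_method mirrors token_endpoint_auth_method: client_secret_basic or
    client_secret_post for confidential clients, none for public PKCE clients.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}
    if auth_method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif auth_method == "client_secret_post":
        form["client_secret"] = client_secret
    elif auth_method == "none":
        # Public client: no secret exists; the verifier proves the same party
        # that started the login is finishing it.
        if client_secret:
            raise ValueError("public clients must not hold a client secret")
        if not code_verifier:
            raise ValueError("public clients must send the PKCE code_verifier")
        form["code_verifier"] = code_verifier
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")
    return headers, form
```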
New OAuth clients default to private visibility. Private clients can only be authorized by members of the parent Cloudflare account. Public clients allow authorization from any Cloudflare user.
Before you make a client public, complete the required actions and populate the required fields.
- Client name
- Logo
- Client URL
- Scopes
OAuth clients must complete domain verification for the client URL before they can be made public.
To change the visibility of a client in the dashboard:
- Go to Manage Account > OAuth clients.
- Open the action menu for your client.
- Select Change Visibility.

To change the visibility with the API:

```sh
curl -X PATCH "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_TOKEN" \
  -d '{ "visibility": "public" }'
```

Cloudflare requires client URL domain ownership verification before a client can become public. If your client is only for private use by members of the account, domain ownership verification is not required.
Copy the verification code and create a TXT record in your DNS configuration with that value. The record must include all text, including the cloudflare_oauth_client_publisher= prefix.
Cloudflare polls this DNS record until it is found or until the request times out after two days.
If the verification process times out, select Restart verification in the client action menu.
To restart a failed or timed out verification, send a PATCH request with the existing client_uri unchanged.
```sh
curl -X PATCH "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_TOKEN" \
  -d '{ "client_uri": "https://example.com" }'
```

Each client can have two secrets. This lets you create a new secret, update your client to use the new secret, and then delete the old secret.

To rotate a client secret in the dashboard:
- Go to Manage Account > OAuth clients.
- Open the action menu for your client.
- Select Rotate client secret.
- Save the new secret in a secure location.
- After your client uses the new secret, delete the old secret.
To check whether a client is in the middle of a secret rotation, look for has_rotated_secret in the GET response. If the value is true, delete the old secret before you create another secret.
To create the new secret:

```sh
curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID/rotate_secret" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_TOKEN"
```

To delete the old secret after your client has switched to the new one:

```sh
curl -X DELETE "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID/rotate_secret" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $API_TOKEN"
```