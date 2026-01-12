 Skip to content
Roll back per-hostname AOP

If you need to disable or remove your per-hostname Authenticated Origin Pulls configuration, follow these steps.

  1. Use a PUT request to disable Authenticated Origin Pulls on the hostname.

    Required API token permissions

     At least one of the following token permissions is required:
    • SSL and Certificates Write
    Enable or Disable a Hostname for Client Authentication
    curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames" \
      --request PUT \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      --json '{
        "config": [
            {
                "enabled": false,
                "cert_id": "<CERT_ID>",
                "hostname": "<YOUR_HOSTNAME>"
            }
        ]
      }'

  2. (Optional) Use a GET request to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.

    Required API token permissions

     At least one of the following token permissions is required:
    • SSL and Certificates Write
    • SSL and Certificates Read
    List Certificates
    curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames/certificates" \
      --request GET \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

  3. Use the Delete hostname client certificate endpoint to remove the certificate you had uploaded.

    Required API token permissions

     At least one of the following token permissions is required:
    • SSL and Certificates Write
    Delete Hostname Client Certificate
    curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames/certificates/$CERTIFICATE_ID" \
      --request DELETE \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"