API token permissions

Permissions are segmented into three categories based on resource:

  • Zone permissions
  • Account permissions
  • User permissions

Each category contains permission groups related to those resources. DNS permissions belong to the Zone category, while Billing permissions belong to the Account category. Below is a list of the available token permissions.

To obtain an updated list of token permissions, including the permission ID and the scope of each permission, use the List permission groups endpoint.

User permissions

The applicable scope of user permissions is com.cloudflare.api.user.

| Name | Description |
| --- | --- |
| API Tokens Read | Grants read access to user’s API tokens. |
| API Tokens Edit | Grants write access to user’s API tokens. |
| Memberships Read | Grants read access to a user’s account memberships. |
| Memberships Edit | Grants write access to a user’s account memberships. |
| User Details Read | Grants read access to user details. |
| User Details Edit | Grants write access to user details. |

Account permissions

The applicable scope of account permissions is com.cloudflare.api.account.

| Name | Description |
| --- | --- |
| Access: Apps and Policies Read | Grants read access to Cloudflare Access account resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to Cloudflare Access account resources. |
| Access: Apps and Policies Edit | Grants write access to Cloudflare Access account resources. |
| Access: Audit Logs Read | Grants read access to Cloudflare Access audit logs. |
| Access: Certificates Read | Grants read access to Cloudflare Access mTLS certificates. |
| Access: Certificates Edit | Grants write access to Cloudflare Access mTLS certificates. |
| Access: Device Posture Read | Grants read access to Cloudflare Access Device Posture. |
| Access: Device Posture Edit | Grants write access to Cloudflare Access Device Posture. |
| Access: Organizations, Identity Providers, and Groups Read | Grants read access to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to revoke user sessions to Cloudflare Access account resources. |
| Access: Organizations, Identity Providers, and Groups Edit | Grants write access to Cloudflare Access account resources. |
| Access: Service Tokens Read | Grants read access to Cloudflare Access Service Tokens. |
| Access: Service Tokens Edit | Grants write access to Cloudflare Access Service Tokens. |
| Account Analytics Read | Grants read access to analytics. |
| Account Firewall Access Rules Read | Grants read access to account firewall access rules. |
| Account Firewall Access Rules Edit | Grants write access to account firewall access rules. |
| Account Rule Lists Read | Grants read access to Rule Lists. |
| Account Rule Lists Edit | Grants write access to Rule Lists. |
| Account Rulesets Read | Grants read access to Account Rulesets. |
| Account Rulesets Edit | Grants write access to Account Rulesets. |
| Account Settings Read | Grants read access to Account resources, account membership, and account level features. |
| Account Settings Edit | Grants write access to Account resources, account membership, and account level features. |
| Account WAF Read | Grants read access to Account WAF. |
| Account WAF Edit | Grants write access to Account WAF. |
| Billing Read | Grants read access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Billing Edit | Grants write access to billing profile, subscriptions, and access to fetch invoices and entitlements. |
| Cloudflare Pages Read | Grants access to view Cloudflare Pages projects. |
| Cloudflare Pages Edit | Grants access to create, edit and delete Cloudflare Pages projects. |
| Cloudflare Tunnel Read | Grants access to view Cloudflare Tunnels. |
| Cloudflare Tunnel Edit | Grants access to create and delete Cloudflare Tunnels. |
| DDoS Protection Read | Grants read access to DDoS protection. |
| DDoS Protection Edit | Grants write access to DDoS protection. |
| DNS Firewall Read | Grants read access to DNS Firewall. |
| DNS Firewall Edit | Grants write access to DNS Firewall. |
| IP Prefixes: BGP On Demand Read | Grants access to read IP prefix BGP configuration. |
| IP Prefixes: BGP On Demand Edit | Grants access to read and change IP prefix BGP configuration. |
| IP Prefixes: Read | Grants access to read IP prefix settings. |
| IP Prefixes: Edit | Grants access to read/write IP prefix settings. |
| Images Read | Grants read access to Images. |
| Images Edit | Grants write access to upload Images. |
| L4 DDoS Managed Ruleset Read | Grants read access to L4 DDoS managed ruleset. |
| L4 DDoS Managed Ruleset Edit | Grants write access to L4 DDoS managed ruleset. |
| Load Balancing: Monitors and Pools Read | Grants read access to account level load balancer resources. |
| Load Balancing: Monitors and Pools Edit | Grants write access to account level load balancer resources. |
| Logs Read | Grants read access to logs using Logpull or Instant Logs. |
| Logs Edit | Grants read and write access to Logpull, Logpush and Instant Logs. |
| Magic Firewall Packet Captures - Read PCAPs API | Grants read access to Packet Captures. |
| Magic Firewall Packet Captures - Edit PCAPs API | Grants write access to Packet Captures. |
| Magic Firewall Read | Grants read access to Magic Firewall. |
| Magic Firewall Edit | Grants write access to Magic Firewall. |
| Magic Transit Prefix Read | Grants read access to manage a user’s Magic Transit prefixes. |
| Magic Transit Prefix Edit | Grants write access to manage a user’s Magic Transit prefixes. |
| Bulk URL Redirects Read | Grants read access to Bulk URL Redirects. |
| Bulk URL Redirects Edit | Grants write access to Bulk URL Redirects. |
| Rule Policies Read | Grants read access to Rule Policies. |
| Rule Policies Edit | Grants write access to Rule Policies. |
| Stream Read | Grants read access to Cloudflare Stream. |
| Stream Edit | Grants write access to Cloudflare Stream. |
| Teams Read | Grants read access to teams. |
| Teams Report | Grants reporting access to teams. |
| Teams Edit | Grants write access to teams. |
| Transform Rules Read | Grants read access to Transform Rules. |
| Transform Rules Edit | Grants write access to Transform Rules. |
| Workers KV Storage Read | Grants read access to Cloudflare Workers KV Storage. |
| Workers KV Storage Edit | Grants write access to Cloudflare Workers KV Storage. |
| Workers R2 Storage Read | Grants read access to Cloudflare R2 Storage. |
| Workers R2 Storage Edit | Grants write access to Cloudflare R2 Storage. |
| Workers Scripts Read | Grants read access to Cloudflare Workers scripts. |
| Workers Scripts Edit | Grants write access to Cloudflare Workers scripts. |
| Workers Tail Read | Grants wrangler tail read permissions. |

Zone permissions

The applicable scope of zone permissions is com.cloudflare.api.account.zone.

| Name | Description |
| --- | --- |
| API Gateway Read | Grants read access to API Gateway zone resources. |
| API Gateway Edit | Grants write access to API Gateway zone resources. |
| Access: Apps and Policies Read | Grants read access to Cloudflare Access zone resources. |
| Access: Apps and Policies Revoke | Grants ability to revoke all tokens to Cloudflare Access zone resources. |
| Access: Apps and Policies Edit | Grants write access to Cloudflare Access zone resources. |
| Analytics Read | Grants read access to analytics. |
| Apps Edit | Grants full access to Cloudflare Apps. |
| Bot Management Read | Grants read access to Bot Management. |
| Bot Management Edit | Grants write access to Bot Management. |
| Cache Purge | Grants access to purge cache. |
| DNS Read | Grants read access to DNS. |
| DNS Write | Grants write access to DNS. |
| Dynamic Redirect Read | Grants read access to zone-level Single Redirects. |
| Dynamic Redirect Edit | Grants write access to zone-level Single Redirects. |
| Email Routing Rules Read | Grants read access to Email Routing Rules. |
| Email Routing Rules Edit | Grants write access to Email Routing Rules. |
| Firewall Services Read | Grants read access to Firewall resources. |
| Firewall Services Edit | Grants write access to Firewall resources. |
| HTTP DDoS Managed Ruleset Read | Grants read access to HTTP DDoS managed ruleset. |
| HTTP DDoS Managed Ruleset Edit | Grants write access to HTTP DDoS managed ruleset. |
| Health Checks Read | Grants read access to Health Checks. |
| Health Checks Edit | Grants write access to Health Checks. |
| Load Balancers Read | Grants read access to load balancers and associated resources. |
| Load Balancers Edit | Grants write access to load balancers and associated resources. |
| Logs Read | Grants read access to logs using Logpull. |
| Logs Edit | Grants read and write access to Logpull and Logpush. |
| Origin Read | Grants read access to Origin Rules. |
| Origin Edit | Grants write access to Origin Rules. |
| Page Rules Read | Grants read access to Page Rules. |
| Page Rules Edit | Grants write access to Page Rules. |
| SSL and Certificates Read | Grants read access to SSL configuration and certificate management. |
| SSL and Certificates Edit | Grants write access to SSL configuration and certificate management. |
| Sanitize Read | Grants read access to sanitization. |
| Sanitize Edit | Grants write access to sanitization. |
| Waiting Room Read | Grants read access to Waiting Room. |
| Waiting Room Edit | Grants write access to Waiting Room. |
| Web3 Hostnames Read | Grants read access to Web3 Hostnames. |
| Web3 Hostnames Edit | Grants write access to Web3 Hostnames. |
| Workers Routes Read | Grants read access to Cloudflare Workers and Workers KV Storage. |
| Workers Routes Edit | Grants write access to Cloudflare Workers and Workers KV Storage. |
| Zaraz Settings Read | Grants read access to Zaraz zone level settings. |
| Zaraz Settings Edit | Grants write access to Zaraz zone level settings. |
| Zone Read | Grants read access to zone management. |
| Zone Edit | Grants write access to zone management. |
| Zone Settings Read | Grants read access to zone settings. |
| Zone Settings Edit | Grants write access to zone settings. |
| Transform Rules Read | Grants read access to Transform Rules at zone level. |
| Transform Rules Edit | Grants write access to Transform Rules at zone level. |
| Zone WAF Read | Grants read access to Zone WAF. |
| Zone WAF Edit | Grants write access to Zone WAF. |