---
title: Cloudflare Fundamentals
description: Cloudflare is one of the world's largest connectivity cloud networks. Today, anyone with an Internet presence can have faster and more secure websites and applications thanks to Cloudflare. This includes bloggers, businesses, and even non-profits.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare Fundamentals

Cloudflare is one of the world's largest [connectivity cloud networks ↗](https://blog.cloudflare.com/welcome-to-connectivity-cloud). Today, anyone with an Internet presence can have faster and more secure websites and applications thanks to Cloudflare. This includes bloggers, businesses, and even non-profits.

Millions of Internet properties are on Cloudflare, and our network is growing by tens of thousands each day. Cloudflare powers Internet requests for millions of websites and serves 55 million HTTP requests per second on average.

Before you get started, we recommend reviewing [Concepts](https://developers.cloudflare.com/fundamentals/concepts/) to learn about key concepts related to using different Cloudflare products.

## Additional resources

Refer to the list below for additional Cloudflare resources.

* [Cloudflare blog ↗](https://blog.cloudflare.com)
* [Cloudflare's Go library ↗](https://github.com/cloudflare/cloudflare-go)
* [Cloudflare system status ↗](https://www.cloudflarestatus.com/)
* [Cloudflare Radar ↗](https://radar.cloudflare.com)
* [Cloudflare TV ↗](https://cloudflare.tv/schedule)
* [Terraform ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs)

---

---
title: Get started
description: Before you can begin using Cloudflare products, first create an account. If multiple people manage your Cloudflare account, set up member permissions to control which resources each person can access.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Get started

Before you can begin using Cloudflare products, first [create an account](https://developers.cloudflare.com/fundamentals/account/create-account/). If multiple people manage your Cloudflare account, [set up member permissions](https://developers.cloudflare.com/fundamentals/manage-members/) to control which resources each person can access.

## Learn about Cloudflare's offerings

### Build

**Build** is where developers create and deploy simple sites and full-stack applications on the [Workers compute platform](https://developers.cloudflare.com/workers/), and connect them to storage and database primitives like [KV](https://developers.cloudflare.com/kv/) (key-value data store), [D1](https://developers.cloudflare.com/d1/) (SQL database), [R2](https://developers.cloudflare.com/r2/) (object storage), [Queues](https://developers.cloudflare.com/queues/) (asynchronous messaging), [Durable Objects](https://developers.cloudflare.com/durable-objects/) (stateful coordination), and more.

Our compute, orchestration, AI, storage, media, and security services are integrated, so you can quickly extend existing apps or launch new ones while Cloudflare's global network takes care of infrastructure, scaling, and performance for you.

### Protect & Connect

**Protect & Connect** is where you establish fast and reliable connections between your websites, apps, and users, while protecting them from attackers and unwanted traffic.

Application security and performance focuses on resources available on the public Internet. Manage delivery performance by controlling and speeding up primarily [Layer 7 (Application) traffic](https://developers.cloudflare.com/fundamentals/reference/network-layers/), in addition to managing media such as video and images. Get started by [onboarding a domain](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).

Zero Trust protects private, internal users/devices and the resources they access. [Get started with Zero Trust](https://developers.cloudflare.com/cloudflare-one/setup/).

Network services extend protection and acceleration to cloud, on-premise, or hybrid networks, and you can also manage network connections and optimize Layer 3 (Network) and 4 (Transport) traffic. Get started with [Magic Transit](https://developers.cloudflare.com/magic-transit/) or [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) (formerly Magic WAN).

---

---
title: Organizations
description: Cloudflare Organizations simplify the way you manage multiple accounts, domains (also known as zones), and teams by centralizing this information in one location. You can also share configurations between accounts and view aggregate analytics.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Organizations

Cloudflare Organizations simplify the way you manage multiple accounts, domains (also known as zones), and teams by centralizing this information in one location. You can also share configurations between accounts and view aggregate analytics.

Note

Cloudflare Organizations is currently in closed beta.

## Create an Organization

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Select **Organizations**.
3. From the **Organizations** page, select **Create organization**.
4. Enter a name for the organization and select **Create**. The organization overview page displays.

Note

Users can only create one organization.

## Organization Overview

From the Organization overview, you can view which accounts are assigned to your organization. After you assign an account, you can view the account, copy an account's ID, or rename the account.

### Assign an account to an organization

After you create an organization, determine which accounts will be assigned to the organization.

1. From **Organization Overview**, select **Assign an account**. The list displays Enterprise accounts where you are listed as a Super Administrator.
2. In the text field, search for the account name and select it.
3. When you are done, select **Assign to organization**. The organization overview page displays with the newly assigned account.

Note

To remove an account from your organization, contact your Cloudflare account team.

## Analytics & Logs

Review incoming HTTP traffic for all domains connected to Cloudflare through your organization. The data includes traffic for proxied hostnames, does not reflect your billable usage, and may be based on an adaptive sample.

To view specific data associated with your HTTP traffic, add optional filters. You can also choose to print a report of your data or download the data.

## Shared Configurations

Create and enforce global policies across your organization or sub-organization with [WAF custom rulesets](https://developers.cloudflare.com/waf/account/custom-rulesets/) and [Gateway policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

With shared configurations, you can define a WAF custom ruleset once, apply it to one or more accounts, and manage it in a single place.

## Manage Organization

Rename your organization and add or edit customer identification data related to the organization.

### Rename an organization

1. Select **Organizations** \> **Manage Organization**.
2. From **Organization name**, select **Rename**.
3. Enter the new name for the organization and select **Rename**.

### Edit customer identification data

1. Select **Organizations** \> **Manage Organization**.
2. From **Customer identification data**, select **Edit**.
3. Enter the information in the text fields and select **Save**.

---

---
title: Limitations
description: The following limitations apply during the public beta.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Limitations

The following limitations apply during the public beta.

| Limitation               | Description                                                                                                                                                                           |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Enterprise accounts only | Only Enterprise accounts can be added to an organization. Free and Pay-as-you-go accounts are not supported.                                                                          |
| Account and zone limits  | Each organization supports up to 500 accounts and 500 zones.                                                                                                                          |
| Roles                    | Organization Super Administrator is the only role available during the beta. Additional roles will be available in a future release.                                                  |
| Organization deletion    | Organizations cannot be deleted. To remove an account from your organization, contact [Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/). |
| Sub-organizations        | Sub-organizations are not available to Enterprise customers during the public beta.                                                                                                   |

---

---
title: Set up
description: This guide covers how to create an organization, assign accounts, and invite members.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Set up

This guide covers how to create an organization, assign accounts, and invite members.

## Prerequisites

Before you create an organization:

* You must have an Enterprise plan.
* You must have [two-factor authentication (2FA)](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/) or [single sign-on (SSO)](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) enabled.
* You must be a Super Administrator on the accounts you want to assign.

Note

All organization members must have 2FA or SSO enabled.

## Create an organization

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Select **Organizations**.
3. Select **Create organization**.
4. Enter a name for the organization.
5. Select **Create**.

The organization overview page displays after creation.

## Assign accounts

After creating an organization, you can assign accounts to manage them centrally:

1. From the organization overview, select **Assign an account**.
2. Search for an account name. Only Enterprise accounts where you are a Super Administrator will appear.
3. Select the account.
4. Select **Assign to organization**.

The assigned account now appears on the organization overview page. From here, you can view the account, copy its ID, or rename it.

To remove an account from your organization, contact [Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/).

## Organization Super Administrator

When you create an organization, you become the Organization Super Administrator. This role provides implicit access to all accounts in your organization.

Implicit access means you do not need explicit membership on each account. When you access any account within your organization, you automatically have Super Administrator permissions.

### Invite members

You can invite additional members to your organization. Invited members receive implicit Super Administrator access to all accounts in the organization.

1. From the organization overview, select **Members**.
2. Select **Invite member**.
3. Enter the email address.
4. Select **Send invitation**.

The user receives an email invitation. After accepting, they have implicit access to all accounts in the organization.

Invited members must have 2FA or SSO enabled to join.

## View audit logs

You can view, filter, and download audit logs for HTTP traffic across all domains in your organization:

1. From the organization overview, select **Analytics & Logs**.
2. Use filters to narrow results by date range, account, domain, or other criteria.
3. To export data, select **Download**.

The data includes traffic for proxied hostnames and may be based on a sample. This data does not reflect billable usage.

## Manage your organization

### Rename your organization

1. Go to **Organizations** \> **Manage Organization**.
2. Next to **Organization name**, select **Rename**.
3. Enter the new name.
4. Select **Rename**.

### Edit customer identification data

1. Go to **Organizations** \> **Manage Organization**.
2. Next to **Customer identification data**, select **Edit**.
3. Update the information.
4. Select **Save**.

## Terraform

You can manage Organizations using the [Cloudflare Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/organization).

---

---
title: Members and permissions
description: On any Cloudflare account, you can collaborate by adding members to your account and assigning them access via one or several policies.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Members and permissions

On any Cloudflare account, you can collaborate by adding members to your account and assigning them access via one or several policies.

Configuring permissions for each member helps prevent accidental changes to your account. For example, you can scope a team member to only manage staging domains, so they do not accidentally modify a production site. Use policies to grant each member the minimum level of access they need.

Every policy has three parts:

1. The actor
2. The role
3. The scope

Refer to the resources below to configure policies so that each account member receives only the access permissions they need.

## Resources

* [ Set up dashboard SSO ](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/)
* [ Manage ](https://developers.cloudflare.com/fundamentals/manage-members/manage/)
* [ Policies ](https://developers.cloudflare.com/fundamentals/manage-members/policies/)
* [ Roles ](https://developers.cloudflare.com/fundamentals/manage-members/roles/)
* [ Role scopes ](https://developers.cloudflare.com/fundamentals/manage-members/scope/)
* [ User Groups ](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)

---

---
title: Set up dashboard SSO
description: Cloudflare offers single sign-on (SSO) for all customers who log in with a custom email domain. By creating a Cloudflare SSO connector, you can enforce SSO to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Set up dashboard SSO

Cloudflare offers single sign-on (SSO) for all customers who log in with a custom email domain. By creating a Cloudflare SSO connector, you can enforce SSO to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain.

## Availability

Cloudflare Dashboard SSO is available for free to all plans.

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Prerequisites

1. You must control your email domain and be able to add a TXT record to verify this.  
   * Public email providers such as `@gmail.com` are not allowed.  
   * Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails.
2. You must be a super administrator and be able to access the Cloudflare API.
3. A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to [Create a Cloudflare Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization).

## 1\. Set up an IdP

Add an IdP to Cloudflare Zero Trust by following [our detailed instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).

Once you configure your IdP, make sure you also [test your IdP](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one).

## 2\. Register your domain with Cloudflare for SSO

Warning

You must create an [Account API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the role `SSO Connector Edit` and store it securely. This acts as a backup plan, allowing you to disable SSO via the API if you are accidentally locked out, such as due to changes in your IdP configuration later.

**Dashboard**

1. Once you have configured an IdP in Cloudflare One, go to the **Members** page to manage SSO connectors.  
   [ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. If step 1 was successful, a button to add a new SSO domain will be present. Select the button to begin the process of adding a new SSO domain.  
   ![Screenshot of the SSO connector create modal](https://developers.cloudflare.com/_astro/create_modal.UuyGmCgI_ZLWxQJ.webp)
3. Enter your email domain and select **Create** to move to the verification step.

Note

Some top level domains, such as `.edu`, are prohibited from being used as SSO domains.

**API**

Using a command line terminal where you have already set the environment variable `CLOUDFLARE_API_TOKEN` to a user or account API token which has the `SSO Connector Edit` permission, run the following command to create an SSO connector. Replace `{account_id}` with your account ID, and `{domain}` with your email domain.

cURL command

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{"email_domain":"{domain}"}'
```

```
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "c3ebcba5c20b42f73e111110d0be67d",
    "enabled": false,
    "email_domain": "cool.cats",
    "verification": {
      "code": "cloudflare_dashboard_sso=111111111",
      "status": "pending"
    },
    "created_on": "2025-09-05T20:35:34Z"
  }
}
```

## 3\. Verify domain ownership

**Dashboard**

If you are unable to change your DNS records right away, the option to verify later is available. The verification process can be manually triggered from the actions menu for that connector in the list.

![Screenshot of the SSO connector create modal](https://developers.cloudflare.com/_astro/verify_modal.DVxZpDs__Z27Ilnd.webp)

Copy the verification code and create a TXT record in your DNS configuration with that value. The record must include all of the text including the `cloudflare_dashboard_sso=` prefix.

Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days.

If the verification process fails due to timeout, you can manually reinitiate the polling by selecting **Begin verification** in the actions menu for that connector in the list.

**API**

Copy the verification code (for example `cloudflare_dashboard_sso=1111111`) and create a `TXT` record in your DNS configuration with that value. To test that the DNS record was correctly configured, you can use the `dig` command to query your email domain:

Terminal window

```
dig cool.cats TXT +short
```

```
"cloudflare_dashboard_sso=111111111"
```

The `TXT` record must include the `cloudflare_dashboard_sso=` prefix along with the numerical code.

Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days. If verification fails due to timeout, you may manually reinitiate the polling by running the following command:

cURL command

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}/begin_verification" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

Once the verification process has completed or timed out, you will receive an email notification with the verification result.
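
A pre-flight check for the TXT record described in this step, as an added example (not Cloudflare's code): it reads the verification code from the create-connector response and compares it with `dig +short` output, reporting why a record would not match. The function names and the SPF sample line are assumptions; the response and TXT value mirror the samples on this page.

```python
import json
import shlex

PREFIX = "cloudflare_dashboard_sso="

# Constructed sample: create-connector response in the shape shown in step 2.
CREATE_RESPONSE = """
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "enabled": false,
    "email_domain": "cool.cats",
    "verification": {
      "code": "cloudflare_dashboard_sso=111111111",
      "status": "pending"
    }
  }
}
"""

# Constructed sample: `dig cool.cats TXT +short` output for a domain that also
# publishes an SPF record (the SPF value is made up for this example).
DIG_OUTPUT = '''"v=spf1 include:_spf.example.net ~all"
"cloudflare_dashboard_sso=111111111"
'''


def expected_code(create_response: str) -> str:
    """Return verification.code from the create response, prefix included."""
    body = json.loads(create_response)
    if not body.get("success"):
        raise ValueError(f"connector creation failed: {body.get('errors')}")
    code = body["result"]["verification"]["code"]
    if not code.startswith(PREFIX):
        raise ValueError("verification code lacks the expected prefix")
    return code


def txt_values(dig_short_output: str) -> list[str]:
    """Turn `dig +short` TXT output into one string per record.

    dig prints each record on its own line as one or more quoted
    character-strings; a record split into chunks is joined back together.
    """
    values = []
    for line in dig_short_output.splitlines():
        if line.strip():
            values.append("".join(shlex.split(line)))
    return values


def check_txt(dig_short_output: str, code: str) -> str:
    """Classify the published records against the expected code."""
    values = txt_values(dig_short_output)
    if code in values:
        return "ok"
    if code[len(PREFIX):] in values:
        # The numeric part was published without cloudflare_dashboard_sso=.
        return "missing-prefix"
    if any(value.startswith(PREFIX) for value in values):
        # A record for another (possibly older) connector is published.
        return "wrong-code"
    return "not-found"


if __name__ == "__main__":
    print(check_txt(DIG_OUTPUT, expected_code(CREATE_RESPONSE)))
```
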

## 4\. Enable dashboard SSO

Warning

Enabling Cloudflare Dashboard SSO for an email domain (for example, `@mycompany.com`) will apply globally to all users with that domain, regardless of which accounts those users have access to. All users will be required to authenticate via the specified identity provider, including users registered on Cloudflare prior to the domain being configured for SSO.

Once the verification process has completed and successfully verified domain ownership, you may enable the connector.

Domains that are associated with an already enabled connector belonging to a different account may not be enabled on a new account until disabled on the old account.

**Dashboard**

Enable the connector by selecting **Enable** in the Actions menu for that connector in the list.

![Screenshot of the SSO connector enable button](https://developers.cloudflare.com/_astro/verified_domain.B1SGjH_l_1biz1k.webp)

**API**

Enable the connector by running the following command. Replace `{account_id}` with your account ID, and `{sso_connector_id}` with the value you obtained from the `id` field in the response to the previous call.

cURL command

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{"enabled": true}'
```

## Test your IdP before enforcement

Before enabling SSO for your domain, verify that your identity provider is configured correctly:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Integrations** \> **Identity providers**.
2. Find your IdP and select **Test**.
3. Confirm that the test returns a successful authentication result.

If the test fails, review your IdP configuration against the [identity provider setup instructions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) before enabling the SSO connector.

### Troubleshoot IdP errors

If you encounter errors during IdP setup or testing, provide the following when [contacting support](https://developers.cloudflare.com/support/contacting-cloudflare-support/):

1. The error message returned by the IdP test.
2. A sanitized [HAR file](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while running the IdP test from the dashboard.

## Limitations

Cloudflare dashboard SSO does not support:

* Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to log in with SSO.
* Adding a separate email-based policy to the Zero Trust SSO application that does not match your SSO domain policy.
* Multiple Zero Trust domain policies. If another domain policy is required, you can create another SSO connector. This will create a second policy for that new domain in your SSO application.
* Deleting the auto-generated Zero Trust `allow email domain` policy. If this policy is deleted, your organization's administrators cannot access the Cloudflare dashboard.

## IdP-initiated SSO

IdP-initiated login is supported for Cloudflare dashboard SSO, with configuration available via your identity provider (IdP).

A step-by-step guide is currently available for Okta, and similar configurations are possible with other identity providers that support custom SSO endpoints.

### Okta

Configure an identity provider (IdP)-initiated single sign-on (SSO) session using Cloudflare Zero Trust and Okta.

#### Prerequisites

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications** \> select your **SSO App**.
2. Select **Configure** to access the application settings.
3. In the **Basic Information** section, copy the **SSO Endpoint URL** and **Access Entity ID or Issuer**. You will need these values for your IdP setup.

#### Configure Okta as the IdP

1. Log in to your [Okta Admin Dashboard ↗](https://login.okta.com/) and go to **Applications** \> **Applications**.
2. Select **Create App Integration** to start a new SAML integration to handle the IdP-initiated SSO flow.
3. In the pop-up, select **SAML 2.0** and select **Next**.
4. Enter a name for the app and select **Next**.
5. In the **Single Sign-On URL** field, paste the **SSO Endpoint URL** [you copied earlier](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/#prerequisites-1).
6. In the **Audience URI (SP Entity ID)** field, paste the **Access Entity ID or Issuer** [you copied earlier](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/#prerequisites-1).
7. Set the **Name ID Format** to **EmailAddress**.
8. Set the **Application Username** to **Email**.
9. Select **Next** \> **Finish** to save the integration.
10. Test the integration by going to your Okta User Dashboard, locating the new app tile, and selecting it to verify the SSO flow.

**(Optional) Enforce single IdP login with Instant Auth**

If you use only one IdP (for example, Okta) for Cloudflare SSO and want users to skip the identity provider selection prompt:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Access controls** \> **Applications** \> select your **SSO App**.
2. Go to **Login methods**.
3. Disable **Accept all available identity providers** and ensure only Okta is selected as the login method.
4. Enable **Instant Auth** to allow users to skip identity provider selection.

## Bypass dashboard SSO

This section describes how to restore access to the Cloudflare dashboard in case you are unable to log in with SSO.

### Option 1: Add a backup IdP

If there is an issue with your SSO IdP, you can add an alternate IdP using the API. The following example shows how to add [Cloudflare One-time PIN](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/) as a login method:

1. [Add](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/identity%5Fproviders/methods/create/) one-time PIN login:  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)is required:  
   * `Access: Organizations, Identity Providers, and Groups Write`  
Add an Access identity provider  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers" \  
  --request POST \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "type": "onetimepin",  
    "config": {}  
  }'  
```
2. [Get](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/list/) the `id` of the `dash_sso` Access application. You can use [jq ↗](https://jqlang.github.io/jq/download/) to quickly find the correct application:  
cURL command  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  | jq '.result[] | select(.type == "dash_sso")'  
```

```
{
  "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
  "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1",
  "type": "dash_sso",
  "name": "SSO App"
  // ...
}
```

3. Using the `id` obtained above, [update](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/update/) **SSO App** to accept all identity providers. To avoid overwriting your existing configuration, the PUT request body should contain all fields returned by the previous GET request.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `Access: Apps and Policies Write`  
Update an Access application  
```  
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1" \  
  --request PUT \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",  
    "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1",  
    "type": "dash_sso",  
    "name": "SSO App",  
    "allowed_idps": []  
  }'  
```

Users will now have the option to log in using a one-time PIN.
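Steps 2 and 3 above as an added Python example (not from the Cloudflare documentation): it selects the `dash_sso` application from a list response and builds the PUT body by copying every returned field and changing only `allowed_idps`. The sample response is constructed; `auto_redirect_to_identity`, `session_duration` and the IdP id in it are assumed values standing in for whatever your GET returns.

```python
import copy
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Constructed sample of the "list Access applications" response. The dash_sso id,
# type and name come from the page; every other value is made up to stand in for
# whatever else your GET returns.
SAMPLE_APPS_RESPONSE = {
    "success": True,
    "result": [
        {
            "id": "11111111-2222-3333-4444-555555555555",
            "type": "self_hosted",
            "name": "Internal wiki (constructed)",
            "allowed_idps": [],
        },
        {
            "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
            "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1",
            "type": "dash_sso",
            "name": "SSO App",
            # Constructed id of the single IdP the app is currently restricted to.
            "allowed_idps": ["00000000-0000-0000-0000-0000000000aa"],
            "auto_redirect_to_identity": True,
            "session_duration": "24h",
        },
    ],
}


def find_dash_sso_app(apps_response):
    """Return the single application of type dash_sso, or raise if none or several."""
    matches = [a for a in apps_response.get("result", []) if a.get("type") == "dash_sso"]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one dash_sso application, found {len(matches)}")
    return matches[0]


def build_accept_all_idps_body(app):
    """Copy every field from the GET and change only allowed_idps to [] (accept all IdPs)."""
    body = copy.deepcopy(app)
    body["allowed_idps"] = []
    return body


def changed_fields(before, after):
    """Names of top-level fields that differ, so the change can be reviewed before sending."""
    keys = set(before) | set(after)
    return sorted(k for k in keys if before.get(k) != after.get(k))


def build_put_request(account_id, api_token, body):
    """Prepare (but do not send) the PUT that updates the application."""
    url = f"{API_BASE}/accounts/{account_id}/access/apps/{body['id']}"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": f"Bearer {api_token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    original = find_dash_sso_app(SAMPLE_APPS_RESPONSE)
    updated = build_accept_all_idps_body(original)
    # Keep `original` (for example, written to a file): sending it back in a later
    # PUT is a way to restore the single-IdP restriction once the IdP issue is resolved.
    print("fields changed:", changed_fields(original, updated))
    request = build_put_request("ACCOUNT_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER", updated)
    print(request.get_method(), request.full_url)
    print(json.dumps(updated, indent=2))
    # urllib.request.urlopen(request) would send it; left out so the example runs offline.
```
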

### Option 2: Disable dashboard SSO

Warning

Before disabling SSO, make sure you have access to your Cloudflare user email. This will allow you to reset your password in case you get logged out of the Cloudflare dashboard.

Using the dashboard:

1. Navigate to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Go to **Settings**.
3. Select the actions menu for the SSO connector in the list and select **Disable**.
4. Type the domain of the connector and click confirm to complete the disable action.

The following API calls will disable SSO enforcement for an account. This action can only be performed by API tokens with the `SSO connectors edit` role or Super Administrators.

1. Get your SSO connector `id`:  
cURL command  
```  
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```

```
{
  "result": [
    {
      "id": "d616ac82cc7f87153112d75a711c5c3c",
      "email_domain": "cool.cats",
      "enabled": true
      // ...
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

2. Disable the SSO connector:  
cURL command  
```  
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \  
  --request PATCH \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "enabled": false  
  }'  
```

```
{
  "result": [
    {
      "id": "d616ac82cc7f87153112d75a711c5c3c",
      "email_domain": "cool.cats",
      "enabled": false
      // ...
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

Users can now log in using their Cloudflare account email and password. If a user does not have a password, they can use the [forgot password](https://developers.cloudflare.com/fundamentals/user-profiles/change-password-or-email/#forgot-your-password) method on the login page to create one.

## Change your Zero Trust team name

Cloudflare does not allow you to change your team name while an SSO connector exists. To change your team name, you must disable and delete your SSO connector(s).

Using the dashboard:

1. Navigate to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Go to **Settings**.
3. Disable all SSO connectors.
4. Delete all SSO connectors.

Using the API:

1. Get all SSO connectors for your account.  
cURL command  
```  
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```
2. Disable any active SSO connectors using the `id` of each connector from the previous step.  
cURL command  
```  
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \  
  --request PATCH \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "enabled": false  
  }'  
```
3. Delete all SSO connectors using the `id` of each connector from the previous step.  
cURL command  
```  
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \  
  --request DELETE \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```

After all SSO connectors are deleted:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Reusable components** \> **Custom pages**.
2. Under **Team domain**, select **Edit** to enter the new team name. Select **Save**.
3. In your identity provider, update your Cloudflare integration with the new team name. For example, if you are using a SAML IdP, you will need to update the Single Sign-on URL and Entity ID to `https://<new-team-name>.cloudflareaccess.com/cdn-cgi/access/callback`.
4. Recreate any deleted SSO connectors using the steps in [Register your domain with Cloudflare for SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/#2-register-your-domain-with-cloudflare-for-sso).
5. Follow the verification and enable steps after recreating the SSO connectors.


---

---
title: Manage
description: Granting access to others on your account is done with several sets of data principles:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Manage

Granting others access to your account rests on the following data principles:

1. Accounts have Account Members.
2. Account Members have policies.
3. Policies are constructed out of actors, roles, and scopes.

When assigning a new user, you can assign a policy to them directly. If multiple policies are needed, they can be added or revoked at a later time.

Learn how to add new account members, edit or revoke their access, and resend verification emails.

Note

To manage account members, you must have a role of **Super Administrator** and have a [verified email address](https://developers.cloudflare.com/fundamentals/user-profiles/verify-email-address/).

## View account members

To view members using the dashboard:

In the Cloudflare dashboard, go to the **Members** page.

[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members) 

To view members using the API, send a [GET request](https://developers.cloudflare.com/api/resources/accounts/subresources/members/methods/list/).

## Add account members

To add a member to your account:

1. In the Cloudflare dashboard, go to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Select **Invite**.
3. Fill out the following information:  
   * **Invite members**: Enter one or more email addresses (if multiple, separate addresses with commas).  
   * **Scope**: Use a variety of fields to adjust the [scope](https://developers.cloudflare.com/fundamentals/manage-members/roles/) of your roles.  
   * **Roles**: Choose one or more [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) to assign your members.
4. Select **Continue to summary**.
5. Review the information, then select **Invite**.

Note

If a user already has an account with Cloudflare and you have an Enterprise account, you can also select **Direct Add** to add them to your account without sending an email invitation.

To add a member using the API, send a [POST request](https://developers.cloudflare.com/api/resources/accounts/subresources/members/methods/create/).

## Edit member permissions

To edit member permissions using the dashboard:

1. In the Cloudflare dashboard, go to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Select a member record, then select **Edit**.
3. Update the scope and roles of their permissions.
4. Select **Continue to summary**.
5. Review the information, then select **Update**.

To edit member permissions using the API, get a [list of roles](https://developers.cloudflare.com/api/resources/accounts/subresources/roles/methods/list/) available for an account.

Then, send a [PUT request](https://developers.cloudflare.com/api/resources/accounts/subresources/members/methods/update/) to edit their permissions.

Request

```
curl --request PUT \
  --url https://api.cloudflare.com/client/v4/accounts/{account_id}/members/{member_id} \
  --header 'Authorization: Bearer <API_TOKEN>' \
  --header 'Content-Type: application/json' \
  --data '{
    "roles": [
      {
        "id": "<ROLE_ID1>"
      },
      {
        "id": "<ROLE_ID2>"
      }
    ]
  }'
```

## Resend an invitation

If you invited a member to your account but they cannot find the invitation or the invitation expires, you can resend the invitation through the Cloudflare dashboard:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login) and select your account[1](#user-content-fn-1).
2. Go to **Manage Account** \> **Members**.
3. Select a member record where their **Status** is **Invite Pending**.
4. Select **Resend invite**.

## Footnotes

1. To manage account members, you must have a role of **Super Administrator** and have a [verified email address](https://developers.cloudflare.com/fundamentals/user-profiles/verify-email-address/).  
[↩](#user-content-fnref-1)

## Remove account members

To revoke a member's access to your account:

1. In the Cloudflare dashboard, go to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Locate an account member and expand their record.
3. Click **Revoke**.
4. Click **Yes, revoke access**.

To revoke a member's access to your account using the API, send a [DELETE request](https://developers.cloudflare.com/api/resources/accounts/subresources/members/methods/delete/).

Note

If you have been invited to an account and want to remove yourself from the account, go to **Manage Account** \> **Members**. Under your email address, select **Leave**.

## Super Administrator access

If you are a Super Administrator for an account that has existing domains and you decide to leave the account, you can invite a new Super Administrator who will have access to the same account privileges.

You can delete your user as a Super Administrator, but you cannot delete your account. Other Super Administrators will continue to have access to the appropriate privileges to manage the account, including billing information.


---

---
title: Policies
description: Policies define what access a given user has to your account or domains, and are constructed out of three parts:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Policies

Policies define what access a given user has to your account or domains, and are constructed out of three parts:

1. An actor (your user).
2. A `ResourceGroup` (a scope).
3. A `PermissionGroup` (roles).

An account member can have one or several of these policies to represent the most appropriate access. A member’s effective permissions are the union of all policies assigned to them—whether directly, or through group membership.

To increase the usability and flexibility of Cloudflare's role system, changes to the API have been made to expose these underlying data principles and allow users to interact with them.

For example, you may want to assign multiple policies and use scopes to control access when you have a single account with both Production and Staging domains, and a user who should be able to see the whole account and purge the production domains, but also have the ability to configure the staging domains.

## Manage policies

Every account exposes a set of standard API endpoints that allow access to your members. These endpoints have recently been enhanced with a list of `resourceGroups` and `PermissionGroups`.

* A `resourceGroup` is a unique identifier for the scope to which a policy applies.
* A `permissionGroup` is a unique identifier for the set of roles that are assigned to a given policy.

Refer to the [API documentation](https://developers.cloudflare.com/api/) for more information.

## Viewing Effective Permissions

Cloudflare supports assigning permissions to members both directly and through [User Groups](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/). A member’s effective permissions are additive; they represent the union of all permissions granted directly to a member and those inherited through a member's group membership.

Note

To understand a member’s full access, check both the **Members** and **User Groups** views:

* The **Members** view shows only the permissions explicitly assigned to the user.
* Permissions inherited through [User Groups](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/) are not shown on the Members page. To see these, go to the Groups tab, find the groups the user belongs to, and review the policies assigned to each group.

Cloudflare is actively working on improvements to consolidate this view in a future update.
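The check that the note above describes, as an added Python example (not Cloudflare's code): it unions a member's direct policies with those inherited through user groups and lists the grants the **Members** view would not show. The record shapes, emails, group names and domains are constructed for illustration and are not the API's response schema; `Cache Domain Purge` and `Domain Administrator` are assumed to be domain-scoped role names, which this section does not list.

```python
from collections import defaultdict

# Constructed sample data in a simplified shape (not the API's response schema).
# Scenario: one account with Production and Staging domains.
DIRECT_POLICIES = {
    "ana@example.com": [
        {"scope": "account", "roles": ["Administrator Read Only"]},
    ],
    "raj@example.com": [
        {"scope": "account", "roles": ["Analytics"]},
    ],
}

USER_GROUPS = [
    {
        "name": "prod-purgers",
        "members": ["ana@example.com"],
        "policies": [
            {"scope": "domain:prod.example.com", "roles": ["Cache Domain Purge"]},
        ],
    },
    {
        "name": "staging-admins",
        "members": ["ana@example.com", "raj@example.com"],
        "policies": [
            {"scope": "domain:staging.example.com", "roles": ["Domain Administrator"]},
        ],
    },
    {
        "name": "break-glass",
        "members": ["raj@example.com"],
        "policies": [
            {"scope": "account", "roles": ["Super Administrator - All Privileges"]},
        ],
    },
]

# Roles treated as high privilege for this audit (a choice made for the example).
HIGH_PRIVILEGE = {"Super Administrator - All Privileges", "Administrator"}


def effective_grants(email, direct=DIRECT_POLICIES, groups=USER_GROUPS):
    """Return {(scope, role): [sources]} for the union of direct and group policies."""
    grants = defaultdict(list)
    for policy in direct.get(email, []):
        for role in policy["roles"]:
            grants[(policy["scope"], role)].append("direct")
    for group in groups:
        if email not in group["members"]:
            continue
        for policy in group["policies"]:
            for role in policy["roles"]:
                grants[(policy["scope"], role)].append("group:" + group["name"])
    return dict(grants)


def hidden_from_members_view(email, direct=DIRECT_POLICIES, groups=USER_GROUPS):
    """Grants that arrive only through groups, which the Members view does not list."""
    grants = effective_grants(email, direct, groups)
    return sorted(key for key, sources in grants.items() if "direct" not in sources)


def audit_inherited_high_privilege(direct=DIRECT_POLICIES, groups=USER_GROUPS):
    """List (email, scope, role, sources) for high-privilege roles held only via groups."""
    emails = set(direct) | {m for g in groups for m in g["members"]}
    findings = []
    for email in sorted(emails):
        for (scope, role), sources in sorted(effective_grants(email, direct, groups).items()):
            if role in HIGH_PRIVILEGE and "direct" not in sources:
                findings.append((email, scope, role, sources))
    return findings


if __name__ == "__main__":
    for email in sorted(DIRECT_POLICIES):
        print(email)
        for (scope, role), sources in sorted(effective_grants(email).items()):
            print(f"  {scope:28} {role:40} via {', '.join(sources)}")
    print("inherited high-privilege grants:", audit_inherited_high_privilege())
```
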


---

---
title: Roles
description: Whenever you add a new member to your account, you can assign policies to those users and make use of the available roles. Roles can only ever be assigned to their given scope and multiple roles can be assigned to a given policy.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Roles

Whenever you [add a new member](https://developers.cloudflare.com/fundamentals/manage-members/manage/) to your account, you can assign policies to those users and make use of the available roles. Roles can only ever be assigned to their given scope and multiple roles can be assigned to a given policy.

## Account-scoped roles

Account-scoped roles apply across an entire Cloudflare account, and through all domains in that account.

| Role                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Administrator                                                | Can access the full account and edit subscriptions. Cannot manage members nor billing profile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Super Administrator - All Privileges                         | Can edit any Cloudflare setting, make purchases, update billing, manage members, and create account-owned API tokens. Super Administrators can revoke the access of other Super Administrators.                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Administrator Read Only                                      | Can access the full account in read-only mode.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Analytics                                                    | Can read Analytics.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| API Gateway                                                  | Grants full access to [API Gateway (including API Shield)](https://developers.cloudflare.com/api-shield/) for all domains in an account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| API Gateway Read                                             | Grants read access to [API Gateway (including API Shield)](https://developers.cloudflare.com/api-shield/) for all domains in an account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Application Security Reports Read                            | Can read Application Security Reports.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Audit Logs Viewer                                            | Can view [Audit Logs](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Bot Management (Account-Wide)                                | Can edit [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/)) configurations for all domains in account.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Billing                                                      | Can edit the account's [billing profile](https://developers.cloudflare.com/billing/create-billing-profile/) and subscriptions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Cache Purge                                                  | Can purge the edge cache and allows the reading of zone settings.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Cloudflare Access                                            | Can edit [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) and [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Cloudflare CASB                                              | Can edit [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Cloudflare CASB Read                                         | Can read [Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Cloudchamber Admin                                           | Can manage Cloudchamber deployments.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Cloudchamber Admin Read Only                                 | Can manage Cloudchamber deployments in read-only mode.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Cloudflare DEX                                               | Can edit [Cloudflare DEX](https://developers.cloudflare.com/cloudflare-one/insights/dex/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Cloudflare Gateway                                           | Can edit [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and read [Access](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Cloudflare Images                                            | Can access [Cloudflare Images](https://developers.cloudflare.com/images/) data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Cloudflare R2 Admin                                          | Can edit Cloudflare [R2](https://developers.cloudflare.com/r2/) buckets, objects, and associated configurations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Cloudflare R2 Read                                           | Can read Cloudflare [R2](https://developers.cloudflare.com/r2/) buckets, objects, and associated configurations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Cloudflare Stream                                            | Can edit [Cloudflare Stream](https://developers.cloudflare.com/stream/) media.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Cloudflare Zero Trust                                        | Can edit [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/). Grants administrator access to all Zero Trust products including Access, Gateway, the Cloudflare One Client, Tunnel, Browser Isolation, CASB, DLP, DEX, and Email security.                                                                                                                                                                                                                                                                                                                                                                                                         |
| Cloudflare Zero Trust Secure DNS Locations Write             | Can view [Gateway DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations) and create and edit [secure DNS locations](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations).                                                                                                                                                                                                                                                                                                                                                   |
| Cloudflare Zero Trust PII                                    | Can access [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) PII.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Cloudflare Zero Trust Read Only                              | Can access [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) read only mode.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Cloudflare Zero Trust Reporting                              | Can access [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) reporting data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Connectivity Directory Admin                                 | Can view, edit, create, and delete [Workers VPC Services](https://developers.cloudflare.com/workers-vpc/) and bind to [Cloudflare Tunnel](https://developers.cloudflare.com/workers-vpc/configuration/tunnel/).                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| Connectivity Directory Bind                                  | Can read, list, and bind to [Workers VPC Services](https://developers.cloudflare.com/workers-vpc/), as well as read and list [Cloudflare Tunnels](https://developers.cloudflare.com/workers-vpc/configuration/tunnel/).                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Connectivity Directory Read                                  | Can view [Workers VPC Services](https://developers.cloudflare.com/workers-vpc/) and [Cloudflare Tunnels](https://developers.cloudflare.com/workers-vpc/configuration/tunnel/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| DNS                                                          | Can edit [DNS records](https://developers.cloudflare.com/dns/manage-dns-records/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Email Configuration Admin                                    | Grants administrator access to Email security. Cannot take actions on emails, or read emails.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Email Integration Admin                                      | Grants read and write access to integrations only.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Email Security Analyst                                       | Grants analyst access. Can take action on emails and read emails.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Email Security Read only                                     | Grants read only access to all of Email security.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Email Security Reporting                                     | Grants read access to Email security metrics.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Email Security Policy Admin                                  | Grants read access to all settings, and write access to [allow policies](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/allow-policies/), [trusted domains](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/trusted-domains/), and [blocked senders](https://developers.cloudflare.com/cloudflare-one/email-security/settings/detection-settings/blocked-senders/). |
| Firewall                                                     | Can edit [WAF](https://developers.cloudflare.com/waf/), [IP Access rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/), [Zone Lockdown](https://developers.cloudflare.com/waf/tools/zone-lockdown/) settings, and [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/).                                                                                                                                                                                                                                                                                                                                                           |
| HTTP Applications                                            | Grants full access to HTTP Applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| HTTP Applications Read                                       | Grants read-only access to HTTP Applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Load Balancer                                                | Can edit [Load Balancers](https://developers.cloudflare.com/load-balancing/), Pools, Origins, and Health Checks.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Load Balancing Account Read                                  | Can read [Load Balancing](https://developers.cloudflare.com/load-balancing/) resources such as Load Balancers, Monitors, Monitor Groups, Pools, and Health Checks.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Log Share                                                    | Can edit [Log Share](https://developers.cloudflare.com/logs/) configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Log Share Reader                                             | Can read Enterprise [Log Share](https://developers.cloudflare.com/logs/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Magic Network Monitoring                                     | Can view and edit [Network Flow configuration](https://developers.cloudflare.com/network-flow/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Magic Network Monitoring Admin                               | Can view, edit, create, and delete [Network Flow configuration](https://developers.cloudflare.com/network-flow/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Magic Network Monitoring Read-Only                           | Can view [Network Flow configuration](https://developers.cloudflare.com/network-flow/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Network Services Write (Magic)                               | Grants write access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Network Services Read (Magic)                                | Grants read access to network configurations for Magic services. Magic Tunnel health checks require the Analytics role for non-admin users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Minimal Account Access                                       | Can view account, and nothing else.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| Page Shield                                                  | Grants write access to [client-side security](https://developers.cloudflare.com/client-side-security/) (formerly Page Shield) across the whole account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Page Shield Read                                             | Grants read access to [client-side security](https://developers.cloudflare.com/client-side-security/) (formerly Page Shield) across the whole account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Realtime                                                     | Grants access to Realtime configuration excluding sensitive data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Realtime Admin                                               | Grants administrator access to Realtime configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Hyperdrive Read only                                         | Grants read access to [Hyperdrive](https://developers.cloudflare.com/hyperdrive/) database configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Hyperdrive Admin                                             | Grants write access to [Hyperdrive](https://developers.cloudflare.com/hyperdrive/) database configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| SSL/TLS, Caching, Performance, Page Rules, and Customization | Can edit most Cloudflare settings except for [DNS](https://developers.cloudflare.com/dns/) and [Firewall](https://developers.cloudflare.com/waf/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Secrets Store Admin                                          | Can create, edit, duplicate, delete, and view secrets metadata. Can also [add a Secrets Store binding to a Worker](https://developers.cloudflare.com/secrets-store/integrations/workers/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| Secrets Store Deployer                                       | Can view secrets metadata but cannot create, edit, duplicate, or delete secrets. Can also [add a Secrets Store binding to a Worker](https://developers.cloudflare.com/secrets-store/integrations/workers/). |
| Secrets Store Reporter                                       | Can view secrets metadata. Cannot perform any actions (create, edit, duplicate, delete secrets), nor add a Secrets Store binding to a Worker.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Brand Protection                                             | Can access the Brand Protection feature on the API and Cloudflare dashboard. The Brand Protection role also gives you access to the Investigate platform. |
| Cloudforce One Admin                                         | Grants write access to [Cloudforce One](https://developers.cloudflare.com/security-center/cloudforce-one/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Cloudforce One Read                                          | Grants read access to [Cloudforce One](https://developers.cloudflare.com/security-center/cloudforce-one/). Cannot create or edit RFIs or PIRs. |
| Trust and Safety                                             | Can access trust and safety related services.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Turnstile                                                    | Grants full access to [Turnstile](https://developers.cloudflare.com/turnstile/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Turnstile Read                                               | Grants read access to [Turnstile](https://developers.cloudflare.com/turnstile/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| Vectorize Admin                                              | Can edit [Vectorize](https://developers.cloudflare.com/vectorize/) configurations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Vectorize Read only                                          | Can read [Vectorize](https://developers.cloudflare.com/vectorize/) configurations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Waiting Room Admin                                           | Can edit [Waiting Room](https://developers.cloudflare.com/waiting-room/) configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Waiting Room Read                                            | Can read [Waiting Room](https://developers.cloudflare.com/waiting-room/) configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Workers Editor                                               | Can use the [Workers Playground](https://developers.cloudflare.com/workers/playground/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Workers Platform Admin                                       | Grants edit and read access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](https://developers.cloudflare.com/workers/), [Pages](https://developers.cloudflare.com/pages/), [Durable Objects](https://developers.cloudflare.com/durable-objects/), [KV](https://developers.cloudflare.com/kv/), [R2](https://developers.cloudflare.com/r2/), Zones, [Zone Analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](https://developers.cloudflare.com/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced. |
| Workers Platform (Read-only)                                 | Grants read-only access to all products typically used as part of Cloudflare's Developer Platform, including [Workers](https://developers.cloudflare.com/workers/), [Pages](https://developers.cloudflare.com/pages/), [Durable Objects](https://developers.cloudflare.com/durable-objects/), [KV](https://developers.cloudflare.com/kv/), [R2](https://developers.cloudflare.com/r2/), Zones, [Zone Analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/zone-analytics/) and [Page Rules](https://developers.cloudflare.com/rules/). Cloudflare may add additional read-only permissions to this role as new products are introduced.     |
| Connectivity Directory Read                                  | Can view [Workers VPC Services](https://developers.cloudflare.com/workers-vpc/) and [Cloudflare Tunnels](https://developers.cloudflare.com/workers-vpc/configuration/tunnel/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Connectivity Directory Bind                                  | Can read, list, and bind to [Workers VPC Services](https://developers.cloudflare.com/workers-vpc/), as well as read and list [Cloudflare Tunnels](https://developers.cloudflare.com/workers-vpc/configuration/tunnel/).                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Connectivity Directory Admin                                 | Can view, edit, create, and delete [Workers VPC Services](https://developers.cloudflare.com/workers-vpc/), including the ability to create VPC Services that bind to [Cloudflare Tunnel](https://developers.cloudflare.com/workers-vpc/configuration/tunnel/).                                                                                                                                                                                                                                                                                                                                                                                                           |
| Zaraz Admin                                                  | Can edit and publish [Zaraz](https://developers.cloudflare.com/zaraz/) configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| Zaraz Edit                                                   | Can edit [Zaraz](https://developers.cloudflare.com/zaraz/) configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Zaraz Read only                                              | Can read [Zaraz](https://developers.cloudflare.com/zaraz/) configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| Zone Versioning (Account-Wide)                               | Can view and edit [Zone Versioning](https://developers.cloudflare.com/version-management/) for all domains in account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Zone Versioning Read (Account-Wide)                          | Can view [Zone Versioning](https://developers.cloudflare.com/version-management/) for all domains in account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |

## Domain-scoped roles

Domain-scoped roles apply for a given domain within an account.

| Role                           | Description                                                                                                                                                                                                                                                                                                                               |
| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| AI Crawl Control Read Only     | Can read [AI Crawl Control](https://developers.cloudflare.com/ai-crawl-control/) and metrics.                                                                                                                                                                                                                                             |
| Bot Management                 | Can edit [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/) (including [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/)) configurations.                                                                                                                     |
| Cache Domain Purge             | Grants access to [purge the edge cache](https://developers.cloudflare.com/cache/how-to/purge-cache/) for a specific domain and allows the reading of zone settings.                                                                                                                                                                       |
| Domain Administrator           | Grants full access to domains in an account, and read-only access to account-wide [Firewall](https://developers.cloudflare.com/waf/account/managed-rulesets/deploy-dashboard/), [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/), and [Worker](https://developers.cloudflare.com/workers/) resources. |
| Domain Administrator Read Only | Grants read-only access to domains in an account, as well as account-wide [Firewall](https://developers.cloudflare.com/waf/account/managed-rulesets/deploy-dashboard/), [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/), and [Worker](https://developers.cloudflare.com/workers/) resources.         |
| Domain API Gateway             | Grants full access to API Gateway (including [API Shield](https://developers.cloudflare.com/api-shield/)).                                                                                                                                                                                                                                |
| Domain API Gateway Read        | Grants read access to API Gateway (including [API Shield](https://developers.cloudflare.com/api-shield/)).                                                                                                                                                                                                                                |
| Domain DNS                     | Grants access to edit [DNS settings](https://developers.cloudflare.com/dns/) for domains in an account.                                                                                                                                                                                                                                   |
| Domain Page Shield             | Grants write access to [client-side security](https://developers.cloudflare.com/client-side-security/) for domains in an account.                                                                                                                                                                                                         |
| Domain Page Shield Read        | Grants read access to [client-side security](https://developers.cloudflare.com/client-side-security/) for domains in an account.                                                                                                                                                                                                          |
| Domain Waiting Room Admin      | Can edit [waiting rooms](https://developers.cloudflare.com/waiting-room/) configuration.                                                                                                                                                                                                                                                  |
| Domain Waiting Room Read       | Can read [waiting rooms](https://developers.cloudflare.com/waiting-room/) configuration.                                                                                                                                                                                                                                                  |
| Zone Versioning                | Grants full access to [Zone Versioning](https://developers.cloudflare.com/version-management/).                                                                                                                                                                                                                                           |
| Zone Versioning Read           | Grants read-only access to [Zone Versioning](https://developers.cloudflare.com/version-management/).                                                                                                                                                                                                                                      |

## Resource-scoped roles

Resource-scoped roles apply for a specific resource within an account.

Note

Resource-scoped roles are currently in Beta.

| Role                                      | Description                                                                                                                                                                        |
| ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Cloudflare Access App Admin               | Can edit a specific [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) in an account.                                            |
| Cloudflare Access Identity Provider Admin | Can edit a specific [Cloudflare One identity provider (IdP)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) in an account.                     |
| Cloudflare Access Policy Admin            | Can edit a specific [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) in an account.                                                     |
| Cloudflare Access Service Token Admin     | Can edit a specific [Access service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) in an account.                    |
| Access for Infrastructure Target Admin    | Can edit a specific [Access for Infrastructure target](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) in an account. |

---

---
title: Role scopes
description: Scopes are one of three constituent parts of a policy that allows granting of access to users.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Role scopes

Scopes are one of three constituent parts of a policy that allows granting of access to users.

To allow for flexible combinations of access to users, Cloudflare currently has account-level scopes, domain scopes, and resource-specific scopes. Each scope is associated with a different set of [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

* **Account scope:** Use when the member needs access across the entire account, for example, billing or account-level settings.
* **Specific domains:** Use when the member should only manage certain domains, for example, a developer who works on staging domains but should not modify production.
* **Domain groups:** Use when you have related domains that share the same access needs, for example, all production domains.
* **Specific resources:** Use when access should be limited to individual resources.

---

## Choose the scope of roles

Each policy is limited to a single scope, but you can assign multiple policies to a given user.

You can choose the scope of a policy when you [add a member](https://developers.cloudflare.com/fundamentals/manage-members/manage/).

### Account scope

If you want the member to have a policy that applies across your account, use the following combination of fields.

| Field    | Value         |
| -------- | ------------- |
| Operator | _Include_     |
| Type     | _All domains_ |

Note

You can only assign [account-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#account-scoped-roles) as part of these types of policies.

### Specific domains

If you want the member to have a policy that applies to a specific domain, use the following combination of fields. When applying these roles to this policy, only domain-scoped roles can be used.

| Field    | Value               |
| -------- | ------------------- |
| Operator | _Include_           |
| Type     | _A specific domain_ |
| Name     | _A specific domain_ |

### Domain groups

If you have a set of domains that are all categorized similarly (e.g. all of your sensitive/production domains, all domains around a given project or geography), you can pre-assign them into a domain group and then create policies that provide access to all domains within this group.

#### Create group

To create a domain group:

1. In the Cloudflare dashboard, go to the **Settings** \> **Lists** page. (You must be logged in as a **Super Administrator** and have a [verified email address](https://developers.cloudflare.com/fundamentals/user-profiles/verify-email-address/)).  
[ Go to **Configurations** ](https://dash.cloudflare.com/?to=/:account/configurations)
2. For **Domain Group Manager**, select **Create**.
3. Create your domain group:  
   1. Select the domains to include.  
   2. Add a **Name**.  
   3. Select **Create**.

You can also edit and delete these groups as needed.

#### Use group

To assign a member permissions to a domain group, use the following combination of fields:

| Field    | Value           |
| -------- | --------------- |
| Operator | _Include_       |
| Type     | _Domain Group_  |
| Name     | _Example Group_ |

Note

With Domain Groups, you can only assign [domain-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#domain-scoped-roles) to these members.

### Specific resources

If you want the member to have a policy that applies to a specific resource, use the following combination of fields.

| Field    | Value               |
| -------- | ------------------- |
| Operator | _Include_           |
| Type     | _Granular_          |
| Product  | _Product Name_      |
| Resource | _Specific Resource_ |

#### Available scopes

You can assign the following resource-specific scopes to members:

| Scope                                       | Description                                                                                                                                                                        |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Individual Access applications              | Grant access to manage a specific [Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/).                                            |
| Individual Access identity providers (IdPs) | Grant access to manage a specific [Cloudflare One identity provider (IdP)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).                     |
| Individual Access policies                  | Grant access to manage a specific [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).                                                     |
| Individual Access service tokens            | Grant access to manage a specific [Access service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).                    |
| Individual Access infrastructure targets    | Grant access to manage a specific [Access for Infrastructure target](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/). |

Note

When using scopes for specific resources, you can only assign [resource-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles) to these members.
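The scope rules above (one scope per policy, and each scope type accepting only its own category of role) can be checked before anyone touches the dashboard. The following is an added example, not Cloudflare code: it splits a list of requested grants into one policy per scope and rejects mismatches. The role table is a subset copied from this page; the domain, group and product values are constructed.

```python
# Added example (not Cloudflare code): split requested grants into one policy per scope.

# Subset of roles copied from the roles tables on this page, with their category.
ROLE_CATEGORY = {
    "Turnstile Read": "account",
    "Zaraz Edit": "account",
    "Domain DNS": "domain",
    "Cache Domain Purge": "domain",
    "Cloudflare Access App Admin": "resource",
}

# Scope "Type" values from the field tables above and the role category each accepts.
TYPE_ACCEPTS = {
    "All domains": "account",
    "A specific domain": "domain",
    "Domain Group": "domain",
    "Granular": "resource",
}

# Extra fields each scope type needs besides Operator and Type.
TYPE_FIELDS = {
    "All domains": (),
    "A specific domain": ("Name",),
    "Domain Group": ("Name",),
    "Granular": ("Product", "Resource"),
}


def plan_policies(grants):
    """Return (policies, errors). Each policy has exactly one scope and one or more roles."""
    policies = {}  # scope tuple -> policy dict; dicts keep insertion order
    errors = []
    for grant in grants:
        role, scope_type = grant.get("Role"), grant.get("Type")
        category = ROLE_CATEGORY.get(role)
        accepts = TYPE_ACCEPTS.get(scope_type)
        if category is None:
            errors.append(f"{role!r}: role not in the local role table")
            continue
        if accepts is None:
            errors.append(f"{role!r}: unknown scope type {scope_type!r}")
            continue
        if category != accepts:
            errors.append(
                f"{role!r} is {category}-scoped but {scope_type!r} "
                f"only takes {accepts}-scoped roles"
            )
            continue
        missing = [f for f in TYPE_FIELDS[scope_type] if not grant.get(f)]
        if missing:
            errors.append(f"{role!r}: {scope_type!r} needs {', '.join(missing)}")
            continue
        # Grants that share the same scope are merged into a single policy.
        scope = (scope_type,) + tuple(grant[f] for f in TYPE_FIELDS[scope_type])
        policy = policies.setdefault(scope, {
            "Operator": "Include",
            "Type": scope_type,
            **{f: grant[f] for f in TYPE_FIELDS[scope_type]},
            "Roles": [],
        })
        if role not in policy["Roles"]:
            policy["Roles"].append(role)
    return list(policies.values()), errors


# Constructed request for one member (domain, group and product names are illustrative).
REQUESTED = [
    {"Role": "Domain DNS", "Type": "A specific domain", "Name": "staging.example.com"},
    {"Role": "Cache Domain Purge", "Type": "A specific domain", "Name": "staging.example.com"},
    {"Role": "Domain DNS", "Type": "Domain Group", "Name": "Example Group"},
    {"Role": "Turnstile Read", "Type": "All domains"},
    # Rejected: a domain-scoped role requested on the account scope.
    {"Role": "Domain DNS", "Type": "All domains"},
    # Rejected: a Granular scope without the Resource field.
    {"Role": "Cloudflare Access App Admin", "Type": "Granular", "Product": "Access"},
]

if __name__ == "__main__":
    planned, problems = plan_policies(REQUESTED)
    for p in planned:
        print(p)
    for e in problems:
        print("REJECTED:", e)
```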

---

---
title: User Groups
description: User Groups are a collection of account members that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group receiving all permissions of the roles assigned to the User Group. If users also have individually assigned permissions, then their effective permissions are the union of all of their individual permissions, plus the permissions for all of the User Groups they are a member of.
image: https://developers.cloudflare.com/core-services-preview.png
---

# User Groups

User Groups are a collection of [account members](https://developers.cloudflare.com/fundamentals/manage-members/) that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group receiving all permissions of the roles assigned to the User Group. If users also have individually assigned permissions, then their effective permissions are the union of all of their individual permissions, plus the permissions for all of the User Groups they are a member of.

Note

User Group permissions are inherited by each member of the group but are not currently reflected in the role field on the **Members** page. To view a member’s full set of permissions, check both:

* The **Members** page for any directly assigned policies
* The **Groups** tab to identify which groups the member belongs to, and the policies applied to those groups

Cloudflare is actively working on improving this experience to make inherited and direct permissions easier to view.
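Because group-inherited permissions do not appear in the role field on the **Members** page, an access review has to compute the union itself. The following is an added example, not Cloudflare code: it merges direct grants with group grants and lists the grants each member holds only through groups. The members, groups and scope labels are constructed; the role names come from the roles tables.

```python
# Added example (not Cloudflare code): effective permissions as the union of
# directly assigned policies and the policies of every group a member is in.

# Constructed sample data. A grant is (role, scope); role names come from the
# roles tables, while members, groups and scope labels are illustrative.
DIRECT = {
    "alice@example.com": {("Domain DNS", "domain:staging.example.com")},
    "bob@example.com": set(),
    "carol@example.com": {("Turnstile Read", "account")},
}
GROUPS = {
    "Platform": {
        "members": {"alice@example.com", "bob@example.com"},
        "grants": {
            ("Workers Platform Admin", "account"),
            ("Domain DNS", "domain:staging.example.com"),
        },
    },
    "Bots": {
        "members": {"bob@example.com"},
        "grants": {("Bot Management", "domain:www.example.com")},
    },
}


def effective_permissions(member, direct=DIRECT, groups=GROUPS):
    """Map each grant the member holds to the sorted list of sources conferring it."""
    sources = {}
    for grant in direct.get(member, set()):
        sources.setdefault(grant, []).append("direct")
    for name, group in groups.items():
        if member in group["members"]:
            for grant in group["grants"]:
                sources.setdefault(grant, []).append(f"group:{name}")
    return {grant: sorted(src) for grant, src in sources.items()}


def group_only_grants(member, direct=DIRECT, groups=GROUPS):
    """Grants held solely through groups, so not visible as a directly assigned policy."""
    eff = effective_permissions(member, direct, groups)
    return sorted(g for g, src in eff.items() if "direct" not in src)


def access_review(direct=DIRECT, groups=GROUPS):
    """Per member: number of effective grants and the grants inherited only via groups."""
    members = set(direct)
    for group in groups.values():
        members |= group["members"]
    return {
        m: {
            "effective": len(effective_permissions(m, direct, groups)),
            "group_only": group_only_grants(m, direct, groups),
        }
        for m in sorted(members)
    }


if __name__ == "__main__":
    for member, row in access_review().items():
        print(member, row)
```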

## Create a User Group manually

1. In the Cloudflare dashboard, go to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Select the **Groups** tab.
3. Select **Create a Group** and enter a name and description for your new group.
4. Select **Create group** to confirm your changes. The **Group members** tab displays.
5. Select **Add members**.
6. Select the relevant members you want to include in the group and select **Add to Group**.

### Assign a Permission Policy

With your Group created, you can now add a [Permission Policy](https://developers.cloudflare.com/fundamentals/manage-members/policies/) to your Group.

**Dashboard**

1. In the **Groups** tab under **Permission policies**, select **Add a Policy**.
2. Specify the scope and permissions you want applied to the members of the group.
3. Select **Create Policy** to apply it to the group.

**API**

Using the role identifiers from the previous section, you can create a permission policy for your group.

`export ADMIN_ROLE='...' # id field from admin or desired role entry from permission_groups API response`

Example request

```
$ cat <<-PAYLOAD | curl -XPUT -H "Authorization: Bearer $AOT" -H "Content-type: application/json" --data-binary @- https://api.cloudflare.com/client/v4/accounts/$ACCT/iam/user_groups/$PUSHED_GROUP | jq .
{
    "policies": [
        {
            "access": "allow",
            "permission_groups": [{"id": "$ADMIN_ROLE"}],
            "resource_groups": [{
                "scope": {
                    "key": "com.cloudflare.api.account.$ACCT",
                    "objects": [{"key":"*"}]
                }
            }]
        }
    ]
}
PAYLOAD
```

**Reset a policy to an empty state**

If you made a mistake while creating the group policy or need to reset the policy to an empty state, send another PUT request to the group API with an empty `policies` array. The PUT overwrites the group's existing policies with the array you send.

```
$ cat <<-PAYLOAD | curl -XPUT -H "Authorization: Bearer $AOT" -H "Content-type: application/json" --data-binary @- https://api.cloudflare.com/client/v4/accounts/$ACCT/iam/user_groups/$PUSHED_GROUP | jq .
{
    "policies": []
}
PAYLOAD
```
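Since the PUT in both requests above overwrites the group's policies, it helps to preview which grants a request body adds and removes before sending it. The following is an added example, not Cloudflare code: it compares a group's current `policies` array with a proposed body in the shape shown above. All identifiers are labelled placeholders, and the current state is constructed.

```python
# Added example (not Cloudflare code): preview what a PUT to the user group
# endpoint would change, given that the body overwrites the group's policies.
import json

# Placeholders, not real identifiers.
SCOPE_KEY = "com.cloudflare.api.account.ACCOUNT_ID_PLACEHOLDER"
ROLE_ADMIN = "ROLE_ID_ADMIN_PLACEHOLDER"
ROLE_READ = "ROLE_ID_READ_PLACEHOLDER"


def make_policy(role_id, object_key="*"):
    """Build one policy in the shape of the request body shown above."""
    return {
        "access": "allow",
        "permission_groups": [{"id": role_id}],
        "resource_groups": [
            {"scope": {"key": SCOPE_KEY, "objects": [{"key": object_key}]}}
        ],
    }


def flatten(policies):
    """Expand a policies array into a set of (access, role_id, scope_key, object_key)."""
    grants = set()
    for policy in policies:
        for pg in policy.get("permission_groups", []):
            for rg in policy.get("resource_groups", []):
                scope = rg.get("scope", {})
                for obj in scope.get("objects", []):
                    grants.add((policy.get("access"), pg.get("id"),
                                scope.get("key"), obj.get("key")))
    return grants


def order_key(grant):
    """Sort key that tolerates missing (None) fields in a malformed policy."""
    return tuple(str(part) for part in grant)


def preview_put(current_policies, request_body):
    """Return grants added and removed by the PUT, wildcard grants left, and a reset flag."""
    proposed = json.loads(request_body)["policies"]
    before, after = flatten(current_policies), flatten(proposed)
    return {
        "added": sorted(after - before, key=order_key),
        "removed": sorted(before - after, key=order_key),
        # "*" under the account scope key covers every object in the account.
        "wildcard": sorted((g for g in after if g[3] == "*"), key=order_key),
        "reset": not proposed,
    }


# Constructed current state: the group holds an admin role across the account.
CURRENT_POLICIES = [make_policy(ROLE_ADMIN)]

# Constructed request bodies: swap admin for a read role, then the empty reset.
SWAP_BODY = json.dumps({"policies": [make_policy(ROLE_READ)]})
RESET_BODY = json.dumps({"policies": []})

if __name__ == "__main__":
    print(preview_put(CURRENT_POLICIES, SWAP_BODY))
    print(preview_put(CURRENT_POLICIES, RESET_BODY))
```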

## Create a User Group with SCIM

Customers with the SCIM integration configured can sync User Groups from an upstream identity provider to Cloudflare. Cloudflare's SCIM integration requires one external application per account.

Note

If you use the [Cloudflare dashboard SCIM integration](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/), you can sync Groups from an upstream Identity Provider. This allows you to centralize user and group management at your identity provider.

Note that when managing User Groups via SCIM:

* You cannot change the group's name or members, or delete the group, manually from the Cloudflare dashboard or API.
* The integration requires one external SCIM application per Cloudflare account.
* Cloudflare does not currently support updating user profile fields (`firstName`, `lastName`, or `email`) via SCIM. If those attributes change in your IdP, they will not be updated in Cloudflare. These values are only set during initial provisioning.

To set up a user group with SCIM, refer to the [Provisioning with SCIM guide](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/).

### Set up permissions for User Groups

After a user group is created, either manually in the Cloudflare dashboard or through the SCIM integration, the final step is to attach permissions to it.

**Dashboard**

1. Go to **Manage members** \> **Members** \> **User groups**.
2. Select the user group you want to attach permissions to.
3. Select the **Permission policies** tab and select **Add policy**.
4. Choose the scope and role that you want to apply to the policy.
5. Select **Save** to apply the policy.

**API**

Before you begin, confirm the groups that were created internally or have been pushed to Cloudflare by using the command below.

**1\. Get user groups**

Example request

```
$ curl -X GET -H "Authorization: Bearer $AOT" https://api.cloudflare.com/client/v4/accounts/$ACCT/iam/user_groups | jq .
```

Example response

```
{
    "errors": [],
    "messages": [],
    "result": [
        {
            "created_on": "2025-01-24T15:31:36.759979Z",
            "id": "f234f49f66df4db8864c5189fe78c87f",
            "modified_on": "2025-01-24T15:35:50.151764Z",
            "name": "My Cool Demo Group",
            "status": "V"
        },
        {
            "created_on": "2025-01-16T20:43:01.019311Z",
            "id": "7148c1e4d9f247f5b6dcd3ef20f998f9",
            "modified_on": "2025-01-16T20:44:07.627233Z",
            "name": "My Cool Demo Group, now with policies!",
            "policies": [
                {
                    "access": "allow",
                    "created_on": "2025-01-16T20:44:07.627233Z",
                    "id": "8d82cf8c15c64e07a4bee58e00d80bca",
                    "modified_on": "2025-01-16T20:44:07.627233Z",
                    "permission_groups": [
                        {
                            "created_on": "2023-06-21T18:58:29.907496Z",
                            "id": "a1a099e3256942259bfde18c688b67d5",
                            "meta": {
                                "description": "Grants write access to Page Shield for domain",
                                "editable": "false",
                                "label": "domain_page_shield",
                                "scopes": "com.cloudflare.api.account.zone"
                            },
                            "modified_on": "2023-06-21T18:58:29.907496Z",
                            "name": "Domain Page Shield",
                            "permissions": ["dev note: snipped for length"],
                            "status": "V"
                        }
                    ],
                    "resource_groups": [
                        {
                            "created_on": "2025-01-16T20:44:07.627233Z",
                            "modified_on": "2025-01-16T20:44:07.627233Z",
                            "scope": {
                                "key": "com.cloudflare.api.account.a3324a084cd290080b563ab39c91545a",
                                "objects": [
                                    {
                                        "key": "*"
                                    }
                                ]
                            }
                        }
                    ],
                    "status": "V"
                }
            ],
            "status": "V"
        }
    ],
    "result_info": {
        "count": 2,
        "page": 1,
        "per_page": 100,
        "total_count": 2,
        "total_pages": 1
    },
    "success": true
}
```

**2\. Make a query against the resource ID**

Locate the tag of the group you pushed from the IdP and use it to make a direct query against its resource ID:

`export PUSHED_GROUP='...' # Pull this value from the "id" json field in the group list response`

Example request

```
$ curl -XGET -H "Authorization: Bearer $AOT" https://api.cloudflare.com/client/v4/accounts/$ACCT/iam/user_groups/$PUSHED_GROUP | jq .
```

The response for this should have the group name that was specified in the identity provider with no attached policies.

**3\. Review available permission groups**

Before you modify the group's policies, review the available permission groups (roles) on the account by querying its API.

Example request

```
$ curl -XGET -H "Authorization: Bearer $AOT" https://api.cloudflare.com/client/v4/accounts/$ACCT/iam/permission_groups | jq .
```

Example response

```
{
  "result": [
    {
      "id": "1a0fc8bdeae24387b64d5b8de1ad052a",
      "name": "Administrator Read Only",
      "status": "V",
      "meta": {
        "description": "Can access the full account in read-only mode.",
        "editable": "false",
        "label": "admin_readonly",
        "scopes": "com.cloudflare.api.account"
      },
      "created_on": "2020-07-06T12:19:13.099114Z",
      "modified_on": "2020-10-13T11:18:00.208228Z"
    },
    {
      "id": "ce2c69b09baf4ca38223910a8b7e07a9",
      "name": "Administrator",
      "status": "V",
      "meta": {
        "description": "Can access the full account, except for membership management and billing.",
        "editable": "false",
        "label": "admin",
        "scopes": "com.cloudflare.api.account"
      },
      "created_on": "2020-07-06T12:19:13.099114Z",
      "modified_on": "2020-10-13T11:18:00.208228Z"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

Note

These permission groups are from our staging environment and tags will not function in your production deployment.
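The review in steps 1 to 3 can be automated before and after policies are attached. The following Python is an added example, not Cloudflare's code: it reads a user-groups list response in the shape shown above and reports groups with no policies, `allow` policies whose resource scope is the whole account with a `*` object key, and listings that span more than one page. The sample response, its placeholder ids, the function names and the choice of `admin` as the privileged role label are assumptions made for illustration.

```python
"""Audit a user-groups list response for empty and account-wide policies."""
import json

# Constructed sample in the shape of the "Get user groups" response;
# every id below is a placeholder, not a real account, group or role id.
SAMPLE_RESPONSE = json.loads("""
{
  "success": true,
  "errors": [],
  "result": [
    {"id": "GROUP_ID_1", "name": "Pushed from IdP", "status": "V"},
    {"id": "GROUP_ID_2", "name": "Page Shield editors", "status": "V",
     "policies": [{
       "access": "allow",
       "permission_groups": [{"id": "ROLE_ID_1", "name": "Domain Page Shield",
                              "meta": {"label": "domain_page_shield"}}],
       "resource_groups": [{"scope": {
         "key": "com.cloudflare.api.account.ACCOUNT_ID",
         "objects": [{"key": "*"}]}}]
     }]},
    {"id": "GROUP_ID_3", "name": "Ops", "status": "V",
     "policies": [{
       "access": "allow",
       "permission_groups": [{"id": "ROLE_ID_2", "name": "Administrator",
                              "meta": {"label": "admin"}}],
       "resource_groups": [{"scope": {
         "key": "com.cloudflare.api.account.ACCOUNT_ID",
         "objects": [{"key": "*"}]}}]
     }]}
  ]
}
""")

ACCOUNT_SCOPE_PREFIX = "com.cloudflare.api.account."


def covers_whole_account(resource_group):
    """True when the scope is an account key paired with a '*' object key.

    Reading '*' as "every object in scope" is this example's assumption,
    based on the request and response bodies shown on the page.
    """
    scope = resource_group.get("scope", {})
    return scope.get("key", "").startswith(ACCOUNT_SCOPE_PREFIX) and any(
        obj.get("key") == "*" for obj in scope.get("objects", [])
    )


def role_label(permission_group):
    """Prefer the stable meta.label, fall back to the display name."""
    return permission_group.get("meta", {}).get("label") or permission_group.get("name", "?")


def audit_user_groups(response, privileged_labels=frozenset({"admin"})):
    """Return one finding per group or policy that deserves a second look."""
    if not response.get("success"):
        raise ValueError(f"API call failed: {response.get('errors')}")

    findings = []
    for group in response.get("result", []):
        policies = group.get("policies") or []
        if not policies:
            # A group synced from the IdP grants nothing until a policy is attached.
            findings.append({"group": group["name"], "issue": "no_policies", "roles": []})
            continue
        for policy in policies:
            if policy.get("access") != "allow":
                continue
            if not any(covers_whole_account(rg) for rg in policy.get("resource_groups", [])):
                continue
            labels = sorted(role_label(pg) for pg in policy.get("permission_groups", []))
            issue = "privileged_account_wide" if privileged_labels & set(labels) else "account_wide"
            findings.append({"group": group["name"], "issue": issue, "roles": labels})

    # result_info reports paging; a partial listing must not pass as a full audit.
    info = response.get("result_info", {})
    if info.get("total_pages", 1) > info.get("page", 1):
        findings.append({"group": None, "issue": "incomplete_listing", "roles": []})
    return findings


if __name__ == "__main__":
    for finding in audit_user_groups(SAMPLE_RESPONSE):
        print(finding)
```

To run it against a live account, save the output of the step 1 request to a file and pass `json.load(open(path))` to `audit_user_groups`.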

## Inspect Group Members

To verify the IdP synchronized the group and user members pushed in the SCIM operation, query the Group Members API.

Example request

```
$ curl -XGET -H "Authorization: Bearer $AOT" https://api.cloudflare.com/client/v4/accounts/$ACCT/iam/user_groups/$PUSHED_GROUP/members | jq .
```

Example response

```
{
  "result": [
    {
      "id": "a4366a09c43a0b0c4606dc5528472bb6",
      "email": "luke.skywalker@rebelalliance.net"
    },
    {
      "id": "0329c17f6c13f5202dc38d2036efb1a9",
      "email": "arya.stark@winterfell.place"
    }
  ],
  "result_info": {
    "page": 1,
    "per_page": 100,
    "total_pages": 1,
    "count": 2,
    "total_count": 2
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

---

---
title: User profiles
description: Each user has a profile that contains several settings, such as Communication preferences and Language preferences.
image: https://developers.cloudflare.com/core-services-preview.png
---

# User profiles

Each user has a profile that contains several settings, such as [Communication preferences](https://developers.cloudflare.com/fundamentals/user-profiles/customize-account/#notifications) and [Language preferences](https://developers.cloudflare.com/fundamentals/user-profiles/customize-account/#language).

To access your profile, select the user icon and then **My Profile** from any page within the [Cloudflare dashboard ↗](https://dash.cloudflare.com).

---

---
title: Two-factor authentication
description: We recommend that all Cloudflare user account holders enable two-factor authentication (2FA) to keep your accounts secure.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Two-factor authentication

We recommend that all Cloudflare user account holders enable two-factor authentication (2FA) to keep your accounts secure. 

2FA can only be enabled successfully on an account with a [verified email address](https://developers.cloudflare.com/fundamentals/user-profiles/verify-email-address/). If you do not verify your email address first, you may lock yourself out of your account.

Warning

Super Administrators can turn on **2FA Enforcement** to require all members to enable 2FA. If you are not a Super Administrator, you will be forced to turn on 2FA prior to accepting the invitation to join a Cloudflare account as a member.

To enable two-factor authentication for your Cloudflare login:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login).
2. Under the **My Profile** dropdown, select **My Profile**.
3. Select **Authentication**.
4. Select **Manage** in the Two-Factor Authentication card.
5. Configure either a [TOTP mobile app](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-totp-mobile-application-authentication), [security key](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-security-key-authentication-for-two-factor-cloudflare-login), or [email 2FA](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-email-two-factor-authentication).

Note

Cloudflare recommends that users enable at least two different 2FA factors and safely store [backup codes](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#regenerate-backup-codes) to prevent lockouts.

## Configure security key authentication for two-factor Cloudflare login

Warning

Security keys only work with browsers that support the WebAuthn protocol.

A security key provides phishing-resistant multifactor authentication to your Cloudflare account using a built-in authenticator (Apple Touch ID, Android fingerprint, or Windows Hello) or an external hardware key (like [YubiKey ↗](https://www.yubico.com/works-with-yubikey/catalog/cloudflare/)) that connects to your computer through USB-A, USB-C, NFC, or Bluetooth.

Cloudflare recommends configuring multiple security keys. With multiple keys, you can still use 2FA if the primary key is unavailable or if you are working on a different device.

After [enabling 2FA on your Cloudflare account](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-totp-mobile-application-authentication), you can select **Manage** to configure 2FA security key authentication.

### Built-in authenticators

You can configure a built-in authenticator such as Apple Touch ID, Android fingerprint, or Windows Hello.

1. In **Security Key Authentication**, select **Add**.
2. On the **Add a Security Key** screen, enter your Cloudflare password and select **Next**.
3. Interact with your built-in authenticator to add it to your Cloudflare account.
4. Enter a name for the built-in authenticator. If this is the initial setup, you will be prompted to generate backup codes. If not, skip to Step 8.
5. Enter your Cloudflare password.
6. Select **Next** to review your backup codes. Backup codes can be used to access your user account without your mobile device.
7. Select **Download**, **Print**, or **Copy** to save your backup codes in a secure location.
8. Select **Next** to finish the configuration.

### Security keys

You can configure a security key, such as a YubiKey, to use with your account. Before you begin, ensure your hardware security key is configured and plugged in.

On a Windows device, you may need to set up Windows Hello or register your security key to your Microsoft account. Review the Windows documentation for more details.

1. Once your security key is plugged in, go to **Profile** \> **Authentication**.
2. From **Two-Factor Authentication**, select **Set up**.
3. From **Security Key Authentication**, select **Add**.
4. Enter your Cloudflare password on the **Add a Security Key** screen, then select **Next**.
5. Interact with your security key to add it to your Cloudflare account. Ensure that the dialog is for the security key setup. If the Windows Hello dialog appears on a Windows device, select **Cancel**. The security key dialog box will then appear. Depending on your system, you may be required to register a PIN for the security key.
6. Enter a name for the security key. If this is the initial setup, you will be prompted to generate backup codes. If not, skip to Step 8.
7. Enter your Cloudflare password.
8. Select **Next** to review your backup codes. Backup codes can be used to access your user account without your mobile device.
9. Select **Download**, **Print**, or **Copy** to save your backup codes in a secure location.
10. Select **Next** to finish the configuration.

## Configure TOTP mobile application authentication

Time-based one-time password (TOTP) authentication works by using an authenticator app, such as Google Authenticator or Microsoft Authenticator, which generates a secret code shared between the app and a website. When you log in to the website, you enter your username, password, and the secret code generated from the authenticator app. The secret code is only valid for a short period of time, about 30 to 60 seconds, before a new code is generated.

1. Once your security key is plugged in, go to **Profile** \> **Authentication**.
2. From **Two-Factor Authentication**, select **Set up**.
3. Under **Mobile App Authentication**, select **Add**.
4. Scan the QR code with your mobile device and enter the code from your authenticator application.
5. Enter your Cloudflare password, then select **Next**. If you cannot scan the QR code, select **Can't scan QR code, Follow alternative steps** to configure your authenticator application manually.
![You can enable 2FA by scanning a QR code with your mobile device.](https://developers.cloudflare.com/_astro/2FA_scan_QR_code.t5BNYUYn_VVv4H.webp) 
6. Enter your Cloudflare password again.
7. Select **Next** to review your backup codes. You can use backup codes to access your account without your mobile device.
8. Select **Download**, **Print**, or **Copy** to save your backup codes in a secure location.

Note

To avoid being locked out of your account, be sure to generate and save your recovery codes. If you forget your password and cannot receive the reset code or lose access to your phone with the authenticator app, you can use the recovery codes to access your account.

You can regenerate your backup codes at any time using the Cloudflare dashboard.

9. Select **Next** on the backup code page to complete the recovery code setup.

### Reconfigure TOTP mobile application authentication

You may need to reconfigure your mobile application authentication if you join a new organization or lose access to your mobile device. When you reconfigure your mobile application authentication, your previous TOTP codes are invalid.

Note

Reconfiguring TOTP mobile application authentication does not turn off 2FA.

To reconfigure, follow [Steps 1-7](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-totp-mobile-application-authentication) as detailed above.

## Configure email two-factor authentication

Email 2FA works by sending a TOTP code to your email address. This is a good option, particularly if you are concerned about losing a hardware-based key.

1. Navigate to **User Profile**, then **Authentication**.
2. Under **Two-Factor Authentication**, select **Set up**.
3. Under **Email Authentication**, select **Enable**.
4. You will be prompted to enter your password twice, and then be shown recovery codes. Save these somewhere safe like a password manager.

## Regenerate backup codes

Each backup code is one-time use only, but you can always request a new set of backup codes using the Cloudflare dashboard. This is useful if you have lost access to or used all of your previous backup codes.

Note

Regenerating your backup codes will invalidate your previous codes.

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select **My Profile**.
3. Select **Authentication**.
4. For **Two-Factor Authentication**, select **Manage**.
5. For **Backup codes**, select **Regenerate** to generate and save a new set of two-factor backup codes.

## Disable two-factor authentication for your Cloudflare account

To disable 2FA for your Cloudflare account, you must delete all security keys and TOTP authenticators from your account.

Note

If you are not the Super Administrator of an organization with **2FA Enforcement** enabled, you may not have permission to disable 2FA.

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select **Profile**.
3. Select **Authentication**.
   * To remove your security key:
     1. Select **Edit** in the **Security Key Authentication** card. A drop-down menu shows more details about your security key.
     2. Select **Delete**.
     3. Enter your Cloudflare password, then select **Remove**.
   * To remove your TOTP mobile application authentication:
     1. Select **Delete method** in the **Mobile App Authentication** card.
     2. Enter your Cloudflare password, authenticator application code, or a recovery code, then select **Disable**.
![how to disable your TOTP mobile application authentication.](https://developerdocsgifs.cloudflaretraining.com/resampled_5fps_disable_mobile_auth_v2_final.gif) 

## Use a backup code

If you lose access to a mobile device, security key, or authentication code, you can solve these issues by using a backup code or retrieving a backup code from your preferred authentication app.

Refer to Google's documentation to [transfer Google Authenticator codes from one Android device to another ↗](https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DAndroid&hl=en&oco=0).

When setting up 2FA, you should have saved your backup codes in a secure location. To restore lost access using a Cloudflare backup code:

1. Retrieve the backup code from where you stored it.
2. Go to the [Cloudflare login page ↗](https://dash.cloudflare.com/login), enter your username and password and select **Log in**.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
3. You should see a page titled **Two-Factor Authentication**  
   * If it has a text box, enter one of your backup codes and select **Log in**.  
   * If instead you see "Insert your security key and touch it", cancel any prompts from your browser that appear and select **try another authentication method or backup code**. Proceed to enter one of your backup codes and select **Log in**.

Note

Once you use a backup code, it becomes invalid.

## Related resources

* [Google Authentication documentation ↗](https://support.google.com/accounts/answer/1066447?hl=en&ref%5Ftopic=2954345&co=GENIE.Platform%3DiOS&oco=0)
* [YubiKey documentation ↗](https://www.yubico.com/works-with-yubikey/catalog/cloudflare/)
* [Set up multi-user accounts on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-members/)
* [Account recovery](https://developers.cloudflare.com/fundamentals/user-profiles/account-recovery/)

---

---
title: Account recovery
description: If you do not have access to your 2FA account or backup codes and cannot currently generate a 2FA code, use a verified device that you have logged in from before to request a temporary access code.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Account recovery

If you do not have access to your 2FA account or backup codes and cannot currently generate a 2FA code, use a verified device that you have logged in from before to request a temporary access code.

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login).  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. On the **Two-Factor Authentication** page, select **Try recovery** on **Lost all 2FA devices and backup codes?**.
3. Select **Begin recovery**.
4. An access code will be sent to the email address associated with your Cloudflare account.
5. Enter the temporary access code into the Cloudflare Dashboard and select **Verify email**.
6. Select **Verify device**. This checks whether you are using a device that has previously logged into your account.

If you see **Device verified**, you will receive an email within 3-5 days with instructions to regain access to your account. It is important to note this process cannot be expedited, so you will need to wait until that email arrives before you can proceed.

If you see **Device verification failed**, you may be able to try again considering the following:

* If you clear your cookies often or are logging in from a different IP address, you have wiped Cloudflare's memory of your device and will need to use a different device to verify.
* Your browser may be set to clear cookies on exit or after browser or OS upgrades. This interferes with the device verification process.
* You may be using anti-malware or other software that automatically clears your browser cookies and makes your device unrecognizable by Cloudflare's Dashboard.

If you are still unable to verify your device, follow the instructions to _Request manual verification_ on the **Device verification failed** page.

---

---
title: Email address and password
description: Learn how to change your email address or password associated with your account.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Email address and password

## Change email address

Note

You cannot change your email address if your administrator has [enabled single sign-on (SSO)](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) or if you did not successfully verify the original email address.

For example, if the email address was entered incorrectly or is a non-working email address, you will need to create a new account with a working email address and [move domains](https://developers.cloudflare.com/fundamentals/manage-domains/move-domain/).

To change the email address associated with your Cloudflare account:

1. Go to your [Profile ↗](https://dash.cloudflare.com/?to=/:account/profile).
2. Select your account.
3. In the Email Address panel, select **Change Email Address**.
4. In the dialog, enter your new email address in **New email** and **Confirm email**.
5. Enter your current password.
6. Select **Save**.

Billing and notification email addresses must be updated separately

The process above will update your user profile email, but you may have specified separate emails to receive [billing invoices](https://developers.cloudflare.com/billing/invoices/#enable-email-invoices-from-cloudflare) and other types of [notifications](https://developers.cloudflare.com/notifications/get-started/#edit-a-notification). You will also need to update those email addresses if you want to receive those emails at your new address.

## Change password

Note

If your administrator has [enabled Single sign-on (SSO)](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/), you cannot change your **Authentication** settings.

To change your Cloudflare password:

1. Go to your [Profile ↗](https://dash.cloudflare.com/?to=/:account/profile).
2. Select your account.
3. Select **Authentication**.
4. On **Password**, select **Change Password**.
5. Change your password and select **Save**.

For added account security, consider changing your [API tokens](https://developers.cloudflare.com/fundamentals/api/how-to/roll-token/) as well.

## Forgot your email address

Note

If you are an Enterprise customer and forgot the email address associated with your account, contact your Customer Success Manager.

If you forget the email address associated with your application:

1. Go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login) and select **Forgot your email?**.
2. Enter your domain name.
3. Cloudflare will send an email to the email address associated with your domain name. If you do not receive an email within 20 minutes, check your spam folder. The message will be sent from `no-reply@cloudflare.com` or `noreply@notify.cloudflare.com`.

## Forgot your password

You must be logged out of the Cloudflare dashboard to view the **Forgot your password?** option.

If you forget the password associated with your email address:

1. Go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login) and select **Forgot your password?**.
2. Enter your email address.
3. Cloudflare will send an email with instructions to reset your password. If you do not receive an email within 20 minutes, check your spam folder. The message will be sent from `no-reply@cloudflare.com` or `noreply@notify.cloudflare.com`.

Note

This process does not affect your account or share your email address with anyone.

If you still cannot access the email address associated with your Cloudflare account, you may need to [move your domain to another account](https://developers.cloudflare.com/fundamentals/manage-domains/move-domain/).

Cloudflare requires these steps to prevent account hijacking.

---

---
title: Profile settings
description: From your Profile, you can modify settings that affect the Cloudflare dashboard.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Profile settings

From your Profile, you can modify settings that affect the Cloudflare dashboard.

## Language

Change the language used throughout the Cloudflare dashboard.

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **Profile**.
3. From **Settings** \> **Language**, select a language.

Your dashboard will update to the new language automatically.

## Dashboard appearance

Adjust how the Cloudflare dashboard appears on your device.

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **Profile**.
3. From **Settings** \> **Dashboard appearance**, choose a value:  
   * **Dark**: Defaults to darker colors.  
   * **Light**: Defaults to lighter colors.  
   * **Use system setting**: Defaults to the option used on your device.

Your dashboard display will update to the new appearance setting automatically.

## Notifications

Choose the type of notifications you receive from Cloudflare, such as marketing announcements or insights about your domain.

To update the communication preferences for your profile (which requires a [verified email address](https://developers.cloudflare.com/fundamentals/user-profiles/verify-email-address/)):

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **Profile**.
3. Select **Notifications**.
4. Choose the categories of notifications you want to receive. Your choices are saved automatically.

Note

All email notifications from Cloudflare are sent from [noreply@notify.cloudflare.com](mailto:noreply@notify.cloudflare.com). If you are not receiving emails from Cloudflare, you may have marked Cloudflare as spam.

To continue receiving emails, make sure Cloudflare is added as a trusted sender.

Refer to [Cloudflare Notifications](https://developers.cloudflare.com/notifications/) to receive information about your account, such as denial-of-service attacks or server issues.

## Timezone

Choose to set the timezone in the Cloudflare dashboard as Coordinated Universal Time (UTC) or your browser or system's timezone.

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select your **Profile**.
3. Select **Set Timezone** and choose either **Standard (UTC)** or **Local (CST)**.

The page reloads to apply the new setting.

---

---
title: Delete your Cloudflare account
description: If your account uses Single-Sign On (SSO), your super administrator may need to delete your account on your behalf.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Delete your Cloudflare account

Note

These steps do not apply to accounts under contract. Contact your account team for more information.

## Who can delete their account

If your account uses [Single-Sign On (SSO)](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/), your super administrator may need to delete your account on your behalf.

If your account does not use SSO, you can delete your account on your own.

## Prerequisites

Before Cloudflare can cancel your account and delete your personal information, you will need to follow the process below for each domain associated with your Cloudflare account:

* [Cancel your subscriptions or add-on services](https://developers.cloudflare.com/billing/cancel-subscription/)
* [Remove your domain from Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/remove-domain/)
* [Remove Cloudflare nameservers at your domain registrar](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
* [Disable auto-renew for your Registrar domain(s)](https://developers.cloudflare.com/registrar/account-options/renew-domains#set-up-automatic-renewals)
* If you are using a Cloudflare [CNAME setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), [update your DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/#edit-dns-records) at your DNS provider to point to your website IPs or hostnames instead of Cloudflare.
* [Delete payment information](https://developers.cloudflare.com/billing/update-billing-info/#delete-a-payment-method)
* (_Optional_) [Download a copy of your invoices](https://developers.cloudflare.com/billing/invoices/#download-invoice). Once deleted, the invoices will no longer be accessible and cannot be re-sent to you.

## Delete your Cloudflare account

When you sign up for Cloudflare, we create a user profile for you and an account named `youremail@example.com's account`, and your user profile is the admin for the newly created account. Your user profile is where you manage preferences like your password or language, while your account is where you'll manage Cloudflare product configurations.

Note

Your user profile can be invited to other Cloudflare accounts, so you may have access to more than one account.

When you delete your profile, the account associated with your profile and any accounts where you are the last active member will also be deleted. Deleting your account is permanent. Any accounts where you are the primary owner will also be deleted and any other users on those accounts will be removed.

After you delete your profile, you can use the email address with your profile to create a new account. In most cases, your email should be freed up to be used in a new signup right away. However, this may not be the same for users who have a lock on their account (for legal purposes).

All domains, subscriptions, and billing information on your account will be removed from Cloudflare.

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select **My Profile**.
3. Select **Delete this user**.
4. Select **Delete user**.
5. Follow the prompts to finish deleting your account.

Note

Cloudflare will purge your personal information within a year of a deletion request unless required to retain it for legal obligations (such as ongoing abuse investigations or pending litigation). Refer to the [Cloudflare Data Processing Addendum ↗](https://www.cloudflare.com/cloudflare-customer-dpa/) for further information about the deletion of personal information following the cancellation of your account.


---

---
title: Log in to Cloudflare
description: Go to the Cloudflare dashboard and choose your sign-in option.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Log in to Cloudflare

Go to the Cloudflare dashboard and choose your [sign-in option](#sign-in-options).

[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home) 

## Sign-in options

Cloudflare offers the following sign-in options:

### Email and password

Enter your email address and password.

### Single Sign-On (SSO)

If your admin has [enabled SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/), enter your email address.

### Social login

Social login allows you to sign in with a trusted third-party sign-in service such as Apple, Google, or GitHub. Social login is only available for accounts with a verified email address, or accounts that signed up via social login initially. If you have additionally configured two-factor authentication on your account, that will be presented in addition to any login and two-factor authentication provided by the social login provider.

Note

If you log in to your Cloudflare user account with Single Sign-On (SSO), you will not be able to use social login.

Warning

If you use social login to sign in, your user profile will not have a password associated with it at first. Some operations, such as enabling 2-Factor Authentication or creating API tokens, require setting a password.

To set a password, go to [Forgot Password ↗](https://dash.cloudflare.com/forgot-password) in the Cloudflare dashboard, paste your email address, and click **Send**. You will receive an email with instructions to set your password. Once created, use your email and the new password to log in.

#### Sign in with Apple

* **Same Cloudflare account email as Apple ID**: You can sign in with either your email and password or sign in with Apple.
* **Different Cloudflare account email than Apple ID**: This option creates a new Cloudflare account. If you want to log in to an existing account, [change your email address](https://developers.cloudflare.com/fundamentals/user-profiles/change-password-or-email/) to match the one used for your Apple ID.

If you chose to share your email when creating a Cloudflare account with Apple ID and want to set a password and obtain an API key, go to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login) login page and select **Forgot your password?** to trigger a password reset email.

If you have chosen to hide your email when creating a Cloudflare account with Apple ID, resetting your password will not work. You can use the suggested workaround below:

1. [Add a new member to your account](https://developers.cloudflare.com/fundamentals/manage-members/manage/#add-account-members) using your secondary email address.
2. [Register a new Cloudflare account](https://developers.cloudflare.com/fundamentals/account/create-account/) with your secondary email address and set a password.
3. Access the Cloudflare dashboard with the new user and password to obtain an API key.

Changing your Cloudflare account email address will unlink the login credentials with the Apple ID from your Cloudflare account. If you attempt to log in using the same Apple ID after the email is changed, you will create a new Cloudflare account.

If you created your Cloudflare account using Apple Relay and decide to change your Apple ID or email address, you will be unable to retrieve the Cloudflare account and all login options will be permanently lost.

#### Sign in with Google

* **A Cloudflare account has already been created with your Google account's email**: This option is unavailable at this time, but we are working on the capability to link and unlink social login providers to your Cloudflare account.
* If you select **Sign in with Google** with an email that does not already have a Cloudflare account associated with it, Cloudflare will create a new account and allow you to sign in using the **Sign in with Google** option moving forward.

#### Sign in with GitHub

* Sign in with GitHub uses the [Primary email address ↗](https://docs.github.com/en/account-and-profile/how-tos/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/changing-your-primary-email-address) which is set on your GitHub account. If you change your primary email address in GitHub, you will not be able to log into your Cloudflare account using GitHub social login.
* If you select **Sign in with GitHub** with an email that does not already have a Cloudflare account associated with it, Cloudflare will create a new account and allow you to sign in using the **Sign in with GitHub** option moving forward.


---

---
title: Multi-Factor Email Authentication
description: Cloudflare's Multi-Factor Email Authentication prevents unauthorized access by sending one-time codes to your email.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Multi-Factor Email Authentication

## Overview

Cloudflare uses a Multi-Factor Email Authentication (MFA) method for increased account security. MFA prevents customer account takeovers when attackers gain unauthorized access to an account due to an exposed or easily guessed password.

Cloudflare will challenge any login attempt if the user provides the correct credentials from an unrecognized IP address.

![Cloudflare will send an email when your account is logged into from an unknown IP address.](https://developers.cloudflare.com/_astro/hc-import-account_access_email.CGeKtgax_ZmxEnU.webp) 

Cloudflare challenges the login by sending a one-time code that expires in 30 minutes to the email that we have on file for the account. Once the correct code is provided through the dashboard, your IP will be recorded and further login attempts from that IP address will not be challenged for 90 days.

![When your account is logged into from an unknown IP address, you have to enter an authentication token from an email sent to your email address on file.](https://developers.cloudflare.com/_astro/hc-import-login_authentication.B7wAaxsz_gliIl.webp) 

Note

Email MFA can only be disabled by enabling [two-factor authentication](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/).

## Troubleshoot MFA

Cloudflare emails are sometimes flagged as spam by the recipient's email service. If you are expecting an authentication token, you should check the spam folder for any Cloudflare emails and configure a filter to allow Cloudflare emails from _[no-reply@notify.cloudflare.com](mailto:no-reply@notify.cloudflare.com)_.

Other times, emails are rejected by the recipient email service. Cloudflare will try again, but it will flag your email address after several attempts and no further emails will be sent.

If you still do not receive an email after ensuring your email service is not flagging Cloudflare, contact [Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/).

---

## Related resources

* [Secure user access with two-factor authentication](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/)


---

---
title: Verify email address
description: For security reasons, Cloudflare attempts to verify the email address associated with your account. You cannot perform certain tasks within the Cloudflare dashboard -- for example, adding a new member, changing your email address or updating your communication preferences -- without verifying your email.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Verify email address

For security reasons, Cloudflare attempts to verify the email address associated with your account. You cannot perform certain tasks within the Cloudflare dashboard -- for example, [adding a new member](https://developers.cloudflare.com/fundamentals/manage-members/manage/#add-account-members), [changing your email address](https://developers.cloudflare.com/fundamentals/user-profiles/change-password-or-email/#change-email-address) or [updating your communication preferences](https://developers.cloudflare.com/fundamentals/user-profiles/customize-account/#notifications) -- without verifying your email.

## When creating your account

When you first [create an account](https://developers.cloudflare.com/fundamentals/account/create-account/), Cloudflare automatically sends a message to the email address you provided for your account.

To verify your email:

1. Log in to your email provider and find your recent message from Cloudflare. If you cannot find the message, check your Spam folder.
2. Go to the link in the email.
3. Log in to Cloudflare to verify the email address associated with your account.

Note

If someone else used your email to sign up for a Cloudflare account, you can remove this account by going to our [unintended registration ↗](https://dash.cloudflare.com/unintended-registration) page and entering the information at the end of your confirmation email.

## Resend verification emails

If you cannot find your verification email or your email has expired, request another verification email:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile**.
3. For **Email Address**, select **Send verification email** (if this option is not available, your email has already been verified).

## Verification issues

If you experience issues with your verification link, you might have already verified your email address.

To check your verification:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile**.
3. For **Email Address**, your email address will have `(verified)` added after it.

If your email is still not verified, try clicking the verification link in a different browser or a private window.

If this still does not work, try [resending](#resend-verification-emails) the verification email to get a new verification link.


---

---
title: Domains
description: A domain or domain name (also known as a zone) is the location of a website or application, or what an end user types into their browser to get to your website (example.com).
image: https://developers.cloudflare.com/core-services-preview.png
---


# Domains

A _domain_ or _domain name_ (also known as a _zone_) is the location of a website or application, or what an end user types into their browser to get to your website (`example.com`).

## Get a domain name

You can purchase domain names for your website from a variety of places. Cloudflare offers an at-cost registrar service to [purchase new domain names](https://developers.cloudflare.com/registrar/get-started/register-domain/) or [transfer existing domain names](https://developers.cloudflare.com/registrar/get-started/transfer-domain-to-cloudflare/).

Refer to [Account and domain management best practices](https://developers.cloudflare.com/fundamentals/reference/best-practices/) for a detailed list of ways to protect your account and domain.

## Host your domain

A web host keeps your website online so visitors can reach it via the domain name.

Cloudflare does not offer web hosting for most websites, though you can deploy and host JAMstack sites with [Cloudflare Pages](https://developers.cloudflare.com/pages/).

## Add a domain to Cloudflare

For help onboarding a domain to Cloudflare's CDN, refer to our [setup guide](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/).

You will need to [update your domain's nameservers](https://developers.cloudflare.com/dns/zone-setups/full-setup/) and [proxy](https://developers.cloudflare.com/dns/proxy-status/) your web traffic to benefit from caching, DDoS protection, Argo Smart Routing, and other [application security and performance products](https://developers.cloudflare.com/directory/?product-group=Application+performance%2CApplication+security).

## Get free SSL certificates

Cloudflare offers free, unshared, publicly trusted [Universal SSL certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) to all Cloudflare domains.

## Manage subdomains

For more details about subdomains (`www.example.com` or `blog.example.com`), refer to [Manage subdomains](https://developers.cloudflare.com/fundamentals/manage-domains/manage-subdomains/).


---

---
title: Add multiple sites via automation
description: To add multiple sites to Cloudflare at once and more efficiently, you can do so via the Cloudflare API.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Add multiple sites via automation

**Last reviewed:**  2 months ago 

To add multiple sites to Cloudflare at once, and more efficiently, use the Cloudflare API.

Adding multiple sites can be useful when you:

* Have multiple domains mapping back to a single, canonical domain (common for domains in different countries - such as `.com.au`, `.co.uk` - that you want protected by Cloudflare).
* Are a [partner ↗](https://www.cloudflare.com/partners/), agency, or IT consultancy, and manage multiple domains on behalf of your customers.
* Are moving an existing set of sites over to Cloudflare.

Using the API will allow you to add multiple sites quickly and efficiently, especially if you are already familiar with [how to change your nameservers](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/) or [add a DNS record](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/).

This tutorial assumes domains will be added using a [primary DNS setup (full)](https://developers.cloudflare.com/dns/zone-setups/full-setup/).

---

## Prerequisites

To add multiple sites to Cloudflare via automation, you need:

* An existing [Cloudflare account](https://developers.cloudflare.com/fundamentals/account/create-account/).
* A command line with `curl`.
* A Cloudflare [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with one of the following permissions:  
   * Zone-level `Administrator`  
   * Zone-level `Zone: Edit` and `DNS: Edit`  
   * Account-level `Domain Administrator`
* To have disabled [DNSSEC](https://developers.cloudflare.com/dns/concepts/#dnssec) for each domain at your registrar (where you bought your domain name).  
Provider-specific DNSSEC instructions  
This is not an exhaustive list, but the following links may be helpful:  
   * [DNSimple ↗](https://support.dnsimple.com/articles/cloudflare-ds-record/)  
   * [Domaindiscount24 ↗](https://support.domaindiscount24.com/hc/articles/4409759478161)  
   * [DreamHost ↗](https://help.dreamhost.com/hc/en-us/articles/219539467)  
   * [Dynadot ↗](https://www.dynadot.com/help/question/set-DNSSEC)  
   * [Enom ↗](https://support.enom.com/support/solutions/articles/201000065386)  
   * [Gandi ↗](https://docs.gandi.net/en/domain%5Fnames/advanced%5Fusers/dnssec.html)  
   * [GoDaddy ↗](https://www.godaddy.com/help/add-a-ds-record-23865)  
   * [Hostinger ↗](https://www.hostinger.com/support/3667267-how-to-use-dnssec-records-at-hostinger/)  
   * [Hover ↗](https://support.hover.com/support/solutions/articles/201000064716)  
   * [Infomaniak ↗](https://faq.infomaniak.com/2187)  
   * [InMotion Hosting ↗](https://www.inmotionhosting.com/support/edu/cpanel/enable-dnssec-cloudflare/)  
   * [INWX ↗](https://kb.inwx.com/en-us/3-nameserver/131)  
   * [Joker.com ↗](https://joker.com/faq/books/jokercom-faq-en/page/dnssec)  
   * [Name.com ↗](https://www.name.com/support/articles/205439058-managing-dnssec)  
   * [Namecheap ↗](https://www.namecheap.com/support/knowledgebase/article.aspx/9722/2232/managing-dnssec-for-domains-pointed-to-custom-dns/)  
   * [NameISP ↗](https://support.nameisp.com/knowledgebase/dns)  
   * [Namesilo ↗](https://www.namesilo.com/support/v2/articles/domain-manager/ds-records)  
   * [OVH ↗](https://help.ovhcloud.com/csm/en-dns-secure-domain-dnssec?id=kb%5Farticle%5Fview&sysparm%5Farticle=KB0051637)  
   * [Squarespace ↗](https://support.squarespace.com/hc/articles/4404183898125-Nameservers-and-DNSSEC-for-Squarespace-managed-domains#toc-dnssec)  
   * [Registro.br ↗](https://registro.br/tecnologia/dnssec/?secao=tutoriais-dns)  
   * [Porkbun ↗](https://kb.porkbun.com/article/93-how-to-install-dnssec) (do not fill out **keyData**)  
   * [TransIP ↗](https://www.transip.eu/knowledgebase/150-secure-domains-custom-nameservers-dnssec/)  
Note  
If your previous provider allows you to add DNSKEY records on the zone apex and use these records in responses to DNS queries, refer to this [migration tutorial](https://developers.cloudflare.com/dns/dnssec/dnssec-active-migration/) to learn how to migrate a zone with DNSSEC enabled.

---

## 1\. Add domains

1. Create a list of domains you want to add, each on a separate line (newline separated), stored in a file such as `domains.txt`.
2. Create a bash script `add-multiple-zones.sh` and add the following. Add `domains.txt` to the same directory or update its path accordingly.

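```bash
# Loop over the newline-separated domains in domains.txt
for domain in $(cat domains.txt); do
  # Pass the domain as an argument, not as part of the printf format string
  printf 'Adding %s:\n' "$domain"

  # Create Zone request for a full (primary DNS) setup
  curl https://api.cloudflare.com/client/v4/zones \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "account": {
        "id":"<ACCOUNT_ID>"
      },
      "name": "'"$domain"'",
      "type": "full"
    }'

  printf "\n\n"
done
```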

3. Open the command line and run:

```bash
bash add-multiple-zones.sh
```

Warning

There are limitations on the number of domains you can add at a time. Refer to [limitations](#limitations) for details.

After adding a domain, it will be in a [Pending Nameserver Update](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) state.

### Additional options

#### jq

[jq ↗](https://jqlang.github.io/jq/) is a command-line tool that parses and beautifies JSON outputs.

This tool is a requirement to complete any additional option steps in this tutorial.

```bash
echo '{"foo":{"bar":"foo","testing":"hello"}}' | jq .
```

Refer to `jq` [documentation ↗](https://jqlang.github.io/jq/manual/#basic-filters) for more information.

#### Quick scan

Cloudflare offers a [quick scan](https://developers.cloudflare.com/dns/zone-setups/reference/dns-quick-scan/) that helps populate a zone's DNS records. This scan is a best effort attempt based on a predefined list of commonly used record names and types.

This API call requires the domain ID. This can be found in the following locations:

* [Create Zone](https://developers.cloudflare.com/api/resources/zones/methods/create/#Request)
* [List Zones](https://developers.cloudflare.com/api/resources/zones/methods/list/)

Using `jq` with the first option above, modify your script `add-multiple-zones.sh` to extract the domain ID and run a subsequent API call to quick scan DNS records.

```bash
for domain in $(cat domains.txt); do
  printf 'Adding %s:\n' "$domain"

  # Create the zone and keep the JSON response
  add_output=$(curl https://api.cloudflare.com/client/v4/zones \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "account": {
        "id":"<ACCOUNT_ID>"
      },
      "name": "'"$domain"'",
      "type": "full"
    }')

  echo "$add_output" | jq .

  # Extract the domain ID from the Create Zone response
  domain_id=$(echo "$add_output" | jq -r .result.id)

  printf "\n\n"
  printf 'DNS quick scanning %s:\n' "$domain"

  # Trigger the DNS quick scan for the new zone
  scan_output=$(curl --request POST "https://api.cloudflare.com/client/v4/zones/$domain_id/dns_records/scan" \
    --header "X-Auth-Email: <EMAIL>" \
    --header "X-Auth-Key: <API_KEY>")

  echo "$scan_output" | jq .
done
```

## 2\. Update nameservers

For each domain to become active on Cloudflare, it must be activated in either [Full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/) or [Partial setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/setup/). The following script will output a list containing the nameservers associated with each domain.

You can find your zone's nameservers in the following locations:

* [Create Zone](https://developers.cloudflare.com/api/resources/zones/methods/create/#Request)
* [Zone Details](https://developers.cloudflare.com/api/resources/zones/methods/get/)

1. Modify your script `add-multiple-zones.sh` to print a CSV with data from the `Create Zone` JSON response.

```bash
for domain in $(cat domains.txt); do
  printf 'Adding %s:\n' "$domain"

  # Create the zone and keep the JSON response
  add_output=$(curl https://api.cloudflare.com/client/v4/zones \
    --header "Authorization: Bearer <API_TOKEN>" \
    --header "Content-Type: application/json" \
    --data '{
      "account": {
        "id": "<ACCOUNT_ID>"
      },
      "name": "'"$domain"'",
      "type": "full"
    }')

  # Create csv of nameservers
  echo "$add_output" | jq -r '[.result.name,.result.id,.result.name_servers[]] | @csv' >> /tmp/domain_nameservers.csv

  # Extract the domain ID from the Create Zone response
  domain_id=$(echo "$add_output" | jq -r .result.id)

  printf "\n\n"
  printf 'DNS quick scanning %s:\n' "$domain"

  scan_output=$(curl --request POST "https://api.cloudflare.com/client/v4/zones/$domain_id/dns_records/scan" \
    --header "X-Auth-Email: <EMAIL>" \
    --header "X-Auth-Key: <API_KEY>")

  echo "$scan_output" | jq .
done

printf "name_servers are saved in /tmp/domain_nameservers.csv\n"
cat /tmp/domain_nameservers.csv
```

| ID         | ZONE        | NAME SERVERS                                  |
| ---------- | ----------- | --------------------------------------------- |
| <ZONE\_ID> | example.com | arya.ns.cloudflare.com, tim.ns.cloudflare.com |

2. Use the values in the **NAME SERVERS** column to [update the nameservers](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/#update-your-registrar) at the registrar of each domain.

---

## Limitations

There are limitations on the number of domains you can add at a time - specifically, you can only sign up a maximum of 25 domains every 10 minutes.

In addition, if you have over 50 domains and, of those domains, more are pending than active, you will be blocked from adding more. We recommend waiting until your pending sites have been activated before adding more.

## Common issues

If any errors were returned in this process, the domain may not be registered (or only just registered), be a subdomain, or be otherwise invalid. For more details, refer to [Cannot add domain](https://developers.cloudflare.com/dns/zone-setups/troubleshooting/cannot-add-domain/).
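The limits and failure causes described above can be checked before any API call is made. The following pre-flight wrapper is an added example, not Cloudflare's script: it rejects entries that are not plain hostnames (so nothing in `domains.txt` can alter the JSON body), de-duplicates the list, paces requests to 25 per 10 minutes, and reads the token from the environment instead of the script file. `CF_API_TOKEN`, `CF_ACCOUNT_ID` and all function names are assumptions of this example.

```bash
#!/bin/sh
# Added example: pre-flight checks and pacing for a bulk zone add.
# CF_API_TOKEN / CF_ACCOUNT_ID and the function names are this example's own.
# Usage: CF_API_TOKEN=... CF_ACCOUNT_ID=... sh preflight-add-zones.sh domains.txt
LC_ALL=C; export LC_ALL          # make [a-z] ranges byte-exact

BATCH_SIZE=25                    # page: at most 25 domains ...
BATCH_WINDOW=600                 # ... every 10 minutes (in seconds)

# Succeeds only for names made of lowercase letters, digits, '-' and '.',
# with at least two non-empty labels that do not start or end with '-'.
# A name that passes cannot contain quotes or backslashes.
is_valid_domain() {
  [ -n "$1" ] && [ "${#1}" -le 253 ] || return 1
  case $1 in
    *[!a-z0-9.-]*)    return 1 ;;   # any other character
    .*|*.|*..*)       return 1 ;;   # empty label
    -*|*-|*.-*|*-.*)  return 1 ;;   # label starts or ends with '-'
    *.*)              return 0 ;;
    *)                return 1 ;;   # single label, e.g. "localhost"
  esac
}

# Print the unique, valid, lowercased names from file $1 on stdout and
# report rejected entries on stderr. Handles CRLF files and blank lines.
clean_domain_list() {
  tr -d '\r' < "$1" | tr 'A-Z' 'a-z' | awk 'NF && !seen[$1]++ { print $1 }' |
  while IFS= read -r name; do
    if is_valid_domain "$name"; then
      printf '%s\n' "$name"
    else
      printf 'skipping invalid entry: %s\n' "$name" >&2
    fi
  done
}

# Seconds to wait before sending request number $1 (1-based) so that no
# more than BATCH_SIZE zone creations fall into one BATCH_WINDOW.
delay_before() {
  if [ "$1" -gt 1 ] && [ $(( ($1 - 1) % BATCH_SIZE )) -eq 0 ]; then
    echo "$BATCH_WINDOW"
  else
    echo 0
  fi
}

# Second limit from the page: with more than 50 domains, adding is blocked
# while pending zones outnumber active ones. $1 = active, $2 = pending.
can_add_more() {
  [ $(( $1 + $2 )) -le 50 ] || [ "$2" -le "$1" ]
}

# Build the Create Zone body for domain $1 and account ID $2. Interpolation
# is safe only because both values are checked for JSON metacharacters first.
zone_payload() {
  is_valid_domain "$1" || return 1
  case $2 in ''|*[!0-9a-zA-Z]*) return 1 ;; esac
  printf '{"account":{"id":"%s"},"name":"%s","type":"full"}' "$2" "$1"
}

main() {
  : "${CF_API_TOKEN:?set CF_API_TOKEN}" "${CF_ACCOUNT_ID:?set CF_ACCOUNT_ID}"
  count=0
  clean_domain_list "$1" | while IFS= read -r domain; do
    count=$((count + 1))
    wait_s=$(delay_before "$count")
    if [ "$wait_s" -gt 0 ]; then
      printf 'rate limit reached, sleeping %s seconds\n' "$wait_s" >&2
      sleep "$wait_s"
    fi
    printf 'Adding %s:\n' "$domain"
    curl --silent --show-error https://api.cloudflare.com/client/v4/zones \
      --header "Authorization: Bearer $CF_API_TOKEN" \
      --header "Content-Type: application/json" \
      --data "$(zone_payload "$domain" "$CF_ACCOUNT_ID")"
    printf '\n\n'
  done
}

# Run only when a domains file is given, so the functions can be reused.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Rejected entries are written to stderr, so redirecting stderr to a file gives a review list of names that were never sent to the API.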


---

---
title: Onboard a domain
description: Learn how to onboard your domain to Cloudflare, to speed up and protect your website or application.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Onboard a domain

After you onboard your domain, Cloudflare will act as the [reverse proxy](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/#cloudflare-as-a-reverse-proxy) and [DNS provider](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/#cloudflare-as-a-dns-provider) for your site.

This guide applies to existing domains that were purchased from another provider, and will use a [full DNS setup](https://developers.cloudflare.com/dns/zone-setups/full-setup), which is the most common configuration. To set this up, you will have to complete a few steps at Cloudflare, but also update some settings at your domain registrar[1](#user-content-fn-1), and at your previous DNS provider (if you were using one).

Cloudflare Registrar

If you need a new domain, you can [buy one from Cloudflare](https://developers.cloudflare.com/registrar/get-started/register-domain/) without markup fees. We will complete the rest of this setup for you.

## Before you begin

* Log in to your registrar and find its DNS settings. If you do not know who your registrar is, you can use a Whois search, such as [ICANN Lookup ↗](https://lookup.icann.org/).
* Make sure you [turn off DNSSEC](https://developers.cloudflare.com/dns/dnssec/#disable-dnssec) before proceeding. You can [activate DNSSEC through Cloudflare](https://developers.cloudflare.com/dns/dnssec/#enable-dnssec) at the end of the onboarding process, to continue protecting your domain from spoofing.  
Provider-specific DNSSEC instructions  
This is not an exhaustive list, but the following links may be helpful:  
   * [DNSimple ↗](https://support.dnsimple.com/articles/cloudflare-ds-record/)  
   * [Domaindiscount24 ↗](https://support.domaindiscount24.com/hc/articles/4409759478161)  
   * [DreamHost ↗](https://help.dreamhost.com/hc/en-us/articles/219539467)  
   * [Dynadot ↗](https://www.dynadot.com/help/question/set-DNSSEC)  
   * [Enom ↗](https://support.enom.com/support/solutions/articles/201000065386)  
   * [Gandi ↗](https://docs.gandi.net/en/domain%5Fnames/advanced%5Fusers/dnssec.html)  
   * [GoDaddy ↗](https://www.godaddy.com/help/add-a-ds-record-23865)  
   * [Hostinger ↗](https://www.hostinger.com/support/3667267-how-to-use-dnssec-records-at-hostinger/)  
   * [Hover ↗](https://support.hover.com/support/solutions/articles/201000064716)  
   * [Infomaniak ↗](https://faq.infomaniak.com/2187)  
   * [InMotion Hosting ↗](https://www.inmotionhosting.com/support/edu/cpanel/enable-dnssec-cloudflare/)  
   * [INWX ↗](https://kb.inwx.com/en-us/3-nameserver/131)  
   * [Joker.com ↗](https://joker.com/faq/books/jokercom-faq-en/page/dnssec)  
   * [Name.com ↗](https://www.name.com/support/articles/205439058-managing-dnssec)  
   * [Namecheap ↗](https://www.namecheap.com/support/knowledgebase/article.aspx/9722/2232/managing-dnssec-for-domains-pointed-to-custom-dns/)  
   * [NameISP ↗](https://support.nameisp.com/knowledgebase/dns)  
   * [Namesilo ↗](https://www.namesilo.com/support/v2/articles/domain-manager/ds-records)  
   * [OVH ↗](https://help.ovhcloud.com/csm/en-dns-secure-domain-dnssec?id=kb%5Farticle%5Fview&sysparm%5Farticle=KB0051637)  
   * [Squarespace ↗](https://support.squarespace.com/hc/articles/4404183898125-Nameservers-and-DNSSEC-for-Squarespace-managed-domains#toc-dnssec)  
   * [Registro.br ↗](https://registro.br/tecnologia/dnssec/?secao=tutoriais-dns)  
   * [Porkbun ↗](https://kb.porkbun.com/article/93-how-to-install-dnssec) (do not fill out **keyData**)  
   * [TransIP ↗](https://www.transip.eu/knowledgebase/150-secure-domains-custom-nameservers-dnssec/)

Note

If you purchased your domain through Cloudflare Registrar, [ICANN ↗](https://www.icann.org/) requires you to verify your registrant email address. If your email is unverified or if the verification has expired, ICANN places a hold on the domain and replaces your nameservers with parking server nameservers (NS). Once you complete verification, your nameservers are automatically restored.

## 1\. Onboard a domain in Cloudflare

1. Log in to the Cloudflare dashboard.  
[ Go to **Domains** ](https://dash.cloudflare.com/?to=/:account/domains/overview)
2. Select **Onboard a domain**.
3. Enter your website's apex domain (for example, `example.com`), choose how you would like to add your [DNS records](https://developers.cloudflare.com/dns/manage-dns-records/), and select **Continue**.  
Note  
If Cloudflare is unable to identify your domain as a registered domain, make sure you are using an existing [top-level domain ↗](https://www.cloudflare.com/learning/dns/top-level-domain/) (`.com`, `.net`, `.biz`, or others).  
Cloudflare requires your apex domain to be one level below a valid TLD defined in the [Public Suffix List (PSL) ↗](https://github.com/publicsuffix/list/blob/master/public%5Fsuffix%5Flist.dat). For instance, `example.com` is valid but `level2.example.com`[2](#user-content-fn-2) or `example.home` are not.
4. Select a [plan ↗](https://www.cloudflare.com/plans/#compare-features).
5. Review your DNS records to ensure none are missing. Your DNS records must be accurate for your domain to work properly. You can do this by comparing the list of records in Cloudflare to the list of records at your previous provider.  
Cloudflare can [automatically scan for your records](https://developers.cloudflare.com/dns/zone-setups/reference/dns-quick-scan/) and add them to the [DNS zone](https://developers.cloudflare.com/dns/concepts/#zone) for you, or you can add records manually. These records show up under your domain on the [**DNS Records** ↗](https://dash.cloudflare.com/?to=/:account/:zone/dns/records) page of the dashboard.  
    
   1. Since the quick scan is not guaranteed to find all existing DNS records, you need to review your records, paying special attention to the following:  
         * [Zone apex records (example.com)](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-zone-apex/)  
         More about zone apex records  
         Zone apex refers to the domain or subdomain that you are [adding to Cloudflare](https://developers.cloudflare.com/dns/concepts/#zone).  
         Usually, the zone apex record makes your domain accessible by visitors. In this case, the necessary record type ([A, AAAA, or CNAME](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution)) and its content will depend on the provider that [hosts](https://developers.cloudflare.com/fundamentals/manage-domains/#host-your-domain) your website or application.  
         If you are using Cloudflare Pages, refer to [Custom domains](https://developers.cloudflare.com/pages/configuration/custom-domains/).  
         If you are using other providers, look for their guidance on how to connect domains managed on external DNS services. Then, make sure you have the records required by your hosting provider on your [DNS records table](https://developers.cloudflare.com/dns/manage-dns-records/#dns-records-table) at Cloudflare.  
         * [Subdomain records (www.example.com or blog.example.com)](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-subdomain/)  
         More about subdomain records  
         Most subdomains serve a specific purpose within the overall context of your website. For example, `blog.example.com` might be your blog, `support.example.com` could be your customer help portal, and `store.example.com` would be your e-commerce site.  
         Even if you do not require specific subdomains, you might want to set up at least a subdomain record on `www`. It will usually point to the same content as what you have on the apex domain (`example.com`) or use a [redirect](https://developers.cloudflare.com/fundamentals/manage-domains/manage-subdomains/#redirect-a-subdomain-to-the-apex-domain). Having a subdomain DNS record on `www` helps guarantee that a visitor who types `www.` in front of your domain address can still find your website or application.  
         * [Email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/)  
         More about email records  
         Depending on your business needs, you can configure DNS records so that you can use your domain to receive emails, receive and send emails from your domain, or prevent others from sending emails on your behalf (spoofing).  
         Below are some examples of what those DNS records might look like. The exact values for your DNS mail records depend on your email provider. If you have issues, review the [Troubleshooting](https://developers.cloudflare.com/dns/troubleshooting/email-issues/) and contact your email service provider to confirm your DNS records are correct.  
         | Type | Name           | Content                       | Proxy status | TTL  |  
         | ---- | -------------- | ----------------------------- | ------------ | ---- |  
         | A    | mail           | 192.0.2.1                     | DNS Only     | Auto |  
         | MX   | example.com    | 5 john.mx.example-server.test | DNS Only     | Auto |  
         | TXT  | \_dmarc        | "v=DMARC1; p=reject; sp=..."  | DNS Only     | Auto |  
         | TXT  | \*.\_domainkey | "v=DKIM1; k=rsa; p=..."       | DNS Only     | Auto |  
         | TXT  | example.com    | "v=spf1 ip4:..."              | DNS Only     | Auto |  
   Note  
   If you activate your domain on Cloudflare _without_ setting up the correct DNS records for your domain and subdomain, your visitors may experience [DNS\_PROBE\_FINISHED\_NXDOMAIN](https://developers.cloudflare.com/dns/troubleshooting/dns-probe-finished-nxdomain/) errors.  
   2. If you find any missing records, [manually add](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) those records.  
   3. Depending on your site setup, you may want to adjust the [proxy status](https://developers.cloudflare.com/dns/proxy-status/) for certain `A`, `AAAA`, or `CNAME` records.  
   Review CNAME records  
   In general, CNAME records being used to verify your domain for third-party services should not be proxied. For details, refer to [Proxied CNAME records](https://developers.cloudflare.com/dns/proxy-status/#cname-records).  
   4. Select **Continue**.
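
One way to carry out the record review in step 5 is to diff a zone export from the previous provider against the records now at Cloudflare. The script below is an added example, not Cloudflare's own tooling: the zone contents are constructed sample data, and the function names (`parse_zone`, `missing_records`, `is_email_auth`, `review`) are assumptions made for illustration.

```python
import re

# Constructed sample: zone file exported from the previous DNS provider.
OLD_ZONE = '''\
$ORIGIN example.com.
@      3600 IN A     192.0.2.10
www    3600 IN CNAME example.com.
blog   3600 IN A     192.0.2.20
mail   3600 IN A     192.0.2.1
@      3600 IN MX    5 john.mx.example-server.test.
@      3600 IN TXT   "v=spf1 ip4:192.0.2.1 -all"
_dmarc 3600 IN TXT   "v=DMARC1; p=reject; sp=reject"
sel1._domainkey 3600 IN TXT "v=DKIM1; k=rsa; " "p=CONSTRUCTED"  ; split string
'''

# Constructed sample: records present at Cloudflare after the quick scan.
NEW_ZONE = '''\
example.com.      1 IN A     192.0.2.10
www.example.com.  1 IN CNAME example.com.
mail.example.com. 1 IN A     192.0.2.1
example.com.      1 IN MX    5 john.mx.example-server.test.
example.com.      1 IN TXT   "v=spf1 ip4:192.0.2.1 -all"
'''

# A quoted string (may contain ';'), a ';' comment, or a bare word.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|;.*|[^\s;"]+')
HOST_RDATA = {"CNAME", "NS", "MX", "SRV"}  # last rdata field is a hostname


def fqdn(name, origin):
    """Lower-case a name and make it absolute, without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}" if origin else name


def parse_zone(text):
    """Parse a simple BIND-style export into a set of (name, type, content).

    Assumes one record per line with the owner name present. TTL and class
    are dropped on purpose: they differ between providers without changing
    what the record resolves to.
    """
    origin, records = "", set()
    for line in text.splitlines():
        tok = [t for t in TOKEN.findall(line) if not t.startswith(";")]
        if not tok:
            continue
        if tok[0].upper() == "$ORIGIN" and len(tok) > 1:
            origin = tok[1].rstrip(".").lower()
            continue
        if tok[0].startswith("$"):  # $TTL and other directives
            continue
        name, rest = fqdn(tok[0], origin), tok[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "TXT":
            # Adjacent quoted strings form one logical TXT value.
            content = "".join(t[1:-1] if t.startswith('"') else t for t in rdata)
        else:
            if rtype in HOST_RDATA:
                rdata[-1] = fqdn(rdata[-1], origin)
            content = " ".join(rdata)
        records.add((name, rtype, content))
    return records


def missing_records(old_text, new_text):
    """Records that exist at the previous provider but not in the new zone."""
    return sorted(parse_zone(old_text) - parse_zone(new_text))


def is_email_auth(record):
    """True for SPF, DMARC and DKIM TXT records (the anti-spoofing records)."""
    name, rtype, content = record
    if rtype != "TXT":
        return False
    return (content.lower().startswith("v=spf1")
            or name.startswith("_dmarc.")
            or "._domainkey." in name)


def review(old_text, new_text):
    """Return [(record, is_email_auth)] for records missing from the new zone."""
    return [(r, is_email_auth(r)) for r in missing_records(old_text, new_text)]


if __name__ == "__main__":
    for (name, rtype, content), auth in review(OLD_ZONE, NEW_ZONE):
        flag = "  <- email authentication (anti-spoofing)" if auth else ""
        print(f"MISSING {rtype:5} {name} {content}{flag}")
```

DKIM selector names are chosen per mail provider, which is why a record such as the constructed `sel1._domainkey` entry has to be checked against the old zone by hand or by a diff like this one.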

## 2\. Update nameservers

Warning

If your domain is particularly sensitive to downtime, review our suggestions to [minimize downtime](https://developers.cloudflare.com/fundamentals/performance/minimize-downtime/).

Your domain will be assigned two authoritative Cloudflare nameservers. Nameservers are specialized servers that store your domain's DNS records and "answer" requests from browsers by providing the specific IP address needed to connect to your website.

Before your domain can begin using Cloudflare for DNS resolution, you need to [add these nameservers](https://developers.cloudflare.com/dns/nameservers/update-nameservers/) at your registrar. DNSSEC should still be **disabled** at this point.

Provider-specific instructions

This is not an exhaustive list of provider-specific instructions, but the following links may be helpful:

* [Ionos ↗](https://www.ionos.com/help/domains/using-your-own-name-servers/using-your-own-name-servers-for-a-domain/)
* [101Domain ↗](https://help.101domain.com/kb/managing-name-server-records)
* [Amazon ↗](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html#domain-name-servers-glue-records-adding-changing)
* [Blacknight ↗](https://help.blacknight.com/hc/articles/4413036322321-How-do-I-change-the-nameservers-for-my-domain)
* [BlueHost ↗](https://www.bluehost.com/help/article/custom-nameservers)
* [DirectNIC ↗](https://directnic.com/knowledge/article/33:how%2Bdo%2Bi%2Bmodify%2Bname%2Bservers%2Bfor%2Bmy%2Bdomain%2Bname%253F)
* [DNSMadeEasy ↗](http://www.dnsmadeeasy.com/support/faq/)
* [Domain.com ↗](https://www.domain.com/help/article/domain-management-how-to-update-nameservers)
* [Dotster ↗](https://www.dotster.com/help/article/domain-management-how-to-update-nameservers)
* [DreamHost ↗](https://help.dreamhost.com/hc/en-us/articles/360038897151)
* [EasyDNS ↗](https://kb.easydns.com/knowledge/settingchanging-nameservers/)
* [Enom ↗](https://help.enom.com/hc/en-us/articles/115000486451-Nameservers-NS)
* [Fast Domain ↗](https://www.fastdomain.com/hosting/help/transfer%5Fclient%5Fstart)
* [FlokiNET ↗](https://billing.flokinet.is/index.php?rp=/knowledgebase/57/Nameserver-and-DNS-records.html)
* [Gandi ↗](https://docs.gandi.net/en/domain%5Fnames/common%5Foperations/changing%5Fnameservers.html)
* [GoDaddy ↗](https://www.godaddy.com/help/change-nameservers-for-your-domain-names-664)
* [HostGator ↗](https://www.hostgator.com/help/article/changing-name-servers)
* [Hostico ↗](https://hostico.ro/docs/setarea-nameserverelor-din-contul-de-client-hostico/)
* [HostMonster ↗](https://my.hostmonster.com/cgi/help/222)
* [Hover ↗](https://support.hover.com/support/solutions/articles/201000064742-changing-your-domain-nameservers)
* [Internetdbs ↗](https://faq.internetbs.net/hc/en-gb/articles/4516921367837-How-to-update-Nameservers-for-a-domain)
* [iPage ↗](https://www.ipage.com/help/article/domain-management-how-to-update-nameservers)
* [MelbourneIT ↗](https://support.melbourneit.au/docs/how-do-i-manage-my-dns-on-cpanel)
* [Moniker ↗](https://support.moniker.com/hc/en-gb/articles/10101271418653-How-to-update-Nameservers-for-a-domain)
* [Name.com ↗](https://www.name.com/support/articles/205934457-registering-custom-nameservers)
* [Namecheap ↗](https://www.namecheap.com/support/knowledgebase/article.aspx/767/10/how-can-i-change-the-nameservers-for-my-domain)
* [Network Solutions ↗](https://www.networksolutions.com/manage-it/edit-nameservers.jsp)
* [OVH ↗](https://docs.ovh.com/gb/en/domains/web%5Fhosting%5Fgeneral%5Finformation%5Fabout%5Fdns%5Fservers/#step-2-edit-your-domains-dns-servers)
* [Porkbun ↗](https://kb.porkbun.com/article/22-how-to-change-your-nameservers)
* [Rackspace ↗](https://support.rackspace.com/how-to/rackspace-name-servers/)
* [Register ↗](https://www.register.com/knowledge)
* [Squarespace ↗](https://support.squarespace.com/hc/articles/4404183898125-Nameservers-and-DNSSEC-for-Squarespace-managed-domains#toc-open-the-domain-s-advanced-settings)
* [Site5 ↗](https://kb.site5.com/dns-2/custom-nameservers/)
* [Softlayer ↗](https://cloud.ibm.com/docs/dns?topic=dns-add-edit-or-delete-custom-name-servers-for-a-domain)
* [Yola ↗](https://helpcenter.yola.com/hc/articles/360012492660-Changing-your-name-servers)

If you cannot change your domain nameservers, you can still use Cloudflare on your website by activating Cloudflare through a [certified hosting partner ↗](https://www.cloudflare.com/en-gb/partners/technology-partners/).

## 3\. Complete SSL/TLS setup

To prevent insecure connections and visitor browser errors, review your [SSL/TLS certificates](https://developers.cloudflare.com/ssl/get-started/). Many Cloudflare services will automatically protect and speed up your web traffic after your nameservers are updated and your DNS records are proxied. For further guidance, refer to [Proxy status](https://developers.cloudflare.com/dns/proxy-status/).

If you encounter unexpected results when changing your nameservers, refer to the [DNS Full Setup troubleshooting](https://developers.cloudflare.com/dns/zone-setups/full-setup/troubleshooting/).

## Other setup options

* To use Cloudflare as a reverse proxy but maintain your DNS provider, refer to [partial setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/).
* To use one or more DNS providers, refer to [DNS Zone transfers](https://developers.cloudflare.com/dns/zone-setups/zone-transfers/).
* Enterprise customers can onboard lower-level subdomains using [Subdomain setup](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/).

## Footnotes

1. The provider you purchased your domain from. [↩](#user-content-fnref-1)
2. Enterprise customers can onboard these using [Subdomain setup](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/). [↩](#user-content-fnref-2)


---

---
title: Change your domain version
description: Version Management allows you to safely test, deploy, and roll back changes to your zone configurations. By default, Version Management is not enabled on a zone.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Change your domain version

[Version Management](https://developers.cloudflare.com/version-management/) is available for Enterprise customers and allows you to safely test, deploy, and roll back changes to your zone configurations.

## Enable versioning

By default, Version Management is not enabled on a zone.

To enable [Version Management ↗](https://dash.cloudflare.com/?to=/:account/:zone/versioning):

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select your account and zone.
3. Go to **Version Management**.
4. Select **Enable versioning**.

Note

If you cannot enable Version Management, make sure your zone, account, and user meet the [requirements](https://developers.cloudflare.com/version-management/#requirements).

## (Optional) Create additional environments

Once you [enable](https://developers.cloudflare.com/version-management/how-to/enable/) Version Management, Cloudflare will automatically create:

* **Version Zero**: Think of this as the configuration of your current zone. Once default environments are created, Version Zero is automatically deployed to them, guaranteeing no disruption to your live traffic. This version is also permanently editable. If you decide to disable Zone Versioning, Version Zero will become your zone again.
* **Global Configuration**: This contains all the configurations that are not supported by Version Management.

Important

Any changes made to the **Global Configuration** will immediately apply to your zone and all versions of your zone, affecting live traffic.

On the Environments page, you can create default environments for **Production**, **Staging**, and **Development**.

These environments each serve a specific purpose and are accessed differently:

* **Development**: Meant to validate that changes work correctly. The default [traffic filters](https://developers.cloudflare.com/version-management/reference/traffic-filters/) are that the `cf.zone.name` matches your zone name, the `Edge Server IP` is a specific value, and the request contains a cookie with `development=true`.
* **Staging**: Meant to test changes before sending them to **Production**. The default [traffic filters](https://developers.cloudflare.com/version-management/reference/traffic-filters/) are that the `cf.zone.name` matches your zone name and the `Edge Server IP` is a specific value.
* **Production**: Meant to hold all configurations applied to your zone. You cannot edit the [traffic filters](https://developers.cloudflare.com/version-management/reference/traffic-filters/), which only check that `cf.zone.name` is equal to your zone's name, and you cannot delete this environment. This environment has a read-only check enabled, so versions promoted to this environment will become read-only as well.

Based on your organization's needs, you may need to create additional environments to test and roll out changes.

  
For more details, refer to [Create environment](https://developers.cloudflare.com/version-management/how-to/environments/#create-environment).

## Update configurations

Before making changes, make sure you are inside the correct version of your zone.

To change between different versions of your zone:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select your account and a domain that has version management. The Global Configuration of your domain will load.
3. Go to the product or feature you wish to modify.  
   * **If the product or feature is available for versioning**: The last version you were working on will load.  
   * **If the product or feature is NOT available for versioning**: Your Global Configuration will load, and any changes you make will impact live traffic.
4. Ensure that the configuration or version displayed in the domain summary bar is the one you would like to work on. If not, select the version in the domain summary bar to open the version switcher.

Note

If you are on a product that is not available for versioning, you will not be able to switch to another version, and can only make changes under your Global Configuration.

The Domain Summary is accessible from all pages and allows you to quickly switch between versions and domains.

![Switch between versions of your configuration](https://developers.cloudflare.com/_astro/configurable-versions.BsHb-j9S_Z1DdDYI.webp) 

From within a version, you can update configurations just as you would with your normal zone configurations. Any changes are saved automatically.

## Test version

Once you have made changes to a version, apply that version to your lowest-ranked environment.

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select your account and zone.
3. Go to **Version Management**.
4. Go to **Environments**.
5. On your lowest-ranked environment, use the **Version** dropdown to select your desired version.

To test your version, send requests to that environment that match the pattern specified in its [traffic filters](https://developers.cloudflare.com/version-management/reference/traffic-filters/).

For more details about what happens to these requests, refer to the version's [metrics](https://developers.cloudflare.com/version-management/how-to/versions/#view-metrics).

## Promote version

Next, [promote](https://developers.cloudflare.com/version-management/how-to/environments/#change-environment-version) your version through your different environments.

To promote a version:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select your account and zone.
3. Go to **Version Management**.
4. Select **Environments**.
5. On the environment in which you tested the version, select **Promote**. This option will only be available if the lower-ranked environment has a different version than the higher-ranked environment.

Promoting a version to a read-only environment will make the version permanently read-only.

After promoting to each environment, test the new version in your new environment.

## Repeat

For new changes to your zone, [create a new version](https://developers.cloudflare.com/version-management/how-to/versions/#create-version) and repeat this process.


---

---
title: Manage subdomains
description: Once you have added your domain to Cloudflare and updated your nameservers, you also might want to set up a subdomain.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Manage subdomains

Once you have [added your domain to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) and [updated your nameservers](https://developers.cloudflare.com/dns/zone-setups/full-setup/), you also might want to set up a subdomain.

Most subdomains serve a specific purpose within the overall context of your website. For example, `blog.example.com` might be your blog, `support.example.com` could be your customer help portal, and `store.example.com` would be your e-commerce site.

## Create a subdomain

If you have already added a subdomain at your host, create a corresponding [DNS A or CNAME record](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) for that subdomain (`blog`, `store`).

## Set up redirects

### Redirect a subdomain to the apex domain

Sometimes, you might want all traffic to a subdomain (`www.example.com`) to actually go to your apex domain (`example.com`).

1. Create a [proxied DNS A record](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) for your subdomain. This record can point to any IP address since all traffic will be redirected prior to reaching the address.  
| **Type** | **Name** | **IPv4 address** | **Proxy status** |  
| -------- | -------- | ---------------- | ---------------- |  
| A        | www      | 192.0.2.1        | Proxied          |
2. Create a [Single Redirect](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/create-dashboard/) to forward traffic from your subdomain to your apex domain.

**When incoming requests match**

Using the Expression Editor:  
`(http.request.full_uri contains "www.example.com")`

**Then**

* **Type:** _Dynamic_
* **Expression:** `concat("https://","example.com",http.request.uri.path)`
* **Status code:** _301_

### Redirect the apex domain to a subdomain

Sometimes, you might want all traffic to your apex domain (`example.com`) to actually go to a subdomain (`www.example.com`).

1. If you have already added that subdomain at your host, create a corresponding [DNS A or CNAME record](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) for that subdomain.
2. Create a proxied DNS A record for your apex domain. This record can point to any IP address since all traffic will be redirected prior to reaching the address.  
| **Type** | **Name** | **IPv4 address** | **Proxy status** |  
| -------- | -------- | ---------------- | ---------------- |  
| A        | @        | 192.0.2.1        | Proxied          |
3. Create a [Single Redirect](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/create-dashboard/) to forward traffic from your apex domain to your subdomain.

**When incoming requests match**

Using the Expression Editor:  
`(lower(http.host) eq "example.com")`

**Then**

* **Type:** _Dynamic_
* **Expression:** `concat("https://","www.example.com",http.request.uri.path)`
* **Status code:** _301_
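
The two redirect rules above match requests in different ways: the first tests a substring of the full URI, the second compares the host. The following added example (a simplified Python model, not Cloudflare's rule engine or documentation) evaluates both styles against constructed URLs for the `www` to apex redirect. The function names and sample URLs are assumptions, and applying the host comparison to `www.example.com` goes beyond the page, which only uses it for the apex rule.

```python
from urllib.parse import urlsplit

NEEDLE = "www.example.com"  # literal from the page's first match expression
APEX = "example.com"        # redirect destination host used on the page


def matches_full_uri_contains(url, needle=NEEDLE):
    """Model of (http.request.full_uri contains "www.example.com"):
    a substring test over scheme, host, path and query together."""
    return needle in url


def matches_host_eq(url, host=NEEDLE):
    """Model of a host comparison in the style of (lower(http.host) eq "..."),
    applied here to the www host. urlsplit().hostname is already lower-case."""
    return (urlsplit(url).hostname or "") == host


def redirect_target(url, to_host=APEX):
    """Model of concat("https://", "example.com", http.request.uri.path)."""
    return "https://" + to_host + (urlsplit(url).path or "/")


def evaluate(url):
    """Report how each match style treats one request URL."""
    target = redirect_target(url)
    contains = matches_full_uri_contains(url)
    return {
        "contains_rule": contains,
        "host_rule": matches_host_eq(url),
        "target": target,
        # The target is itself a request to the zone. If it still matches the
        # substring rule, the 301 points at a URL that is redirected again.
        "loops": contains and matches_full_uri_contains(target),
    }


# Constructed sample requests to hostnames in the example.com zone.
SAMPLES = [
    "https://www.example.com/pricing",
    "https://shop.example.com/login?next=https://www.example.com/account",
    "https://example.com/blog/www.example.com-migration",
    "https://blog.example.com/post",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = evaluate(url)
        print(f"{url}\n  contains={r['contains_rule']} host={r['host_rule']} "
              f"target={r['target']} loops={r['loops']}")
```

In this model only the first sample is a request to the `www` host, yet the substring form also selects the second and third; a host comparison keeps the rule scoped to the hostname it is meant for.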

## SSL/TLS for subdomains

If your main domain is using Cloudflare's [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/), that certificate also covers all first-level subdomains (`blog.example.com`).

For deeper subdomains (`dev.blog.example.com`), use a [different type of certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/limitations/#full-setup).

Proxy status

Cloudflare can only serve an SSL/TLS certificate for a DNS record when you set the record's [proxy status](https://developers.cloudflare.com/dns/proxy-status/) to **Proxied**. If you do not do this, the origin server your record points to will be responsible for supporting SSL/TLS connections.

## Customize subdomain behavior

If you want to customize Cloudflare settings for individual subdomains, your approach will vary depending on your plan.

Enterprise customers can set up custom settings and access for a specific subdomain within Cloudflare with [Subdomain support](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/).

All other customers can set up subdomain-specific [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/) or [Page Rules](https://developers.cloudflare.com/rules/page-rules/) to alter Cloudflare settings.

If you want a subdomain's DNS settings managed totally outside of Cloudflare — meaning this subdomain can be managed by individuals without access to your Cloudflare account — refer to [Delegating subdomains outside of Cloudflare](https://developers.cloudflare.com/dns/manage-dns-records/how-to/subdomains-outside-cloudflare/).


---

---
title: Move a domain between Cloudflare accounts
description: Learn how to transfer a domain between Cloudflare accounts, including requirements, DNS settings, and SSL/TLS certificate management for seamless migration.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Move a domain between Cloudflare accounts

You will have to move or transfer domains from one Cloudflare account to another if you:

* Manage a multi-user organization and need to segment domain access by user.
* Receive a `Cloudflare is already hosting under a different account` error.
* Lose access to your email address or Cloudflare account (though you can also use the [backup codes](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#use-a-backup-code) if you have two-factor authentication enabled).
* Registered a Cloudflare account with a typo in your email.

Warning

If your domain is registered with Cloudflare Registrar, you need to submit a manual request to transfer the domain and its registration to a new account.

Refer to [Transfer a Cloudflare Registrar domain registration between accounts](https://developers.cloudflare.com/registrar/account-options/inter-account-transfer/) to complete this process.

## Requirements

To transfer a domain from one Cloudflare account to another, you will need:

* Access to your domain registrar. If your domain is using Cloudflare Registrar, refer to [Transfer a Cloudflare Registrar domain registration between accounts](https://developers.cloudflare.com/registrar/account-options/inter-account-transfer/).
* At least one Cloudflare account associated with the domain.

## Transfer your domain

Warning

Before transferring an active Cloudflare domain to another Cloudflare account, you must remove any [DNSSEC configurations](https://developers.cloudflare.com/dns/dnssec/) and [add-ons or subscriptions](https://developers.cloudflare.com/billing/cancel-subscription/).

We also recommend [exporting](https://developers.cloudflare.com/dns/manage-dns-records/how-to/import-and-export/#export-records) the DNS records of your zone while it is in the previous account. Then, you can [import](https://developers.cloudflare.com/dns/manage-dns-records/how-to/import-and-export/#import-records) the correct DNS records into the new account. If you miss this step, Cloudflare will import your proxied DNS records, which might cause your domain to experience a [1000 error](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/).

If you still have access to your previous Cloudflare account, you can copy over the Cloudflare account settings manually. You must reissue [SSL/TLS certificates](#issue-new-certificates) and [recreate and validate DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) when transferring domains between Cloudflare accounts.

If you lose access to the email address associated with your Cloudflare account and do not have backup codes, you will need to manually transfer your domain to a new Cloudflare account associated with a different email address.

The domain transfer process depends on your DNS settings. If Cloudflare is your authoritative DNS provider (that is, your domain nameservers point to Cloudflare), you must:

1. [Create a new Cloudflare account](https://developers.cloudflare.com/fundamentals/account/create-account/) or log in to an existing Cloudflare account.
2. [Add the domain](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) to the account (as if you were adding it for the first time).
3. Log in to your domain registrar account and [update the nameservers](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/) to the provided Cloudflare nameservers.
4. Finalize the nameserver update by selecting your domain in the dashboard > **Overview** \> **Re-check now**.

Once the Cloudflare network recognizes the nameserver change, the domain in the new account will be marked as **Active**. While the domain in the new account is **Pending**, it cannot proxy traffic through Cloudflare and the origin IP addresses will be returned until the domain is marked as **Active**.

In the old account, the domain will be marked as **Moved Away**. After seven days in **Moved Away** status, the domain will be marked as **Deleted**. After seven days in the **Deleted** status, the domain will be permanently removed.

For more information, refer to [Zone status](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/).

## Issue new certificates

SSL/TLS certificates associated with your previous Cloudflare account will not be transferred to your new account. If your site requires an SSL/TLS certificate prior to domain transfer, refer to [Minimize downtime](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#minimize-downtime).

If you were using [custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/), you will need to delete them from the previous zone and upload them to the new zone. You can upload the certificates while the new zone is in **Pending** status - if you do so, once you upload the certificates, they will have a [**Holding Deployment**](https://developers.cloudflare.com/ssl/reference/certificate-statuses/#custom-certificates) status and will become active once the zone is active.

You can order an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) prior to transferring your domain. ACM certificates will automatically deploy to active domains.


---

---
title: Pause Cloudflare
description: To troubleshoot your site, you can pause Cloudflare globally. This will send traffic directly to your origin web server instead of Cloudflare's reverse proxy. Paused domains also cannot use Cloudflare services like Rules, WAF, and SSL/TLS certificates. Consider turning on Development Mode to bypass caching while preserving protection.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Pause Cloudflare

To troubleshoot your site, you can pause Cloudflare globally. This will send traffic directly to your origin web server instead of Cloudflare's reverse proxy. Paused domains also cannot use Cloudflare services like [Rules](https://developers.cloudflare.com/rules/), [WAF](https://developers.cloudflare.com/waf/), and [SSL/TLS certificates](https://developers.cloudflare.com/ssl/edge-certificates/). Consider turning on [Development Mode](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/#enable-development-mode) to bypass caching while preserving protection.

1. In the Cloudflare dashboard, go to the **Account home** page and select your account and domain.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Within **Overview**, choose **Advanced Actions** \> **Pause Cloudflare on Site**.

The process of pausing Cloudflare takes five minutes or less. This approach is preferable to [changing nameservers](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/), which can cause propagation delays of several hours.

Note

Disabling a zone does not impact Spectrum applications.

---

## Alternatives to global pause

### Disable proxy on DNS records

Instead of pausing Cloudflare globally, you can disable the proxy on individual records:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and select your account and domain.
2. Go to **DNS** \> **Records**. Choose the record and select **Edit**.
3. Toggle **Proxy Status** to **Off**.

Adjusting the proxy status will prevent that record from using Cloudflare services like [Rules](https://developers.cloudflare.com/rules/), [WAF](https://developers.cloudflare.com/waf/), and [SSL/TLS certificates](https://developers.cloudflare.com/ssl/edge-certificates/).

### Enable Development Mode

To troubleshoot caching issues, you could [enable Development Mode](https://developers.cloudflare.com/cache/reference/development-mode/). This will bypass Cloudflare's cache while still preserving Cloudflare services like [Rules](https://developers.cloudflare.com/rules/), [WAF](https://developers.cloudflare.com/waf/), and [SSL/TLS certificates](https://developers.cloudflare.com/ssl/edge-certificates/).


---

---
title: Redirect one domain to another
description: If you have an alias domain that only forwards traffic to another domain (that is, the domain does not have an associated origin server of its own), you can set up redirects directly within Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Redirect one domain to another

If you have an alias domain that only forwards traffic to another domain (that is, the domain does not have an associated origin server of its own), you can set up redirects directly within Cloudflare.

1. [Add](https://developers.cloudflare.com/fundamentals/manage-domains/#add-a-domain-to-cloudflare) your alias domain (for example, `previous.com`) to Cloudflare.
2. Make sure that your alias domain has a proxied [DNS A or CNAME record](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) that properly resolves DNS queries. You may also want to include a subdomain DNS record for `www`.  
   Use the IP address `192.0.2.1` for the `A` record. This address does not route traffic to an origin server but allows Cloudflare to apply rules, redirects, and Workers to incoming traffic. The equivalent IP address for an `AAAA` record is `100::`.

   | **Type** | **Name** | **IPv4 address** | **Proxy status** |
   | -------- | -------- | ---------------- | ---------------- |
   | A        | @        | 192.0.2.1        | Proxied          |
   | A        | www      | 192.0.2.1        | Proxied          |
3. Use [Redirect rules](https://developers.cloudflare.com/rules/url-forwarding/) to forward traffic from your alias domain to your other domain.

This example will redirect all requests for `smallshop.example.com` to a different hostname using HTTPS, keeping the original path and query string.

**When incoming requests match**

* **Field:** _Hostname_
* **Operator:** _equals_
* **Value:** `smallshop.example.com`

If you are using the Expression Editor, enter the following expression:  
`(http.host eq "smallshop.example.com")`

**Then**

* **Type:** _Dynamic_
* **Expression:** `concat("https://globalstore.example.net", http.request.uri.path)`
* **Status code:** _301_
* **Preserve query string:** Enabled

For example, the redirect rule would perform the following redirects:

| Request URL                                          | Target URL                                              | Status code |
| ---------------------------------------------------- | ------------------------------------------------------- | ----------- |
| http://smallshop.example.com/                        | https://globalstore.example.net/                        | 301         |
| http://smallshop.example.com/admin/?logged\_out=true | https://globalstore.example.net/admin/?logged\_out=true | 301         |
| https://smallshop.example.com/?all\_items=1          | https://globalstore.example.net/?all\_items=1           | 301         |
| http://example.com/about/                            | (unchanged)                                             | n/a         |
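
To confirm that a deployed rule behaves like the table above, the rule can be modelled and compared against observed responses. This is an added example, not part of Cloudflare's documentation; the helper names and the sample observations are constructed, and the hostnames are the ones used in the rule on this page.

```python
from urllib.parse import urlsplit

ALIAS_HOST = "smallshop.example.com"               # rule match value on this page
TARGET_PREFIX = "https://globalstore.example.net"  # prefix in the rule expression
TARGET_HOST = urlsplit(TARGET_PREFIX).hostname


def expected_redirect(request_url):
    """Model the rule: (301, location) on a hostname match, else (None, None)."""
    parts = urlsplit(request_url)
    if parts.hostname != ALIAS_HOST:
        return None, None
    # concat("https://globalstore.example.net", http.request.uri.path)
    location = TARGET_PREFIX + (parts.path or "/")
    if parts.query:  # "Preserve query string: Enabled"
        location += "?" + parts.query
    return 301, location


def check_observations(observations):
    """Compare (url, status, location) tuples with the model; return mismatches."""
    problems = []
    for url, status, location in observations:
        want_status, want_location = expected_redirect(url)
        if want_status is None:
            # Hosts outside the rule must not be sent to the target domain.
            if location and urlsplit(location).hostname == TARGET_HOST:
                problems.append((url, "redirected although host does not match"))
        elif status != want_status:
            problems.append((url, f"status {status}, expected {want_status}"))
        elif location != want_location:
            problems.append((url, f"location {location}, expected {want_location}"))
    return problems


# Constructed observations, for example transcribed from `curl -sI` output.
OBSERVED = [
    ("http://smallshop.example.com/", 301, "https://globalstore.example.net/"),
    ("https://smallshop.example.com/?all_items=1", 301,
     "https://globalstore.example.net/?all_items=1"),
    # Misconfiguration: query string was not preserved.
    ("http://smallshop.example.com/admin/?logged_out=true", 301,
     "https://globalstore.example.net/admin/"),
    # Misconfiguration: temporary redirect instead of 301.
    ("http://smallshop.example.com/cart", 302, "https://globalstore.example.net/cart"),
    ("http://example.com/about/", 200, None),
]

if __name__ == "__main__":
    for url, reason in check_observations(OBSERVED):
        print(f"MISMATCH {url}: {reason}")
```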


---

---
title: Remove a domain
description: Consider the following sections on how you can remove domains from Cloudflare. Removing your domain cancels all active subscriptions on that domain, which will not be refunded per our billing policy. If you add this domain back to Cloudflare later, you will need to re-purchase all subscriptions. Removing your domain from Cloudflare does not change your domain registration.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Remove a domain

Consider the following sections on how you can remove domains from Cloudflare. Removing your domain cancels all active subscriptions on that domain, which will not be refunded per our [billing policy](https://developers.cloudflare.com/billing/billing-policy/). If you add this domain back to Cloudflare later, you will need to re-purchase all subscriptions. Removing your domain from Cloudflare does not change your domain registration.

## Before removing your domain

If you experience website issues, we recommend [temporarily pausing Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/) to evaluate your website's performance.

If you have an Enterprise plan, you need to [change the zone plan](https://developers.cloudflare.com/billing/change-plan/#change-plan-type) to **Free**.

If you need to re-add the domain in a different account, make sure the current settings have been saved. For example, you may [Import and export DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/import-and-export/).

Note

If you have just added a domain and have not configured its plan yet, the domain is in the `Initializing (Setup)` status and cannot be deleted. At this step you'll need to select a plan for this domain: the status will then change to `Pending` and you can then delete the domain. Please also note that domains in the `Initializing (Setup)` or `Pending` statuses will [automatically be deleted after 28 days](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/#initializing-setup) if they do not activate.

### Actions outside of Cloudflare

* When you remove a domain from Cloudflare, it also prevents your domain from using Cloudflare for DNS resolution. To avoid DNS errors, update your nameservers at your domain registrar to use nameservers not owned by Cloudflare.  
   * Refer to [Check if your nameservers are pointing to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/#verify-changes) to confirm that your nameservers no longer point to Cloudflare.
* At your registrar, make sure you do not have a **DS** DNS record. This record enables [DNSSEC](https://developers.cloudflare.com/dns/dnssec/) and could prevent your DNS records from being changed.

### Actions within Cloudflare

* [Cancel active add-on subscriptions](https://developers.cloudflare.com/billing/cancel-subscription/).
* [Delete all the Logpush jobs for that domain](https://developers.cloudflare.com/logs/logpush/examples/example-logpush-curl/#optional---delete-a-job).
* If you use Cloudflare Registrar:  
   * [Disable domain auto-renewal](https://developers.cloudflare.com/registrar/account-options/renew-domains/) or [transfer your domain out of Cloudflare](https://developers.cloudflare.com/registrar/account-options/transfer-out-from-cloudflare/).  
   * If the domain has already expired, it will be automatically removed from your account. Refer to [What happens when a domain expires?](https://developers.cloudflare.com/registrar/faq/#what-happens-when-a-domain-expires)  
   * If the domain has not yet expired, you can likely request deletion. Refer to [Delete a domain registration](https://developers.cloudflare.com/registrar/account-options/domain-management/#delete-a-domain-registration).  
   * If enabled, disable DNSSEC. In your domain dashboard, go to **DNS** \> **Settings**. Within **DNSSEC**, select **Disable DNSSEC**. Select **Confirm**.

## Remove a domain activated in Cloudflare

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. On the **Overview** page, find **Advanced Actions** and then select **Remove Site from Cloudflare**.  
![Remove site from Cloudflare is an option under Advanced Actions](https://developers.cloudflare.com/_astro/remove-domain.DlSLb0OG_kxVfQ.webp)  
Note  
If you are using an Enterprise domain, [change your domain plan](https://developers.cloudflare.com/billing/change-plan/#change-plan-type) to **Free**, which will give you access to **Remove Site from Cloudflare**.  
    
If this does not work, contact your Customer Success Manager.
3. Select **Confirm**.


---

---
title: Star domains
description: For quick access to commonly configured domains (also known as "zones"), star up to ten domains per account in the Cloudflare dashboard.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Star domains

For quick access to commonly configured domains (also known as "zones"), star up to ten domains per account in the Cloudflare dashboard.

## Star a domain

To star a domain:

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Select your account and domain.
3. On the website **Overview**, select **Star**.
![Star domain on the Overview page of the website](https://developers.cloudflare.com/_astro/star-domain.CroUMQQh_Z1Lbr2q.webp) 

## Filter to starred domains

To view only starred domains in your account:

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Select your account.
3. On the account **Home**, select **Starred**.


---

---
title: Add abuse contact
description: Enter an abuse contact email address to ensure you are receiving communications regarding potential abuse on your websites.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Add abuse contact

Enter an abuse contact email address to ensure you are receiving communications regarding potential abuse on your websites.

To update your abuse contact email address:

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and select your account.
2. Go to **Manage Account** \> **Configurations**.
3. For **Abuse report contact email address**, select **Change email address**.
4. Enter and confirm your new email and select **Save**.

If you choose not to provide an abuse contact email address, communication about abuse will be directed to one of the Super Administrators on your account.


---

---
title: Audit Logs - version 2
description: Cloudflare Audit Logs are account-based. All user-initiated actions are recorded automatically across both the Cloudflare API and dashboard. System-initiated logs are also captured to reflect actions taken automatically by Cloudflare systems, such as configuration updates, background processes, or internal policy enforcement.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Audit Logs - version 2

Cloudflare Audit Logs are account-based. All user-initiated actions are recorded automatically across both the Cloudflare API and dashboard. System-initiated logs are also captured to reflect actions taken automatically by Cloudflare systems, such as configuration updates, background processes, or internal policy enforcement.

When a user-initiated action triggers additional automated behavior, corresponding system-initiated logs will be generated. In some cases, user-initiated logs include additional enrichments that provide more context about what was changed, offering deeper visibility into the full lifecycle of the action.

When an action occurs, it is streamed through Cloudflare's audit logging pipeline and stored. This ensures consistent visibility into activity across all products.

For more detailed information about how the user-initiated actions are logged automatically, refer to the [Cloudflare Blog ↗](https://blog.cloudflare.com/introducing-automatic-audit-logs/).

Note

A transition plan from Audit Logs v1 to Audit Logs v2 will be communicated in due course.

## Key features

Audit Logs (version 2) provide a unified and standardized system for tracking and recording actions across Cloudflare products. This system enhances transparency and accountability by offering comprehensive insights into user-initiated and system-initiated activities within your Cloudflare environment.

* **Standardized logging**: Audit logs are automatically generated in a consistent format across all Cloudflare services, ensuring uniformity and eliminating inconsistencies.
* **Expanded product coverage**: Audit Logs covers \~95% of Cloudflare products, capturing actions from key endpoints, such as `/accounts`, `/zones`, `/user`, and `/memberships` APIs.
* **Granular filtering**: Uniformly formatted logs allow for precise filtering by actions, actors, methods, and resources, facilitating efficient investigations.
* **Enhanced context and transparency**: Each log entry includes detailed context, such as the authentication method used, the interface (API or dashboard) through which the action was performed, and mappings to Cloudflare Ray IDs for improved traceability.
* **Comprehensive activity capture**: Audit Logs records create, update, and delete actions across all supported products. Selective logging of `GET` requests for sensitive read operations is planned for a future release.

## Retention

* Audit logs are retained for 18 months before being deleted. No additional setup is required.
* In the Audit Logs v2 UI, queries are limited to the most recent 90 days for performance reasons. To access the full 18 months of data, use the API or [Logpush](https://developers.cloudflare.com/logs/logpush/).
* Enterprise customers can use [Logpush](https://developers.cloudflare.com/logs/logpush/) to store audit logs beyond 18 months.

Note

Approximately 30 days of logs from the Beta period (back to \~February 8, 2026) are available at GA. These Beta logs will expire on \~April 9, 2026. Logs generated after GA will be retained for the full 18 months. Older logs remain available in Audit Logs v1.

## Access Audit Logs

You can retrieve audit logs using either the API or the Cloudflare dashboard.

### API

Audit Logs are available through the Cloudflare API. To retrieve audit logs, use the following endpoint:

```
https://api.cloudflare.com/client/v4/accounts/{account_id}/logs/audit
```

Below is an example request to retrieve audit logs for a certain period of time along with its corresponding response. Replace the example values in the URL with your actual values:

* `account_id`: Your Cloudflare account identifier.
* `Since` (required): Start date for the audit log retrieval in the format yyyy-mm-dd.
* `Before` (required): End date for the audit log retrieval in the format yyyy-mm-dd.

```
GET https://api.cloudflare.com/client/v4/accounts/1234567890abcdef/logs/audit?since=2025-03-01T00:00:00Z&before=2025-03-26T23:59:59Z
```

Example response

```
{
  "result": [
    {
      "action": "zone.settings.change",
      "actor": {
        "email": "user@example.com",
        "id": "0987654321abcdef"
      },
      "ip": "192.0.2.1",
      "method": "PUT",
      "interface": "dashboard",
      "resources": [
        {
          "resource_id": "zone123",
          "resource_type": "zone"
        }
      ],
      "timestamp": "2025-03-15T14:25:37Z"
    }
    // Additional log entries
  ],
  "success": true,
  "errors": [],
  "messages": []
}
```

For more information refer to the [API documentation ↗](https://developers.cloudflare.com/api/resources/accounts/subresources/logs/subresources/audit/methods/list/#%28params%29%20default%20%3E%20%28param%29%20since%20%3E%20%28schema%29).

### Dashboard

To access audit logs in the Cloudflare dashboard:

In the Cloudflare dashboard, go to the **Audit Logs** page.

[ Go to **Audit logs** ](https://dash.cloudflare.com/?to=/:account/audit-log) 

Note

Audit Logs v2 is shown by default. You can switch between Audit Logs v2 and v1 as needed.

## Logpush job

Note

For customers who already have a Logpush job set up for Audit Logs v1, note that a separate Logpush job must be configured for [Audit Logs v2](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/audit%5Flogs%5Fv2/) (dataset). We will communicate the timeline for when Logpush Audit Logs v1 will be deprecated and turned off.

To create a Logpush job:

1. In the Cloudflare dashboard, go to the **Logpush** page.  
[ Go to **Logpush** ](https://dash.cloudflare.com/?to=/:account/logs)
2. Select **Create a Logpush job**.
3. In **Select a destination**, select the destination of your choice and add the destination details.
4. In the datasets section, select the [Audit Logs v2 dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/audit%5Flogs%5Fv2/). Audit Logs v2 is an account-based dataset.
5. Once you are done configuring your Logpush job, select **Submit**.

## Audit Log structure

Cloudflare's audit logs offer a detailed view of activity across your environment by capturing both the source of actions and the context in which they occur. These logs are categorized by who initiated the action (user or system) and whether the activity occurred within a specific account or spanned multiple accounts under the same user profile. This structure enables flexible filtering, investigation, and compliance monitoring.

### Initiation type

Audit logs can be initiated either by users or the system. Understanding the type of actor involved helps in identifying the source and intent of actions.

#### User initiated Audit Logs

Track actions performed directly by users through Cloudflare interfaces (dashboard or API). These logs capture who performed the action, when it occurred, and what resource was affected. User initiated actions can be performed by three actors:

* `actor_type="user"`: Action was performed by an individual user.
* `actor_type="Cloudflare_admin"`: Action was performed by Cloudflare.
* `actor_type="account"`: Action was performed using an account API token. Refer to the [Account API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) documentation for more information.

#### System initiated Audit Logs

Record changes made automatically by Cloudflare systems, without direct user input. These logs provide visibility into internal processes, automated tasks, and security events. Some entries may include associated user context for traceability (`actor_type="system"`).

### Activity Scope

#### Account Activity Logs

Contain events scoped to a single Cloudflare account. These logs are filterable by `account ID` and reflect actions within that account only. You can optionally filter events further using the `resource_scope` field, which specifies whether the resource is associated with a user, an account, or a zone (`resource_scope="user"`, `resource_scope="accounts"`, or `resource_scope="zones"`).

#### User Profile Activity Logs

Reflect actions associated with a user's login (email) across multiple accounts. These logs enable cross-account tracking and can be filtered by `user ID` or `email`. They are visible on any account the user had access to at the time of the activity. User Profile Activity Logs can be filtered using `resource_scope="user"`.

The `GET /memberships` endpoint supports cross-account access. To query memberships, use the parameter `resource_scope=memberships`.

## Example of how to query Audit Logs

Use the following example to get a list of audit logs for a user account.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Account Settings Write`
* `Account Settings Read`

Get account audit logs (Version 2)

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/logs/audit" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

Example response

```
{
  "errors": [
    {
      "message": "message"
    }
  ],
  "result": [
    {
      "account": {
        "id": "4bb334f7c94c4a29a045f03944f072e5",
        "name": "Example Account"
      },
      "action": {
        "description": "Add Member",
        "result": "success",
        "time": "2024-04-26T17:31:07Z",
        "type": "create"
      },
      "actor": {
        "id": "f6b5de0326bb5182b8a4840ee01ec774",
        "context": "dash",
        "email": "alice@example.com",
        "ip_address": "198.41.129.166",
        "token_id": "token_id",
        "token_name": "token_name",
        "type": "user"
      },
      "raw": {
        "cf_ray_id": "8e9b1c60ef9e1c9a",
        "method": "POST",
        "status_code": 200,
        "uri": "/accounts/4bb334f7c94c4a29a045f03944f072e5/members",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
      },
      "resource": {
        "id": "id",
        "product": "members",
        "request": {},
        "response": {},
        "scope": {},
        "type": "type"
      },
      "zone": {
        "id": "id",
        "name": "example.com"
      }
    }
  ],
  "result_info": {
    "count": "1",
    "cursor": "ASqdKd7dKgxh-aZ8bm0mZos1BtW4BdEqifCzNkEeGRzi_5SN_-362Y8sF-C1TRn60_6rd3z2dIajf9EAPyQ_NmIeAMkacmaJPXipqvP7PLU4t72wyqBeJfjmjdE="
  },
  "success": true
}
```

## Common terms and definitions

### Actor

The actor represents who performed the action. It includes identity attributes like user ID, email address, IP address, and the type of actor (`user`, `account`, `Cloudflare_admin`, or `system`). It also includes the context used to initiate the action, such as API or dashboard (`dash`).

### Action

The action field captures the nature of the event and whether it was successful. It includes a high-level type (e.g., `view`, `create`, `update`, `delete`), a specific description (such as `SSO_LOGIN`), the timestamp of when the action occurred, and the result (`success` or `failure`).

All `GET` requests are captured as `view` actions in Audit Logs.

### Account

This field refers to the Cloudflare account under which the action was executed. It includes a unique account ID and a human-readable account name to help associate activity with a customer environment.

### Resource

The resource identifies the object impacted by the action. It includes the resource type, the unique resource ID, the scope (`user`, `account`, or `zone`), and optionally the product associated with the change.

### Audit Log ID

This is a unique identifier for the log record itself. It can be used for deduplication, correlation, or referencing specific actions during investigations.
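
The following added example (not part of the Cloudflare documentation) shows how the fields defined above can drive a first-pass review of exported Audit Logs v2 records: it deduplicates by audit log ID, then flags failed actions, actions whose actor type is `Cloudflare_admin`, and non-`view` changes to the `members` product. The sample records are constructed, and the field names `email`, `ip_address`, `context`, `description`, `result`, and `time` are assumptions drawn from the definitions rather than from the JSON excerpt.

```python
from collections import Counter

# "view" is excluded on purpose: all GET requests are logged as view actions.
WRITE_ACTIONS = {"create", "update", "delete"}


def _rec(log_id, action_type, description, result, actor_type, ip, product, context="api"):
    """Build one constructed record. Field names follow the definitions above;
    those not visible in the JSON excerpt are assumptions."""
    return {
        "id": log_id,
        "account": {"id": "account-id-placeholder", "name": "Example Account"},
        "action": {"type": action_type, "description": description,
                   "result": result, "time": "2025-01-01T00:00:00Z"},
        "actor": {"id": "actor-id-placeholder", "email": "user@example.com",
                  "ip_address": ip, "type": actor_type, "context": context},
        "resource": {"id": "resource-id-placeholder", "product": product, "scope": {}},
    }


# Constructed sample data. Apart from SSO_LOGIN, descriptions and products are made up.
SAMPLE_RECORDS = [
    _rec("log-1", "create", "MEMBER_ADD", "success", "user", "198.51.100.7", "members"),
    _rec("log-1", "create", "MEMBER_ADD", "success", "user", "198.51.100.7", "members"),  # duplicate
    _rec("log-2", "view", "ZONE_LIST", "success", "user", "198.51.100.7", "zones", "dash"),
    _rec("log-3", "create", "SSO_LOGIN", "failure", "user", "203.0.113.9", "login", "dash"),
    _rec("log-4", "create", "SSO_LOGIN", "failure", "user", "203.0.113.9", "login", "dash"),
    _rec("log-5", "create", "SSO_LOGIN", "failure", "user", "203.0.113.9", "login", "dash"),
    _rec("log-6", "update", "SETTING_CHANGE", "success", "Cloudflare_admin", "192.0.2.1", "zones"),
]


def dedupe(records):
    """Keep the first record for each audit log ID; records without an ID are kept."""
    seen, unique = set(), []
    for rec in records:
        log_id = rec.get("id")
        if log_id is not None:
            if log_id in seen:
                continue
            seen.add(log_id)
        unique.append(rec)
    return unique


def triage(records):
    """Return (audit_log_id, reason) pairs for records that deserve a closer look."""
    findings = []
    for rec in dedupe(records):
        action = rec.get("action") or {}
        actor = rec.get("actor") or {}
        resource = rec.get("resource") or {}
        if action.get("result") == "failure":
            findings.append((rec.get("id"), "failed action"))
        if actor.get("type") == "Cloudflare_admin":
            findings.append((rec.get("id"), "actor type is Cloudflare_admin"))
        if action.get("type") in WRITE_ACTIONS and resource.get("product") == "members":
            findings.append((rec.get("id"), "account membership changed"))
    return findings


def failure_bursts(records, threshold=3):
    """Count failed actions per actor IP address and return IPs at or above the threshold."""
    counts = Counter(
        (rec.get("actor") or {}).get("ip_address")
        for rec in dedupe(records)
        if (rec.get("action") or {}).get("result") == "failure"
    )
    return {ip: n for ip, n in counts.items() if ip and n >= threshold}


if __name__ == "__main__":
    for log_id, reason in triage(SAMPLE_RECORDS):
        print(f"{log_id}: {reason}")
    print("failure bursts:", failure_bursts(SAMPLE_RECORDS))
```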


---

---
title: Allow Cloudflare access
description: Occasionally, you may want to allow edit access to your Account Team. A typical use case might be migrating a complex or sensitive domain over to Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Allow Cloudflare access

Occasionally, you may want to give your Account Team edit access to your account. A typical use case might be migrating a complex or sensitive domain over to Cloudflare.

By default, Cloudflare does not have edit access to your account.

To enable editing access by your Account Team:

1. In the Cloudflare dashboard, go to the **Configurations** page. (You must be logged in as a **Super Administrator**).  
[ Go to **Configurations** ](https://dash.cloudflare.com/?to=/:account/configurations)
2. For **Editing Permission**, switch the toggle to **On**.
3. Select a duration.
4. Click **Approve**.

Note

In an emergency, Cloudflare Support can override your **Editing Permissions** and make updates to your account, but your Super Administrator will receive an email and the action will be recorded in your [Audit Logs](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/) with an **Action** of **Break glass**.


---

---
title: Set up SSO
image: https://developers.cloudflare.com/core-services-preview.png
---

# Set up SSO


---

---
title: Leaked Password Notifications
description: Cloudflare automatically checks if your password has been compromised when you log in to the Cloudflare dashboard. Every time you log in to your account, we will securely verify through threat intelligence sources to confirm if your password has been leaked in a past data breach.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Leaked Password Notifications

Cloudflare automatically checks if your password has been compromised when you log in to the Cloudflare dashboard. Every time you log in to your account, we will securely check threat intelligence sources to determine whether your password has been leaked in a past data breach.

Refer to the [blog post ↗](https://blog.cloudflare.com/helping-keep-customers-safe-with-leaked-password-notification/) for more information on how Cloudflare checks for leaked credentials.

Note

Cloudflare does not have additional information about the specific breach or Internet service that potentially lost your password.

Popular online tools such as [Have I Been Pwned ↗](https://haveibeenpwned.com/) can help you better understand where your external accounts were attacked. If you reused this password in other systems, it is recommended that you reset it in those as well.

If your password is found in a data breach, we will email you information on how to reset your password and prompt you to do so in the Cloudflare dashboard.

During your first three login attempts, you will be warned that you need to reset your password. After three attempts, you will be required to reset your password to log in to Cloudflare.

Users leveraging [Single Sign-On (SSO)](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) or [two-factor authentication (2FA)](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/) will not be subject to these requirements given the higher level of security provided by those features.

We encourage you to enable two-factor authentication to secure your account.

Cloudflare account Super Administrators can also require that [all members enable 2FA](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/). This functionality can be enabled by going to **Manage Account** \> **Members** in the Cloudflare dashboard.


---

---
title: Manage active sessions
description: In the Cloudflare dashboard, you can view a list of active sessions associated with your email address.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Manage active sessions

In the Cloudflare dashboard, you can view a list of active sessions associated with your email address.

Each time your email is used to log in to your Cloudflare account, a session begins. The Cloudflare dashboard provides session information, including whether the device is currently viewing the dashboard, the IP address, location, device type, browser type, and last active login.

If you notice any suspicious activity, you can also revoke any active sessions.

Note

By default, the session timeout for the Cloudflare dashboard is 72 hours without any activity.

Some customers can also enforce single sign-on (SSO) by [adding a Dashboard SSO application](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/).

## View active sessions

To view the active sessions associated with your email address:

1. In the Cloudflare dashboard, go to the **Account home** page.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile** \> **Sessions**.

## Revoke active sessions

When there is more than one active session associated with your email account, you can revoke any session that is not the current session.

To revoke a session:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile** \> **Sessions**.
3. On a specific session, click **Revoke**.
4. You will be prompted to enter your password before revoking the session.


---

---
title: Review audit logs - v1
description: Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account level actions like login, as well as zone configuration changes.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Review audit logs - v1

Note

Audit Logs version 2 is available in beta. Refer to the [Audit Logs v2 documentation](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/) for more details.

Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account-level actions like login, as well as zone configuration changes.

Audit Logs are available on all plan types and are captured for both individual users and for multi-user organizations.

Note

Most beta features will not appear in audit logs until they are out of beta.

## Access audit logs

### Using the dashboard

To access audit logs in the Cloudflare dashboard:

In the Cloudflare dashboard, go to the **Audit Logs** page.

[ Go to **Audit logs** ](https://dash.cloudflare.com/?to=/:account/audit-log) 

You can search these audit logs by user email or domain and filter by date range. To download audit logs, click **Download CSV**.

Note

Depending on the volume of data, the export of large amounts of events from Audit Logs might fail with errors. We always recommend using Cloudflare [Logpush](https://developers.cloudflare.com/logs/logpush/) to make sure Audit Logs are always available and stored externally.

### Using the API

To get audit logs from the Cloudflare API, send a [GET request](https://developers.cloudflare.com/api/resources/audit%5Flogs/methods/list/).

We recommend using the API for downloading historical audit log data.

To maintain Audit Logs query performance, the Audit Logs API was modified on 2019-06-30 to return records with a maximum age of 18 months.

## Retention

Audit Logs are retained for 18 months before being deleted. Enterprise customers can use [Logpush](https://developers.cloudflare.com/logs/logpush/) to store Audit Logs for longer periods of time.


---

---
title: SCIM provisioning
description: Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect an external identity provider (IdP) to Cloudflare, quickly onboard and manage user permissions. Currently, SCIM provisioning has been integrated with Okta, Microsoft Entra, and Authentik.
image: https://developers.cloudflare.com/core-services-preview.png
---

# SCIM provisioning

Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect an external identity provider (IdP) to Cloudflare and quickly onboard users and manage their permissions. Currently, SCIM provisioning has been integrated with Okta, Microsoft Entra, and Authentik.

Note

This section covers SCIM provisioning for the Cloudflare dashboard. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/).

## Objectives

Once the SCIM provisioning is enabled:

* A Cloudflare account can receive user group provisioning from the identity provider.
* Members of each user group can be assigned one or more [policies](https://developers.cloudflare.com/fundamentals/manage-members/policies/). Each policy defines one or more [roles ↗](https://developers.cloudflare.com/fundamentals/manage-members/roles/) that apply to all members of the group.
* Members can belong to multiple user groups, and each group can also be configured with different policies.
* Policies provisioned via SCIM can coexist with policies configured via the [traditional setup](https://developers.cloudflare.com/fundamentals/manage-members/manage/#edit-member-permissions).

## Expected behaviors

Expectations for user lifecycle management with SCIM:

| Expected Cloudflare dash behavior              | Identity provider action                                                                                                                                        |
| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| User is added to account as member             | Assign the user to a SCIM application. They will be assigned the Minimal Account Access role so that their dash experience is not broken.                       |
| User is removed from account as member         | Unassign the user from the SCIM application.                                                                                                                    |
| Add role to user                               | Add the user to a group in the IdP which is pushed via SCIM. They must also be assigned to the SCIM application and exist as an account member.                 |
| Remove role from user                          | Remove the user from the corresponding group in the IdP.                                                                                                        |
| Retain user in account but with no permissions | Remove the user from all role groups but leave them assigned to the SCIM application. They will be an account member with only the role Minimal Account Access. |

## Limitations

* If a user is the only Super Administrator on an Enterprise account, they will not be deprovisioned.
* It is possible to unintentionally remove all account Super Administrators by misconfiguring SCIM groups. Refer to [SCIM troubleshooting](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/troubleshooting/) for more information.
* SCIM group names cannot begin with the reserved prefix `CF`.
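
The following added example (not Cloudflare's own code) turns the expected-behaviors table and the limitations above into a pre-flight check that can be run against a planned IdP configuration before it is pushed. The input shapes, the group names, and the mapping of groups to roles (standing in for the policies attached to each user group) are assumptions made for illustration; the sample data is constructed.

```python
MINIMAL = "Minimal Account Access"
SUPER_ADMIN = "Super Administrator"
RESERVED_PREFIX = "CF"  # SCIM group names cannot begin with this prefix

# Constructed sample configuration (hypothetical users and group names).
ASSIGNED = {"alice@example.com", "bob@example.com", "carol@example.com"}
IDP_GROUPS = {
    "cloudflare-super-admins": {"alice@example.com"},
    "cloudflare-dns": {"bob@example.com", "dave@example.com"},  # dave is not assigned to the app
    "CF-legacy": {"carol@example.com"},                         # reserved prefix
}
# Assumption: roles each group would receive through policies set in Cloudflare.
GROUP_ROLES = {
    "cloudflare-super-admins": {SUPER_ADMIN},
    "cloudflare-dns": {"DNS"},
    "CF-legacy": {"Administrator Read Only"},
}


def expected_members(assigned, idp_groups, group_roles):
    """Model the expected-behaviors table: who ends up an account member, with which roles.

    - Assigned to the SCIM application -> member with Minimal Account Access
      (modelled here as always present for assigned users, which is an assumption).
    - In a pushed group AND assigned   -> also receives that group's roles.
    - Not assigned                     -> not a member, regardless of group membership.
    """
    members = {user: {MINIMAL} for user in assigned}
    for group, users in idp_groups.items():
        if group.startswith(RESERVED_PREFIX):
            continue  # such a group name is not allowed, so it contributes nothing
        for user in users:
            if user in members:
                members[user] |= set(group_roles.get(group, ()))
    return {user: sorted(roles) for user, roles in members.items()}


def preflight(assigned, idp_groups, group_roles):
    """Return (code, detail) issues found in the planned configuration."""
    issues = []
    for group in sorted(idp_groups):
        if group.startswith(RESERVED_PREFIX):
            issues.append(("reserved_prefix", group))
        for user in sorted(set(idp_groups[group]) - set(assigned)):
            issues.append(("not_assigned", f"{user} in {group}"))
    state = expected_members(assigned, idp_groups, group_roles)
    # Only SCIM-provisioned roles are considered; policies configured through the
    # traditional setup can coexist and are outside what this check can see.
    if not any(SUPER_ADMIN in roles for roles in state.values()):
        issues.append(("no_super_admin", "no assigned user would hold Super Administrator"))
    return issues


if __name__ == "__main__":
    for user, roles in sorted(expected_members(ASSIGNED, IDP_GROUPS, GROUP_ROLES).items()):
        print(user, "->", ", ".join(roles))
    for code, detail in preflight(ASSIGNED, IDP_GROUPS, GROUP_ROLES):
        print(f"[{code}] {detail}")
```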

## Prerequisites

* Cloudflare dashboard SCIM provisioning is only available to Enterprise customers using Okta, Microsoft Entra, or Authentik.
* You must be a Super Administrator for the initial setup.
* In the identity provider, you must have the ability to create applications and groups.

---

## Gather the required data

To start, you will need to collect a couple of pieces of data from Cloudflare and set these aside for later use.

### Get the Account ID

The account ID can be found via dashboard or API. For more information, refer to [Find account and zone IDs](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/).

### Create an API token

1. [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the following permissions:

   | Type    | Item              | Permission |
   | ------- | ----------------- | ---------- |
   | Account | SCIM Provisioning | Edit       |

   Note

   Account API tokens are recommended for SCIM Provisioning. User-owned API tokens, while supported, may result in a broken SCIM connection if the user's policies are revoked from the SCIM integration or [API access](https://developers.cloudflare.com/fundamentals/api/how-to/control-api-access/) is unexpectedly disabled. Learn more about [Account API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/).
2. Under **Account Resources**, select the specific account to include or exclude from the dropdown menu, if applicable.
3. Select **Continue to summary**.
4. Validate the permissions and select **Create Token**.
5. Copy the token value.


---

---
title: Provision with Authentik
description: Once you have gathered the required data, the following steps will be required to finish the provisioning with Authentik.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Provision with Authentik

Note

**Important Update:** Cloudflare now supports native User Groups for enhanced access control. This new feature replaces the previous method of directly assigning Cloudflare roles based on IdP group mappings (identified by the pattern `CF-<accountID> - <Role Name>`), which is deprecated as of June 2nd, 2025\. SCIM Virtual Groups will reach end-of-life on December 2, 2025\. Update your SCIM configurations using the instructions below to utilize User Groups for seamless provisioning.

Once you have [gathered the required data](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/#gather-the-required-data), the following steps will be required to finish the provisioning with Authentik.

## Set up your Authentik SCIM provider

1. In the Authentik Admin interface, go to **Applications** \> **Providers**.
2. Select **Create** and choose **SCIM Provider**.
3. Name your provider (for example, `Cloudflare SCIM`).
4. In **URL**, enter `https://api.cloudflare.com/client/v4/accounts/<accountID>/scim/v2`, replacing `<accountID>` with your [Cloudflare Account ID](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/#get-the-account-id).
5. In **Token**, paste the SCIM provisioning API token.
6. (Optional) Adjust the **User filtering** and **Group filtering** settings to control which users and groups are synchronized.
7. Select **Finish** to create the provider.

## Create an Authentik application

1. In the Authentik Admin interface, go to **Applications** \> **Applications**.
2. Select **Create**.
3. Name your application (for example, `Cloudflare Dashboard`).
4. In **Provider**, select the SCIM provider you created in the previous step.
5. Select **Create** to save the application.

## Configure user and group sync in Authentik

Note

The **Update User Attributes** option is not supported.

1. In the Authentik Admin interface, go to **Directory** \> **Groups**.
2. Create or select the groups you want to synchronize with Cloudflare. Ensure the users you want to provision are members of these groups.
3. Return to **Applications** \> **Providers** and select your SCIM provider.
4. Under **Backchannel Providers**, verify that your SCIM provider is correctly linked to the application.
5. To trigger a manual sync, select **Sync** from the provider page. Authentik will also perform automatic periodic syncs based on your configured schedule.

## Verify the integration

To verify the integration:

1. In Authentik, go to **Applications** \> **Providers**, select your SCIM provider, and review the **Sync status** section for any errors.
2. In the Cloudflare dashboard, go to **Manage Account** \> **Members** \> **User Groups** to view the synchronized groups.
3. Check the Audit Logs in the Cloudflare dashboard by going to **Manage Account** \> **Audit Log**.

## Assign policies to user groups

After users and groups are synchronized, you can assign [policies](https://developers.cloudflare.com/fundamentals/manage-members/policies/) to user groups:

1. In the Cloudflare dashboard, go to **Manage Account** \> **Members** \> **User Groups**.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Select the group you want to configure.
3. Assign the appropriate policies to define the [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) for group members.


---

---
title: Provision with Microsoft Entra
description: Once you have gathered the required data, the following steps will be required to finish the provisioning with Entra.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Provision with Microsoft Entra

Note

**Important Update:** Cloudflare now supports native User Groups for enhanced access control. This new feature replaces the previous method of directly assigning Cloudflare roles based on IdP group mappings (identified by the pattern `CF-<accountID> - <Role Name>`), which is deprecated as of June 2nd, 2025\. SCIM Virtual Groups will reach end-of-life on December 2, 2025\. Update your SCIM configurations using the instructions below to utilize User Groups for seamless provisioning.

Once you have [gathered the required data](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/#gather-the-required-data), the following steps will be required to finish the provisioning with Entra.

## Set up the Enterprise application

1. Go to the Entra admin center and select **Applications** \> **Enterprise Applications**.
2. In the Microsoft Entra Gallery, select **New application** \> **Create your own application**, then choose a name.
3. Select **Integrate any other application you don't find in the gallery (Non-gallery)**.
4. **Create** an application.

## Provision the Enterprise application

1. Inside the newly created application under **Manage** from the sidebar menu, select **Provisioning**.
2. Select **New configuration** and enter the **Tenant URL**: `https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2`. Replace `<ACCOUNT_ID>` with your own account ID.
3. Paste the SCIM provisioning API token value as **Secret token**.
4. Select **Test Connection** then **Save** the configuration.

## Configure user and group synchronization

1. In the newly created application, under **Manage** in the sidebar menu, select **Users and groups**.
2. [Assign users and groups to the application ↗](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).
3. After the users are assigned, navigate to **Provisioning** on the sidebar menu and select **Start Provisioning**.

Note

To successfully synchronize the group details into Cloudflare, the `User Principal Name` (of `Identity`) and `Email` (of `Contact Information`) fields of each user must be identical. Values are case-sensitive, and the User Principal Name can only contain alphanumeric characters. Learn more about [how to create, invite, and delete users ↗](https://learn.microsoft.com/entra/fundamentals/how-to-create-delete-users).

4. To validate which users and groups have been synchronized, navigate to **Provisioning logs** on the sidebar menu. You can also [review the Cloudflare Audit Logs](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/).

Read-only group

If the Entra group has the same name as an existing Cloudflare user group, the Cloudflare user group will become read-only after the provisioning.

5. To grant permissions to users and groups at Cloudflare, refer to [Roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) and [Policies](https://developers.cloudflare.com/fundamentals/manage-members/policies/).

## (Optional) Automate Cloudflare's SCIM integration

Cloudflare's SCIM integration requires one external application per account. Customers with multiple accounts may want to automate part of the setup to save time and reduce the amount of time spent in the Entra administrative UI.

The initial setup (creating the non-gallery applications and adding the provisioning URL and API key) is scriptable via API, but the rest of the setup depends on your specific needs and IdP configuration.

**1\. Get an access token**

Get an Entra access token. Note that the example below is using the Azure CLI.

```bash
# Using azure-cli
az login
az account get-access-token --resource https://graph.microsoft.com

# (payload with accessToken returned)
```

**2\. Create a new application via template.**

The template ID `8adf8e6e-67b2-4cf2-a259-e3dc5476c621` is the template that the Entra docs suggest for creating non-gallery apps. Replace `<accessToken>` and the `displayName` value with your values.

Example request

```bash
curl -X POST 'https://graph.microsoft.com/v1.0/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <accessToken>' \
  --data-raw '{
    "displayName": "Entra API create application test"
}'
```

Example response

```
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
  "application": {
    "id": "343a8552-f9d9-471c-b677-d37062117cc8",
    "appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
    "applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
    "createdDateTime": "2025-01-30T00:37:44Z",
    "deletedDateTime": null,
    "displayName": "Entra API create application test",
    "description": null,
    // ... snipped rest of large application payload
  },
  "servicePrincipal": {
    "id": "a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417", // Note this ID for the subsequent request
    "deletedDateTime": null,
    "accountEnabled": true,
    "appId": "03d8207b-e837-4be9-b4e6-180492eb3b61",
    "applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
    "appDisplayName": "Entra API create application test",
    // ...snipped rest of JSON payload
  }
}
```

**3\. Create a provisioning job**

To enable provisioning, you will also need to create a job. The `id` of the `servicePrincipal` object returned by the previous request is used as `<SERVICE_PRINCIPAL_ID>` in the request below. The SCIM `templateId` is an Entra-provided template.

Example request

```bash
curl -X POST 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/jobs' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <accessToken>' \
  --data-raw '{
    "templateId": "scim"
}'
```

Example response

```
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('a8cb133d-f841-4eb9-8bc9-c8e9e8c0d417')/synchronization/jobs/$entity",
  "id": "scim.5b223a2cc249463bbd9a791550f11c76.03d8207b-e837-4be9-b4e6-180492eb3b61",
  "templateId": "scim",
  "schedule": {
    "expiration": null,
    "interval": "PT40M",
    "state": "Disabled"
  },
  // ... snipped rest of JSON payload
}
```

**4\. Configure the SCIM provisioning URL and API token**

Next, configure the Tenant URL (Cloudflare SCIM endpoint) and API token (SCIM Provisioning API Token).

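Replace `<accessToken>`, `<SERVICE_PRINCIPAL_ID>`, `<ACCOUNT_ID>`, and `<SCIM_PROVISIONING_API_TOKEN_VALUE>` with your values.

Example request

```bash
# Store the Cloudflare SCIM endpoint and token as synchronization secrets
# on the service principal created in step 2 (Microsoft Graph "add synchronization secrets").
curl -X PUT 'https://graph.microsoft.com/v1.0/servicePrincipals/<SERVICE_PRINCIPAL_ID>/synchronization/secrets' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <accessToken>' \
  --data-raw '{
  "value": [
    {
      "key": "BaseAddress",
      "value": "https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/scim/v2"
    },
    {
      "key": "SecretToken",
      "value": "<SCIM_PROVISIONING_API_TOKEN_VALUE>"
    }
  ]
}'
```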

After completing the tasks above, the next steps in Entra include:

* Completing any additional group and provisioning configuration
* Testing and saving after updating the configuration
* Provisioning after configuration is complete


---

---
title: Provision with Okta
description: Once you have gathered the required data, the following steps will be required to finish the provisioning with Okta.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Provision with Okta

Note

**Important Update:** Cloudflare now supports native User Groups for enhanced access control. This new feature replaces the previous method of directly assigning Cloudflare roles based on IdP group mappings (identified by the pattern `CF-<accountID> - <Role Name>`), which is deprecated as of June 2nd, 2025\. SCIM Virtual Groups will reach end-of-life on December 2, 2025\. Update your SCIM configurations using the instructions below to utilize User Groups for seamless provisioning.

Once you have [gathered the required data](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/#gather-the-required-data), the following steps will be required to finish the provisioning with Okta.

## Set up your Okta SCIM application

1. In the Okta dashboard, go to **Applications** \> **Applications**.
2. Select **Browse App Catalog**.
3. Locate and select **SCIM 2.0 Test App (OAuth Bearer Token)**.
4. Select **Add Integration** and name your integration.
5. Enable the following options:  
   * **Do not display application icon to users**  
   * **Do not display application icon in the Okta Mobile App**
6. Disable **Automatically log in when user lands on login page**.
7. Select **Next**, then select **Done**.

## Integrate the Cloudflare API

Note

The **Update User Attributes** option is not supported.

1. In your integration page, go to **Provisioning** \> **Configure API Integration**.
2. Enable **Enable API Integration**.
3. In **SCIM 2.0 Base URL**, enter `https://api.cloudflare.com/client/v4/accounts/<accountID>/scim/v2`, replacing `<accountID>` with your [Cloudflare Account ID](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/#get-the-account-id).
4. In the **OAuth Bearer Token** field, enter your API token value.
5. Deselect **Import Groups**.

## Configure user & group sync in Okta

1. In **Provisioning to App**, select **Edit**.
2. Enable **Create Users** and **Deactivate Users**. Select **Save**.
3. Select **Done**.
4. In the **Assignments** tab, add the users you want to synchronize with the Cloudflare dashboard. You can add users in batches by assigning a group. Removing a user from the application assignment, either by removing the direct user assignment or by removing the user from a group that was assigned to the app, triggers a deprovisioning event from Okta to Cloudflare.
5. In the **Push Groups** tab, add the Okta groups you want to synchronize with the Cloudflare dashboard. View these Okta groups in the dashboard under **Manage Account** \> **Manage members** \> **Members** \> **User Groups**.

To verify the integration, select **View Logs** in the Okta SCIM application, and check the Audit Logs in the Cloudflare dashboard by navigating to **Manage Account** \> **Audit Log**.

This will provision all of the users in the group(s) affected to your Cloudflare account with "minimal account access."


---

---
title: SCIM troubleshooting
description: If you have removed all Super Administrators mistakenly, you can restore the role to account member(s) using the Account API Token you created for SCIM provisioning.
image: https://developers.cloudflare.com/core-services-preview.png
---


# SCIM troubleshooting

## Restore Super Administrator after group misconfiguration

If you have removed all Super Administrators mistakenly, you can restore the role to account member(s) using the Account API Token you created for SCIM provisioning.

First, fetch a list of account members and find the member ID for the user you want to restore Super Admin to via [list members](https://developers.cloudflare.com/api/resources/accounts/subresources/members/methods/list/).

```
curl -X GET "https://api.cloudflare.com/client/v4/accounts/{account_id}/members" \
  -H "Authorization: Bearer YOUR_SCIM_AOT" \
  -H "Content-Type: application/json"
```

Then restore the Super Admin role to that member via [update member](https://developers.cloudflare.com/api/resources/accounts/subresources/members/methods/update/).

```
curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/members/{member_id}" \
  -H "Authorization: Bearer YOUR_SCIM_AOT" \
  -H "Content-Type: application/json" \
  -d '{
    "roles": [
      {
        "id": "33666b9c79b9a5273fc7344ff42f953d"
      }
    ]
  }'
```

The value `33666b9c79b9a5273fc7344ff42f953d` is the role ID of Super Administrator.
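The two calls above can be scripted so that the member lookup and the role update are checked before anything is sent. This is an added example, not Cloudflare's own code; the response field layout (`result[].id`, `result[].user.email`, `result[].roles[].id`), the sample data, and the 32-character hex ID check are assumptions.

```python
import json
import re
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
# Role ID of Super Administrator, as given on this page.
SUPER_ADMIN_ROLE_ID = "33666b9c79b9a5273fc7344ff42f953d"
# Assumption: account and member IDs are 32 lowercase hex characters.
_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample of a list-members response body (IDs, emails and role
# entries are made up; the field layout is an assumption).
SAMPLE_MEMBERS_RESPONSE = {
    "success": True,
    "result": [
        {
            "id": "11111111111111111111111111111111",
            "user": {"email": "alice@example.com"},
            "roles": [{"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "Example Role A"}],
        },
        {
            "id": "22222222222222222222222222222222",
            "user": {"email": "bob@example.com"},
            "roles": [{"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "name": "Example Role B"}],
        },
    ],
}


def super_admins(members_response):
    """Return the emails of members that currently hold the Super Administrator role."""
    return [
        m["user"]["email"]
        for m in members_response.get("result", [])
        if any(r.get("id") == SUPER_ADMIN_ROLE_ID for r in m.get("roles", []))
    ]


def find_member_id(members_response, email):
    """Return the member ID for `email`; raise if there is not exactly one match."""
    wanted = email.strip().lower()
    matches = [
        m for m in members_response.get("result", [])
        if m.get("user", {}).get("email", "").lower() == wanted
    ]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one member for {email!r}, found {len(matches)}")
    return matches[0]["id"]


def build_restore_request(account_id, member_id, token):
    """Build (but do not send) the PUT request shown on the page."""
    # Reject anything that is not a plain ID so a typo or pasted path cannot
    # redirect the request to a different API resource.
    for label, value in (("account_id", account_id), ("member_id", member_id)):
        if not _ID_RE.fullmatch(value):
            raise ValueError(f"{label} is not a 32-character hex ID")
    body = json.dumps({"roles": [{"id": SUPER_ADMIN_ROLE_ID}]}).encode()
    return urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/members/{member_id}",
        data=body,
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Only proceed when the account really has no Super Administrator left.
    if not super_admins(SAMPLE_MEMBERS_RESPONSE):
        member_id = find_member_id(SAMPLE_MEMBERS_RESPONSE, "alice@example.com")
        req = build_restore_request(
            "0123456789abcdef0123456789abcdef",  # constructed account ID
            member_id,
            "YOUR_SCIM_AOT",  # placeholder; load the real token from a secret store
        )
        print(req.get_method(), req.full_url)
        # urllib.request.urlopen(req) would send it; omitted so the example runs offline.
```

Afterwards, confirm the role change appears in the account's Audit Log.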


---

---
title: Secure compromised account
description: If you observe suspicious activity within your Cloudflare account, secure your account with these steps.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Secure compromised account

If you observe suspicious activity within your Cloudflare account, secure your account with these steps.

## Step 1 - Change your password

For more guidance on changing your password, refer to [Change email address or password](https://developers.cloudflare.com/fundamentals/user-profiles/change-password-or-email/).

## Step 2 - Revoke active account sessions

When there is more than one active session associated with your email account, you can revoke any session that is not the current session.

To revoke a session:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile** \> **Sessions**.
3. On a specific session, click **Revoke**.
4. You will be prompted to enter your password before revoking the session.

## Step 3 - Enable Two-Factor Authentication (2FA)

To prevent future compromises, make sure that you have [Two-Factor Authentication (2FA)](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/) enabled on your account.

## Step 4 - Change API keys and tokens

### API keys

If your API key might be compromised, change your API key:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile** \> **API Tokens**.
3. In the **API Keys** section, find your key.
4. Select **Change**.

### API tokens

If your token is lost or compromised, you can either create a new token or roll your token to generate a new secret. Rolling your API token into a new one will invalidate the previous token, but the access and permissions will be the same as the previous API token.

To roll your API token:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile** \> **API Tokens**.
3. Next to the API token you want to roll, select the **three dot icon** \> **Roll**.
4. Select **Confirm** to generate a new API token.

## Step 5 - Review the audit log

To access audit logs in the Cloudflare dashboard:

In the Cloudflare dashboard, go to the **Audit Logs** page.

[ Go to **Audit logs** ](https://dash.cloudflare.com/?to=/:account/audit-log) 

You can search these audit logs by user email or domain and filter by date range. To download audit logs, click **Download CSV**.

Note

Depending on the volume of data, the export of large amounts of events from Audit Logs might fail with errors. We always recommend using Cloudflare [Logpush](https://developers.cloudflare.com/logs/logpush/) to make sure Audit Logs are always available and stored externally.

If you notice any settings were changed, you should undo those changes.


---

---
title: Zone holds
description: Zone holds prevent other teams in your organization from adding zones that are already active in another account.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Zone holds

Zone holds prevent other teams in your organization from adding zones that are already active in another account.

For example, you might already have an active Cloudflare zone for `example.com`. If another team does not realize this, they could add and activate `example.com` in another Cloudflare account, which may cause downtime or security issues until the original zone can be re-activated.

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | No   | No  | No       | Yes        |

## Enable zone holds

When you enable a zone hold, no one else can [add your zone](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) to their Cloudflare account. If they attempt to, they will receive the following message:

_The zone name provided is subject to a hold which disallows the creation of this zone. Please contact the domain owner to have this hold removed._

To enable a zone hold:

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Select your account and zone.
3. On the zone homepage, go to **Quick Actions**.
4. For **Zone Hold**, switch the toggle to **On**.

You also have the option to **Also prevent subdomains**, which prevents anyone in your organization from creating subdomains or custom hostnames related to your zone.

## Release zone holds

You may want to temporarily release a zone hold to allow another team to [register a subdomain](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/) in a separate Cloudflare account, such as `docs.example.com`.

To release a zone hold:

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Select your account and zone.
3. On the zone homepage, go to **Quick Actions**.
4. For **Zone Hold**, switch the toggle to **Off**.
5. Choose the length of your release.
6. Select **Release hold**.


---

---
title: Change Super Administrator
description: If you or someone in your organization leaves or loses access to email, you can add another Super Administrator using any other Super Administrator on your Account with a verified email address.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Change Super Administrator

If you or someone in your organization leaves or loses access to email, you can add another Super Administrator using any other Super Administrator on your Account with a [verified email ↗](https://developers.cloudflare.com/fundamentals/account/verify-email-address/) address.

First, [add a member](https://developers.cloudflare.com/fundamentals/manage-members/manage/) to your account and assign the **Super Administrator** role.

Then, if needed, remove the previous Super Administrator.


---

---
title: Create account
description: Learn how to create a new Cloudflare account.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Create account

To create a Cloudflare account:

1. Go to the [Sign up page ↗](https://dash.cloudflare.com/sign-up).
2. Enter your **Email** and **Password**.
3. Select **Create Account**.

Once you create your account, Cloudflare will automatically send an email to your address to [verify that email address](https://developers.cloudflare.com/fundamentals/user-profiles/verify-email-address/).

## Account name

Your account name defaults to `<<YOUR_EMAIL_ADDRESS>>'s Account`.

You may want to customize the name of this account, either to help specify its purpose or to help associate it with multiple accounts.

To change your account name:

1. In the Cloudflare dashboard, go to the **Configurations** page.  
[ Go to **Configurations** ](https://dash.cloudflare.com/?to=/:account/configurations)
2. For **Account Name**, select **Change Name**.
3. Enter a new account name.
4. Select **Save**.

## Best practices

If you are creating an account for your team or a business, we recommend choosing an email alias or distribution list for your **Email**, such as `cloudflare@example.com`.

This email address is the main point of contact for your Cloudflare billing, usage notifications, and account recovery.

Refer to [Account and domain management best practices](https://developers.cloudflare.com/fundamentals/reference/best-practices/) for a detailed list of ways to protect your account and domain.

Once you [set up an account](https://developers.cloudflare.com/fundamentals/account/), you have several ways to interact with Cloudflare.

## Interact with Cloudflare

If you prefer working without code, you can manage your account and domain settings through the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login).

Note

If your domain was added to Cloudflare by a hosting partner, manage your DNS records via the hosting partner.

For those who prefer to interact with Cloudflare programmatically, you can use several methods:

| Resource                                                                                 | Docs                                                                   | Description                                                                    |
| ---------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| [Cloudflare API](https://developers.cloudflare.com/fundamentals/api/)                    | [API docs](https://developers.cloudflare.com/api/)                     | RESTful API based on HTTPS requests and JSON responses.                        |
| [Terraform ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) | [Terraform docs](https://developers.cloudflare.com/terraform/)         | Configure Cloudflare using HashiCorp's Infrastructure as Code tool, Terraform. |
| [cloudflare-go ↗](https://github.com/cloudflare/cloudflare-go)                           | [README ↗](https://github.com/cloudflare/cloudflare-go#readme)         | The official Go library for the Cloudflare API.                                |
| [cloudflare-typescript ↗](https://github.com/cloudflare/cloudflare-typescript)           | [README ↗](https://github.com/cloudflare/cloudflare-typescript#readme) | The official TypeScript library for the Cloudflare API.                        |
| [cloudflare-python ↗](https://github.com/cloudflare/cloudflare-python)                   | [README ↗](https://github.com/cloudflare/cloudflare-python#readme)     | The official Python library for the Cloudflare API.                            |


---

---
title: Find account and zone IDs
description: Once you set up a new account and add your domain to Cloudflare, you may need access to your zone and account IDs for API operations.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Find account and zone IDs

Once you [set up a new account](https://developers.cloudflare.com/fundamentals/account/) and [add your domain](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) to Cloudflare, you may need access to your zone and account IDs for API operations.

## Copy your Account ID

1. In the Cloudflare dashboard, go to the **Account home** page.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select the menu button at the end of the account row.![Screenshot of the Overview page with the API section highlighted](https://developers.cloudflare.com/_astro/overview-account-id.0vaDbwHf_Z21Ejkq.webp)
3. Select **Copy account ID**.

### Users with a single account

To copy the account ID when you only have one account:

1. In the Cloudflare dashboard, go to the **Account home** page and locate your account.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Select the menu button next to your account name.
3. From the list that appears, select **Copy account ID**.![Screenshot of the Overview page with the API section highlighted](https://developers.cloudflare.com/_astro/single-account-id.D7jBJK09_Z29PioK.webp)

## Copy your Zone ID

1. In the Cloudflare dashboard, go to the **Account home** page and locate your account.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. From the **Overview** page for your account, locate the **API** section towards the bottom of the page.![Screenshot of the Overview page with the API section highlighted](https://developers.cloudflare.com/_astro/dash-overview-api-highlighted.BUg6qi1p_IpAUW.webp)
3. Under **Zone ID**, select **Click to copy**. You can also find your **Account ID** under the **API** section.

## Find account ID (Workers and Pages)

You can also find your account ID from the **Workers & Pages** section of your account.

1. In the Cloudflare dashboard, go to the **Workers & Pages** page.  
[ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
2. The **Account details** section contains your **Account ID**.
3. To copy the Account ID, select **Click to copy**.
![Screenshot of the Workers & Pages Overview page with the account ID section highlighted](https://developers.cloudflare.com/_astro/workers-account-id.BrhDn1KP_1SxaIU.webp) 


---

---
title: Account API tokens
description: Learn what account API tokens are, when to use them, and what they currently work with
image: https://developers.cloudflare.com/core-services-preview.png
---


# Account API tokens

While user tokens act on behalf of a particular user and inherit a subset of that user's permissions, account API tokens allow you to set up durable integrations that can act as service principals with their own specific set of permissions. This approach is ideal for scenarios like CI/CD, or building integrations with external services like SIEMs where it is important that the integration continues working, even long after the user who configured the integration may have left your organization altogether. User tokens are better for ad hoc tasks like scripting, where acting as the user is ideal and durability is less of a concern.

## Create an account owned token

Note

Creating an account owned token requires Super Administrator permission on the account.

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Go to **Manage Account** \> **Account API Tokens**.
3. Select **Create Token** and fill in the token name, permissions, and the optional expiration date for the token.
4. Select **Continue to summary** and review the details.
5. Select **Create Token**.

Alternatively, you can create a token using the [account API token creation API](https://developers.cloudflare.com/api/resources/accounts/subresources/tokens/methods/create/).

Refer to the [blog post ↗](https://blog.cloudflare.com/account-owned-tokens-automated-actions-zaraz/) for more information.

## Compatibility matrix

Account API tokens are generally available for all accounts. Some services may not support account API tokens yet. Refer to the compatibility matrix below for the latest status.

| Product                                     | Compatibility |
| ------------------------------------------- | ------------- |
| Access                                      | ✅             |
| Account Analytics                           | ✅             |
| Account Management                          | ✅             |
| AI Gateway                                  | ✅             |
| API Shield                                  | ✅             |
| Argo                                        | ✅             |
| Billing                                     | ✅             |
| Bulk Redirects                              | ✅             |
| Cache                                       | ✅             |
| Tiered Cache                                | ✅             |
| Client-side security (formerly Page Shield) | ✅             |
| Cloud Connector                             | ✅             |
| Configuration Rules                         | ✅             |
| Custom Lists                                | ✅             |
| Custom Pages                                | ✅             |
| D1                                          | ✅             |
| Data Loss Prevention                        | ✅             |
| Digital Experience Monitoring               | ✅             |
| Distributed Web                             | ✅             |
| DNS                                         | ✅             |
| Durable Objects                             | ✅             |
| Email Relay                                 | ✅             |
| Secure Web Gateway                          | ✅             |
| Healthchecks                                | ✅             |
| Hyperdrive                                  | ✅             |
| Images                                      | ✅             |
| Intel Data Platform                         | ❌             |
| Load Balancing                              | ✅             |
| Log Explorer                                | ✅             |
| Network Flow                                | ✅             |
| Magic Transit                               | ✅             |
| Cloudflare WAN                              | ✅             |
| Managed Rules                               | ✅             |
| Network Error Logging                       | ✅             |
| Page Rules                                  | ❌             |
| Pages                                       | ✅             |
| R2                                          | ✅             |
| Radar                                       | ✅             |
| Registrar                                   | ❌             |
| Rulesets                                    | ✅             |
| Spectrum                                    | ✅             |
| Speed                                       | ✅             |
| SSL/TLS                                     | ✅             |
| Stream                                      | ✅             |
| Super Bot Fight Mode                        | ❌             |
| Trace                                       | ✅             |
| Tunnels                                     | ✅             |
| Turnstile                                   | ❌             |
| Vectorize                                   | ✅             |
| Waiting Room                                | ✅             |
| Workers                                     | ✅             |
| Workers AI                                  | ✅             |
| Workers KV                                  | ✅             |
| Workers Observability                       | ✅             |
| Workers Queues                              | ✅             |
| Workflows                                   | ✅             |
| Zaraz                                       | ✅             |
| Zero Trust Client Platform                  | ❌             |
| Zero Trust Devices and Services             | ✅             |
| Zone/Domain Management                      | ✅             |


---

---
title: Get Origin CA keys
description: Origin CA keys are often used as the value of header X-AUTH-USER-SERVICE-KEY when interacting with Origin CA certificates API. It is also used by Keyless SSL key server.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Get Origin CA keys

Deprecated

Origin CA keys (Service Keys) are deprecated and will be removed on September 30, 2026\. Use an [API Token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with `Zone`\-`SSL and Certificates`\-`Edit` permissions instead. For more information, refer to [API deprecations](https://developers.cloudflare.com/fundamentals/api/reference/deprecations/).

Origin CA keys are often used as the value of the `X-AUTH-USER-SERVICE-KEY` header when interacting with the [Origin CA certificates](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/) API. They are also used by the [Keyless SSL](https://developers.cloudflare.com/ssl/keyless-ssl/) key server.

The key value always starts with `v1.0-`.

## Limitations

* Changing the Origin CA key is not recorded by [Audit Logs](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/).
* Each time you view the Origin CA key, it will be presented as a different value. All these different values are **simultaneously valid** until you click the `Change` button, which immediately invalidates all previously generated values.
* Origin CA keys have access to every account the user has access to.

## View/Change your Origin CA keys

To retrieve your Origin CA keys:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com).  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **User Profile** \> **API Tokens**.
3. In the **API Keys** section, select `Origin CA Key`.


---

---
title: Create API token
description: Learn how to create a token to perform actions using the Cloudflare API.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Create API token

Prerequisite

Before you begin, [find your zone and account IDs](https://developers.cloudflare.com/fundamentals/account/find-account-and-zone-ids/).

1. Determine if you want a user token or an [Account API token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/). Use Account API tokens if you prefer service tokens that are not associated with users and your [desired API endpoints are compatible](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/#compatibility-matrix).
2. From the [Cloudflare dashboard ↗](https://dash.cloudflare.com/profile/api-tokens/), go to **My Profile** \> **API Tokens** for user tokens. For Account Tokens, go to **Manage Account** \> **API Tokens**.
3. Select **Create Token**.
4. Select a template from the available [API token templates](https://developers.cloudflare.com/fundamentals/api/reference/template/) or create a custom token. The following example uses the **Edit zone DNS** template.
5. Add or edit the token name to describe why or how the token is used. Templates are prefilled with a token name and permissions.  
![Token template overview screen](https://developers.cloudflare.com/_astro/template-customize.DcB2c3lZ_oLcBA.webp)
6. Modify the token's permissions. After selecting a permissions group (_Account_, _User_, or _Zone_), choose what level of access to grant the token. Most groups offer `Edit` or `Read` options. `Edit` is full CRUDL (create, read, update, delete, list) access, while `Read` grants read access and, where appropriate, list access. Refer to the [available token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) for more information.
7. Select which resources the token is authorized to access. For example, granting `Zone DNS Read` access to a zone `example.com` will allow the token to read DNS records only for that specific zone. DNS record read operations on any other zone will return an error. Any other operation on that zone will also return an error.
8. (Optional) Restrict how a token is used in the **Client IP Address Filtering** and **TTL (time to live)** fields.
9. Select **Continue to summary**.
10. Review the token summary. Select **Edit token** to make adjustments. You can also edit a token after creation.  
![Token summary screen displaying the resources and permissions selected](https://developers.cloudflare.com/_astro/token-summary.C1HKh5XB_Z2cBnBq.webp)
11. Select **Create Token** to generate the token's secret.
12. Copy the secret to a secure place.

Warning

The token secret is **only shown once**. Do not store the secret in plaintext where others can access it. Anyone with this token can perform the authorized actions against the resources that the token has access to.

![Token creation completion screen displaying your API token and the curl command to test your token](https://developers.cloudflare.com/_astro/token-complete.T8mB8qZ5_2mc4EV.webp) 

The token secret page also includes an example command to test the token. Use the `/user/tokens/verify` endpoint to fetch the current status of the given token.

```
curl "https://api.cloudflare.com/client/v4/user/tokens/verify" \
  --header "Authorization: Bearer <API_TOKEN>"
```

The result:

```
{
  "result": {
    "id": "100bf38cc8393103870917dd535e0628",
    "status": "active"
  },
  "success": true,
  "errors": [],
  "messages": [
    {
      "code": 10000,
      "message": "This API Token is valid and active",
      "type": null
    }
  ]
}
```

With this you have successfully created an API token and can start working with the Cloudflare API. After creating your first API token, you can create additional API tokens [via the API](https://developers.cloudflare.com/fundamentals/api/how-to/create-via-api/).


---

---
title: Get Global API key (legacy)
description: Global API key is the previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API key.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Get Global API key (legacy)

Global API key is the previous authorization scheme for interacting with the Cloudflare API. When possible, use [API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) instead of Global API key.

Note

Global API key is only available after the [account email address is verified](https://developers.cloudflare.com/fundamentals/user-profiles/verify-email-address/).

## Limitations

Global API key has multiple limitations when compared to API tokens:

* **Access to all Cloudflare resources** \- Global API key has access to all of a user's resources. This makes it impossible to safely use Global API key to access non-production resources when a user also has access to production resources.
* **Full permissions** \- Similarly, Global API key has the exact same permissions as the user, which means if the user can delete zones or change DNS records, so can the Global API key.
* **Limited to one per user** \- Only one Global API key can be provisioned per user. This complicates using Cloudflare's API in production systems, where it is important to maintain two secrets for accessing the API in case one needs to be rolled.
* **Lack of advanced limits on usage** \- API tokens can be limited to specific time windows and expire or be limited to use from specific IP ranges.

For these reasons, Global API key is not recommended for new customers. Current customers using Global API key are encouraged to migrate and use API tokens instead.

## View your Global API key

To retrieve your Global API key:

1. In the Cloudflare dashboard, select **User Profile** \> **API Tokens**.  
[ Go to **Account API tokens** ](https://dash.cloudflare.com/?to=/:account/api-tokens)
2. In the **API Keys** section, select the `View` button for **Global API Key**.

## Change your Global API key

If your API key might be compromised, change your API key:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile** \> **API Tokens**.
3. In the **API Keys** section, find your key.
4. Select **Change**.


---

---
title: API token template URLs
description: Generate Cloudflare API tokens with pre-configured permissions using template URLs. Learn how to create and customize template URLs for any use case.
image: https://developers.cloudflare.com/core-services-preview.png
---


# API token template URLs

Use template URLs to generate Cloudflare API tokens with pre-configured permissions. Template URLs allow you to share token requirements with users without manually selecting permissions in the dashboard.

Template URLs use query parameters to pre-fill the API token creation page in the Cloudflare dashboard. When a user opens a template URL, the dashboard automatically configures the specified permissions and settings.

Cloudflare supports template URLs for both [user API tokens](#user-token-url-format) and [account API tokens](#account-token-url-format). For more information on the difference between these token types, refer to [Account API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/).

Note

Template URLs only pre-fill the token creation form. Users must still complete the token creation process in the dashboard.

## User token URL format

User token template URLs open the token creation form at the user profile level (`/profile/api-tokens`). Tokens created this way are owned by the user.

The basic template URL structure is:

```
https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=[ENCODED_PERMISSIONS]&accountId=*&zoneId=all&name=[TOKEN_NAME]
```

### URL components

| Parameter           | Required | Description                                  |
| ------------------- | -------- | -------------------------------------------- |
| permissionGroupKeys | Yes      | URL-encoded JSON array of permission objects |
| accountId           | Yes      | Account scope (use \* for all accounts)      |
| zoneId              | Yes      | Zone scope (use all for all zones)           |
| name                | No       | Pre-filled token name                        |

## Account token URL format

Account token template URLs open the token creation form at the account level. Tokens created this way are owned by the account (service principal tokens) and are not tied to any individual user. Creating account tokens requires Super Administrator or Administrator permissions.

The basic template URL structure is:

```
https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=[ENCODED_PERMISSIONS]&name=[TOKEN_NAME]
```

The `:account` segment is a placeholder. When a user opens the URL, the dashboard prompts them to select an account if they have access to more than one.

### URL components

| Parameter           | Required | Description                                  |
| ------------------- | -------- | -------------------------------------------- |
| permissionGroupKeys | Yes      | URL-encoded JSON array of permission objects |
| name                | No       | Pre-filled token name                        |

Note

Account token template URLs do not use `accountId` or `zoneId` parameters. Resource scoping for account tokens is configured during token creation in the dashboard.

## Permission format

Both user token and account token template URLs use the same permission encoding. Permissions are encoded as a JSON array with the following structure:

```
[{ "key": "permission_name", "type": "read|edit|revoke|run|purge" }]
```

### Permission types

| Type   | Description                                |
| ------ | ------------------------------------------ |
| read   | Read-only access                           |
| edit   | Full access (create, read, update, delete) |
| revoke | Revoke permissions                         |
| run    | Execute permissions                        |
| purge  | Purge permissions                          |

## Create custom templates

### 1\. Identify required permissions

List the permissions your use case needs. Refer to the [permission reference](#permission-reference) table.

### 2\. Create the permission JSON

Format your permissions as a JSON array:

```
[
  { "key": "zone_dns", "type": "edit" },
  { "key": "analytics", "type": "read" }
]
```

### 3\. URL-encode the JSON

Use a URL encoder to convert the JSON string:

```
%5B%7B%22key%22%3A%22zone_dns%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%5D
```

### 4\. Build the complete URL

For a **user token**, combine all components into the final template URL:

```
https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=[ENCODED_JSON]&accountId=*&zoneId=all&name=Custom%20Token
```

For an **account token**, use the account-level path instead:

```
https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=[ENCODED_JSON]&name=Custom%20Token
```
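The four steps above, scripted as an added example (not code from Cloudflare's documentation): it builds user and account template URLs and also decodes a received template URL so its requested permissions and scope can be reviewed before anyone opens it. The function names and the wording of the review findings are assumptions; the URL layout and permission types are the ones given on this page.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

DASH_HOST = "dash.cloudflare.com"
USER_PATH = "/profile/api-tokens"
ACCOUNT_ROUTE = "/:account/api-tokens"
# Values from the "Permission types" table on this page.
PERMISSION_TYPES = {"read", "edit", "revoke", "run", "purge"}


def encode_permissions(permissions):
    """Steps 2 and 3: serialize the permission array compactly, then percent-encode it."""
    for perm in permissions:
        if set(perm) != {"key", "type"}:
            raise ValueError(f"expected exactly 'key' and 'type': {perm!r}")
        if perm["type"] not in PERMISSION_TYPES:
            raise ValueError(f"unknown permission type: {perm['type']!r}")
    compact = json.dumps(permissions, separators=(",", ":"))
    return quote(compact, safe="")  # safe="" leaves only unreserved characters as-is


def build_template_url(permissions, name, kind="user"):
    """Step 4: assemble a user or account token template URL."""
    encoded = encode_permissions(permissions)
    label = quote(name, safe="")
    if kind == "user":
        # accountId=* (all accounts) and zoneId=all are the scope values shown on this page.
        return (f"https://{DASH_HOST}{USER_PATH}?permissionGroupKeys={encoded}"
                f"&accountId={quote('*', safe='')}&zoneId=all&name={label}")
    if kind == "account":
        return (f"https://{DASH_HOST}/?to={ACCOUNT_ROUTE}"
                f"&permissionGroupKeys={encoded}&name={label}")
    raise ValueError("kind must be 'user' or 'account'")


def review_template_url(url):
    """Decode a template URL and report what it would pre-fill in the dashboard."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.scheme != "https" or parts.hostname != DASH_HOST:
        raise ValueError("not a Cloudflare dashboard URL")
    if parts.path == USER_PATH:
        kind = "user"
    elif parts.path == "/" and query.get("to") == [ACCOUNT_ROUTE]:
        kind = "account"
    else:
        raise ValueError("not a token template URL")

    raw = query.get("permissionGroupKeys", [])
    if len(raw) != 1:
        raise ValueError("permissionGroupKeys must appear exactly once")
    permissions = json.loads(raw[0])  # JSONDecodeError is a ValueError
    if not isinstance(permissions, list) or not all(isinstance(p, dict) for p in permissions):
        raise ValueError("permissionGroupKeys must be a JSON array of objects")

    findings = []
    for perm in permissions:
        key, ptype = perm.get("key"), perm.get("type")
        if ptype not in PERMISSION_TYPES:
            findings.append(f"{key}: unknown type {ptype!r}")
        elif ptype != "read":
            findings.append(f"{key}: requests '{ptype}' rather than 'read'")
    if kind == "user":
        if query.get("accountId") == ["*"]:
            findings.append("scope is pre-filled to all accounts (accountId=*)")
        if query.get("zoneId") == ["all"]:
            findings.append("scope is pre-filled to all zones (zoneId=all)")
    return {
        "kind": kind,
        "name": query.get("name", [""])[0],
        "permissions": permissions,
        "findings": findings,
    }


if __name__ == "__main__":
    wanted = [{"key": "zone_dns", "type": "edit"}, {"key": "analytics", "type": "read"}]
    for kind in ("user", "account"):
        url = build_template_url(wanted, "Custom Token", kind=kind)
        print(url)
        for finding in review_template_url(url)["findings"]:
            print("  review:", finding)
```

The findings are a least-privilege prompt for the person sharing or receiving the URL; the dashboard still shows the pre-filled form, and resource scope can be narrowed there before the token is created.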

## Permission reference

Use this table to find permission keys for your custom templates.

### Account permissions

| Permission key       | Description           | Common use cases         |
| -------------------- | --------------------- | ------------------------ |
| account\_analytics   | Account analytics     | Reporting, monitoring    |
| account\_api\_tokens | API token management  | Token automation         |
| account\_settings    | Account configuration | Account management       |
| billing              | Billing information   | Cost tracking, invoicing |
| workers\_scripts     | Workers scripts       | Serverless functions     |
| workers\_kv          | Workers KV storage    | Data storage             |
| workers\_routes      | Workers routes        | Traffic routing          |

### Zone permissions

| Permission key     | Description     | Common use cases       |
| ------------------ | --------------- | ---------------------- |
| zone\_dns          | DNS records     | Domain management      |
| zone               | Zone management | Domain configuration   |
| analytics          | Zone analytics  | Performance monitoring |
| firewall\_services | Firewall rules  | Security management    |
| page\_rules        | Page rules      | Traffic control        |
| cache\_purge       | Cache purging   | Content updates        |

### Access permissions

| Permission key       | Description          | Common use cases          |
| -------------------- | -------------------- | ------------------------- |
| access               | Access applications  | Zero Trust apps           |
| access\_acct         | Access organizations | Identity management       |
| access\_audit\_log   | Access audit logs    | Compliance, security      |
| access\_custom\_page | Custom pages         | Branding, user experience |

## Common permission templates

Use these ready-to-use template URLs for common scenarios. Each example provides both a user token URL and an account token URL.

### DNS management

Create tokens for DNS record management.

#### User token

| Use case       | Template URL                                                                                                                                                                                |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| DNS read-only  | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22zone\_dns%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=DNS%20Read%20Token       |
| DNS read/write | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22zone\_dns%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=DNS%20Management%20Token |

#### Account token

| Use case       | Template URL                                                                                                                                                             |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| DNS read-only  | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22zone\_dns%22%2C%22type%22%3A%22read%22%7D%5D&name=DNS%20Read%20Token       |
| DNS read/write | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22zone\_dns%22%2C%22type%22%3A%22edit%22%7D%5D&name=DNS%20Management%20Token |

### Workers development

Create tokens for Workers, KV storage, and related services.

#### User token

| Use case             | Template URL                                                                                                                                                                                                                                                                                                                                  |
| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workers scripts only | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Workers%20Scripts%20Token                                                                                                                                           |
| Workers full access  | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_kv%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_routes%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Workers%20Full%20Access%20Token |

#### Account token

| Use case             | Template URL                                                                                                                                                                                                                                                                                                               |
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workers scripts only | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%5D&name=Workers%20Scripts%20Token                                                                                                                                           |
| Workers full access  | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_kv%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_routes%22%2C%22type%22%3A%22edit%22%7D%5D&name=Workers%20Full%20Access%20Token |

### Analytics and monitoring

Create tokens for accessing analytics and logs.

#### User token

| Use case          | Template URL                                                                                                                                                                                            |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Account analytics | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account\_analytics%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Account%20Analytics%20Token |
| Zone analytics    | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Zone%20Analytics%20Token             |

#### Account token

| Use case          | Template URL                                                                                                                                                                         |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Account analytics | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22account\_analytics%22%2C%22type%22%3A%22read%22%7D%5D&name=Account%20Analytics%20Token |
| Zone analytics    | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%5D&name=Zone%20Analytics%20Token             |

### Zero Trust administration

Create tokens for Cloudflare Zero Trust management.

#### User token

| Use case                 | Template URL                                                                                                                                                                                                                                                 |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Access applications read | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Access%20Read%20Token                                                                        |
| Access full management   | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22access\_acct%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Access%20Management%20Token |

#### Account token

| Use case                 | Template URL                                                                                                                                                                                                                              |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Access applications read | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22read%22%7D%5D&name=Access%20Read%20Token                                                                        |
| Access full management   | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22access\_acct%22%2C%22type%22%3A%22edit%22%7D%5D&name=Access%20Management%20Token |

## Best practices

Follow these guidelines when creating and sharing template URLs.

* Principle of least privilege: Only request the minimum permissions necessary for your use case. This reduces security risks if a token is compromised.
* Use descriptive token names: Include clear, descriptive names in your template URLs to help users understand the token's purpose.
* Document token usage: Provide clear documentation about what each token is used for and how to revoke it when no longer needed.
* Regular token rotation: Encourage users to regularly rotate tokens and review permissions.
* Test before sharing: Always test template URLs in a staging environment before sharing them with users.

## Troubleshooting

Review the list of common issues and solutions.

| Issue                             | Solution                                                  |
| --------------------------------- | --------------------------------------------------------- |
| URL does not pre-fill permissions | Verify the JSON is properly URL-encoded                   |
| Permissions are missing           | Check permission keys in the reference table              |
| Token name does not appear        | Ensure the name parameter is URL-encoded                  |
| Access denied error               | Verify the user has required permissions in their account |

Additionally, review the checklist before sharing a template URL.

* All permission keys are correct
* JSON syntax is valid
* URL encoding is proper
* Token name is descriptive
* Permissions follow least privilege principle

## Related resources

* [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/)
* [Create API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/)
* [Account API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/)
* [API authentication](https://developers.cloudflare.com/fundamentals/api/how-to/make-api-calls/)


---

---
title: Control API Access
description: Super administrators of an Enterprise account are capable of selectively scoping the API access. API access can be restricted for the entire account or only for specified account members.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Control API Access

Super administrators of an Enterprise account can selectively scope API access. API access can be restricted for the entire account or only for specified account members.

Note that the feature does not disable API calls not related to the Enterprise account.

## Account-level access control

To restrict the API access for the entire account:

1. In the Cloudflare dashboard, go to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Locate the **Enable API Access** section and then update the setting.

## Member-level access control

Note

Member-level settings will override the account-level setting. If a specific member has API access enabled whereas the account has the access disabled, that member can still call APIs related to the Enterprise account.

To restrict the API access for a specific member:

1. In the Cloudflare dashboard, go to the **Members** page.  
[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members)
2. Select the member to expand their details and choose the intended **API Access**. If you choose `Account Default`, the member follows the account-level setting.


---

---
title: Create tokens via API
description: Learn how to create API tokens via Cloudflare's API. Follow steps to define access policies, set restrictions, and generate tokens securely.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Create tokens via API

Generate new API tokens on the fly via the API. Before you can do this, you must create an API token in the Cloudflare dashboard that can create subsequent tokens.

Note

The API Token Template [**Create additional tokens**](https://developers.cloudflare.com/fundamentals/api/reference/template/) must be used to generate the token. The option for **API Tokens::Edit** is not available in any other template or in the Custom Token builder.

## Generating the initial token

Before you can create tokens via the API, you need to [generate the initial token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) via the Cloudflare dashboard.

Warning

The token secret is **only shown once**. Do not store the secret in plaintext where others can access it. Anyone with this token can perform the authorized actions against the resources that the token has access to.

### Recommendations

Cloudflare highly recommends that you do not grant other permissions to the token when using this template. Make sure you safeguard the new token because it can create tokens with access to any of a user's resources.

Cloudflare also recommends limiting the use of the token via client IP address filtering or TTL to reduce the potential for abuse in the event that the token is compromised. Refer to [Restrict token use](https://developers.cloudflare.com/fundamentals/api/how-to/restrict-tokens/) for more information.

## Creating API tokens with the API

You can create a user owned token or account owned token to use with the API. Refer to the [user owned token](https://developers.cloudflare.com/api/resources/user/subresources/tokens/methods/create/) or the [account owned token](https://developers.cloudflare.com/api/resources/accounts/subresources/tokens/methods/create/) API schema docs for more information.

To create a token:

1. Define the policy.
2. Define the restrictions.
3. Create the token.

### 1\. Define the Access Policy

An Access Policy defines what resources the token can act on and what permissions the token has to those resources. This process is similar to how you [create tokens in the Cloudflare dashboard](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/).

Each token can contain multiple policies.

```
[
  {
    "id": "f267e341f3dd4697bd3b9f71dd96247f",
    "effect": "allow",
    "resources": {
      "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*",
      "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*"
    },
    "permission_groups": [
      {
        "id": "c8fed203ed3043cba015a93ad1616f1f",
        "name": "Zone Read"
      },
      {
        "id": "82e64a83756745bbbb1c9c2701bf816b",
        "name": "DNS Read"
      }
    ]
  }
]
```

| Field              | Description                                                                                                                                                                                                                         |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| id                 | Unique read-only identifier for the policy generated after creation.                                                                                                                                                                |
| effect             | Defines whether this policy is allowing or denying access. If only creating one policy, use allow. The evaluation order for policies is as follows: 1\. Explicit DENY Policies; 2\. Explicit ALLOW Policies; 3\. Implicit DENY ALL. |
| resources          | Defines what resources are allowed to be configured.                                                                                                                                                                                |
| permission\_groups | Defines what permissions the policy grants to the included resources.                                                                                                                                                               |

#### Resources

API token policies support three resource types: `User`, `Account`, and `Zone`.

Note

Fetch each object's ID by calling the appropriate `GET <object>` API. Refer to [User](https://developers.cloudflare.com/api/resources/user/methods/get/), [Account](https://developers.cloudflare.com/api/resources/accounts/methods/list/), and [Zone](https://developers.cloudflare.com/api/resources/zones/methods/list/) documentation for more details.

##### Account

Include a single account or all accounts in a token policy.

* A **single account** is denoted as: `"com.cloudflare.api.account.<ACCOUNT_ID>": "*"`
* **All accounts** is denoted as: `"com.cloudflare.api.account.*": "*"`

##### Zone

Include a **single zone**, **all zones in an account**, or **all zones in all accounts** in a token policy.

* A **single zone** is denoted as: `"com.cloudflare.api.account.zone.<ZONE_ID>": "*"`
* **All zones in an account** are denoted as: `"com.cloudflare.api.account.<ACCOUNT_ID>": {"com.cloudflare.api.account.zone.*": "*"}`
* **All zones in all accounts** is denoted as: `"com.cloudflare.api.account.zone.*": "*"`

##### User

For user resources, you can only reference yourself, which is denoted as: `"com.cloudflare.api.user.<USER_TAG>": "*"`

#### Permission groups

Add permission groups to the API token by specifying their `id` values. We recommend using `id` as the key for interacting with Cloudflare APIs; the permission `name` is cosmetic and subject to change. Permission groups are scoped to specific resources (user, account, or zone), so a permission group in a policy will only apply to the resource type it is scoped for.

To fetch all available permission groups and their IDs, use the [List permission groups](https://developers.cloudflare.com/api/resources/user/subresources/tokens/subresources/permission%5Fgroups/methods/list/) endpoint:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `API Tokens Write`
* `API Tokens Read`

List Token Permission Groups

```
curl "https://api.cloudflare.com/client/v4/user/tokens/permission_groups" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

```
{
  "result": [
    {
      "id": "19637fbb73d242c0a92845d8db0b95b1",
      "name": "AI Crawl Control Read",
      "description": "Grants access to reading AI Crawl Control",
      "scopes": [
        "com.cloudflare.api.account.zone"
      ]
    },
    {
      "id": "1ba6ab4cacdb454b913bbb93e1b8cb8c",
      "name": "AI Crawl Control Write",
      "description": "Grants access to reading and editing AI Crawl Control",
      "scopes": [
        "com.cloudflare.api.account.zone"
      ]
    },
    // (...)
  ]
}
```

### 2\. Define the restrictions

Set up any limitations on how the token can be used. API tokens allow restrictions for client IP address filtering and TTLs. Refer to [Restrict token use](https://developers.cloudflare.com/fundamentals/api/how-to/restrict-tokens/) for more information.

When defining TTLs, you can set the time at which a token becomes active with `not_before` and the time when it expires with `expires_on`. Both of these fields take UTC timestamps in the following format: `"2018-07-01T05:20:00Z"`.

Limit usage of a token by client IP address filters with the following object:

```
{
  "request.ip": {
    "in": ["199.27.128.0/21", "2400:cb00::/32"],
    "not_in": ["199.27.128.0/21", "2400:cb00::/32"]
  }
}
```

Each parameter in the `in` and `not_in` objects must be in CIDR notation. For example, use `192.168.0.1/32` to specify a single IP address.

### 3\. Create the token

Combine the previous information to create a token as in the following example:

**Account token**

```
curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/tokens" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "readonly token",
  "policies": [
    {
      "effect": "allow",
      "resources": {
        "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*",
        "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*"
      },
      "permission_groups": [
        {
          "id": "c8fed203ed3043cba015a93ad1616f1f",
          "name": "Zone Read"
        },
        {
          "id": "82e64a83756745bbbb1c9c2701bf816b",
          "name": "DNS Read"
        }
      ]
    }
  ],
  "not_before": "2020-04-01T05:20:00Z",
  "expires_on": "2020-04-10T00:00:00Z",
  "condition": {
    "request.ip": {
      "in": [
        "199.27.128.0/21",
        "2400:cb00::/32"
      ],
      "not_in": [
        "199.27.128.1/32"
      ]
    }
  }
}'
```

**User token**

```
curl "https://api.cloudflare.com/client/v4/user/tokens" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "name": "readonly token",
  "policies": [
    {
      "effect": "allow",
      "resources": {
        "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*",
        "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*"
      },
      "permission_groups": [
        {
          "id": "c8fed203ed3043cba015a93ad1616f1f",
          "name": "Zone Read"
        },
        {
          "id": "82e64a83756745bbbb1c9c2701bf816b",
          "name": "DNS Read"
        }
      ]
    }
  ],
  "not_before": "2020-04-01T05:20:00Z",
  "expires_on": "2020-04-10T00:00:00Z",
  "condition": {
    "request.ip": {
      "in": [
        "199.27.128.0/21",
        "2400:cb00::/32"
      ],
      "not_in": [
        "199.27.128.1/32"
      ]
    }
  }
}'
```
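A pre-flight check for a token request body built from steps 1 to 3, run before the request is sent. This is an added example, not part of Cloudflare's documentation or tooling: the function names, the scopes in `CATALOG` (in practice taken from the List permission groups response) and `BROAD_REQUEST` are constructed for illustration.

```python
import ipaddress
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp form given on the page
ZONE = "com.cloudflare.api.account.zone"
ACCOUNT = "com.cloudflare.api.account"
USER = "com.cloudflare.api.user"


def resource_scope(key):
    """Return (scope, is_wildcard) for a resource key, or (None, False)."""
    for scope in (ZONE, USER, ACCOUNT):  # ZONE first: it shares ACCOUNT's prefix
        if key.startswith(scope + "."):
            return scope, key[len(scope) + 1:] == "*"
    return None, False


def lint_policy(policy, catalog):
    """Check one policy; catalog maps permission group id to its scopes."""
    findings, scopes = [], set()
    for key, value in policy.get("resources", {}).items():
        scope, wildcard = resource_scope(key)
        if scope is None:
            findings.append(f"unrecognised resource key {key}")
        elif isinstance(value, dict):  # nested form: all zones in one account
            scopes.update(s for s, _ in map(resource_scope, value) if s)
        else:
            scopes.add(scope)
            if wildcard:
                findings.append(f"wildcard resource {key}")
    for group in policy.get("permission_groups", []):
        group_scopes = catalog.get(group["id"])
        if group_scopes is None:
            findings.append(f"unknown permission group id {group['id']}")
        elif not scopes & set(group_scopes):
            findings.append(f"permission group {group['id']} matches no resource type here")
    return findings


def lint_ttl(payload):
    """Check not_before / expires_on format, presence and ordering."""
    findings, parsed = [], {}
    for field in ("not_before", "expires_on"):
        if field in payload:
            try:
                parsed[field] = datetime.strptime(payload[field], TS_FORMAT)
            except (ValueError, TypeError):
                findings.append(f"{field} is not in the form 2018-07-01T05:20:00Z")
    if "expires_on" not in payload:
        findings.append("no expires_on: token does not expire")
    if len(parsed) == 2 and parsed["expires_on"] <= parsed["not_before"]:
        findings.append("expires_on is not after not_before")
    return findings


def lint_ip_condition(payload):
    """Check that request.ip entries are CIDR and that not_in carves out of in."""
    findings, nets = [], {"in": [], "not_in": []}
    cond = payload.get("condition", {}).get("request.ip", {})
    for side in nets:
        for cidr in cond.get(side, []):
            try:
                if "/" not in cidr:
                    raise ValueError("prefix length missing")
                nets[side].append(ipaddress.ip_network(cidr, strict=False))
            except (ValueError, TypeError):
                findings.append(f"{side} entry {cidr} is not valid CIDR")
    if not nets["in"]:
        return findings + ["no request.ip in filter: token usable from any address"]
    for deny in nets["not_in"]:
        same = [allow for allow in nets["in"] if allow.version == deny.version]
        if any(allow.subnet_of(deny) for allow in same):
            findings.append(f"not_in {deny} excludes an entire in range")
        elif not any(deny.subnet_of(allow) for allow in same):
            findings.append(f"not_in {deny} is outside every in range")
    return findings


def lint_token_request(payload, catalog):
    """Run every check over a token creation body and return the findings."""
    findings = []
    for index, policy in enumerate(payload.get("policies", [])):
        findings += [f"policies[{index}]: {f}" for f in lint_policy(policy, catalog)]
    return findings + lint_ttl(payload) + lint_ip_condition(payload)


# Permission group ids as they appear on the page; their scopes are assumed here.
ZONE_READ, DNS_READ = "c8fed203ed3043cba015a93ad1616f1f", "82e64a83756745bbbb1c9c2701bf816b"
CATALOG = {ZONE_READ: [ZONE], DNS_READ: [ZONE]}  # constructed
BROAD_REQUEST = {  # constructed: deliberately loose, to trigger the findings
    "policies": [{"effect": "allow", "resources": {ACCOUNT + ".*": "*"},
                  "permission_groups": [{"id": ZONE_READ}]}],
    "not_before": "2020-04-01 05:20",
    "condition": {"request.ip": {"in": ["192.168.0.0/24", "192.168.0.1"],
                                 "not_in": ["10.0.0.0/8", "192.168.0.0/16"]}},
}

if __name__ == "__main__":
    for finding in lint_token_request(BROAD_REQUEST, CATALOG):
        print(finding)
```

The scope check follows the page's statement that a permission group only applies to the resource type it is scoped for; an empty result means no finding, not that the token is appropriately scoped for its purpose.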


---

---
title: Make API calls
description: Learn how to make API calls using Cloudflare's API with step-by-step instructions for Windows, including using curl and PowerShell, and handling JSON.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Make API calls

Once you [create your API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/), all API requests are authorized in the same way. Cloudflare uses the [RFC standard ↗](https://tools.ietf.org/html/rfc6750#section-2.1) `Authorization: Bearer <API_TOKEN>` interface. An example request is shown below.

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
--header "Authorization: Bearer YQSn-xWAQiiEh9qM58wZNnyQS7FUdoqGIUAbrh7T"
```

Never send or store your API token secret in plaintext. Also be sure not to check it into code repositories, especially public ones.

Consider defining [environment variables](#environment-variables) for the zone or account ID, as well as for authentication credentials (for example, the API token).

To format JSON output for readability in the command line, you can use a tool like `jq`, a command-line JSON processor. For more information on obtaining and installing `jq`, refer to [Download jq ↗](https://stedolan.github.io/jq/download/).

The following example will format the curl JSON output using `jq`:

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq .
```

## Using Cloudflare's APIs

Every Cloudflare API element is fixed to a version number. The latest version is Version 4. The stable base URL for all Version 4 HTTPS endpoints is: `https://api.cloudflare.com/client/v4/`

For specific guidance on making API calls, refer to the following resources:

* The product's [Developer Docs section](https://developers.cloudflare.com/directory/) for how-to guides.
* [API schema docs](https://developers.cloudflare.com/api/) for request and response payloads for each endpoint.
* The first-party libraries for [Go ↗](https://github.com/cloudflare/cloudflare-go), [TypeScript ↗](https://github.com/cloudflare/cloudflare-typescript), [Python ↗](https://github.com/cloudflare/cloudflare-python), or [HashiCorp's Terraform ↗](https://github.com/cloudflare/terraform-provider-cloudflare).

## Query parameters

Several Cloudflare endpoints have optional query parameters to filter incoming results, such as [List Zones](https://developers.cloudflare.com/api/resources/zones/methods/list/).

When adding those query parameters, make sure you enclose the URL in double quotes `""` (just like the header values), or the API call might error.

```
curl "https://api.cloudflare.com/client/v4/zones?account.id=$ACCOUNT_ID" \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

You can enclose strings using either single quotes (`''`) or double quotes (`""`). However, using single quotes prevents variable substitution in shells like `bash`. In the previous example, this would mean that the `$ACCOUNT_ID` and `$CLOUDFLARE_API_TOKEN` [environment variables](#environment-variables) would not be replaced with their values.

### Pagination

Sometimes there are too many results to display with the default page size. For example, you might receive the following:

```
"count": 1,
"page": 1,
"per_page": 20,
"total_count": 200,
```

Two query parameter options exist, which can be combined to paginate across the results.

* `page=x` enables you to select a specific page.
* `per_page=xx` enables you to adjust the number of results displayed on a page. If you select too many, you may get a timeout.

An example might be `https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?per_page=100&page=2`.

Other options are:

* `order`: Select the attribute to order by.
* `direction`: Either `ASC` (ascending order) or `DESC` (descending order).

The available options will be listed at the end of the `result_info` of all endpoints in the [API documentation](https://developers.cloudflare.com/api/).
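An inventory or audit script that reads only the first page silently misses records, so the loop below walks `page` and `per_page` until `result_info.total_count` is reached. It is an added example, not Cloudflare's client code: `fetch_all`, `page_url` and the `fake_api` transport are hypothetical names, and the records are constructed so the block runs offline.

```python
from urllib.parse import parse_qs, urlencode, urlparse

API_BASE = "https://api.cloudflare.com/client/v4"


def page_url(path, page, per_page, filters=None):
    """Build a paginated URL; urlencode escapes the filter values."""
    query = urlencode({**(filters or {}), "per_page": per_page, "page": page})
    return f"{API_BASE}{path}?{query}"


def fetch_all(get_json, path, per_page=100, filters=None, max_pages=1000):
    """Collect every result by walking pages until total_count is reached.

    get_json(url) must return the parsed response envelope; plug in a real
    HTTP call that sends the Authorization header.
    """
    items = []
    for page in range(1, max_pages + 1):
        body = get_json(page_url(path, page, per_page, filters))
        if not body.get("success"):
            raise RuntimeError(f"API error on page {page}: {body.get('errors')}")
        batch = body.get("result") or []
        items.extend(batch)
        total = (body.get("result_info") or {}).get("total_count")
        # Stop on an empty page too, in case total_count is absent.
        if not batch or (total is not None and len(items) >= total):
            return items
    raise RuntimeError("max_pages reached; the listing may be incomplete")


def fake_api(records):
    """Constructed stand-in for the HTTP call, returning the envelope fields
    (result, result_info.page/per_page/count/total_count) shown on the page."""
    calls = []

    def get_json(url):
        calls.append(url)
        query = parse_qs(urlparse(url).query)
        page, per_page = int(query["page"][0]), int(query["per_page"][0])
        chunk = records[(page - 1) * per_page: page * per_page]
        return {"success": True, "errors": [], "result": chunk,
                "result_info": {"page": page, "per_page": per_page,
                                "count": len(chunk), "total_count": len(records)}}

    get_json.calls = calls
    return get_json


if __name__ == "__main__":
    sample = [{"id": f"rec{i}"} for i in range(45)]  # constructed records
    api = fake_api(sample)
    found = fetch_all(api, "/zones/ZONE_ID_PLACEHOLDER/dns_records", per_page=20)
    print(len(found), "records in", len(api.calls), "requests")
```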

## Making API calls on Windows

Recent versions of Windows 10 and 11 [already include the curl tool ↗](https://curl.se/windows/microsoft.html) used in the developer documentation's API examples. If you are using a different Windows version, refer to [Windows downloads ↗](https://curl.se/windows/) on the curl website for more information on obtaining and installing this tool.

### Using a Command Prompt window

To use the Cloudflare API with curl on a Command Prompt window, you must use double quotes (`"`) as string delimiters.

A typical `PATCH` request will be similar to the following:

```
C:\>curl --request PATCH "https://api.cloudflare.com/client/v4/user/invites/{id}" --header "X-Auth-Email: <EMAIL>" --header "X-Auth-Key: <API_KEY>" --data "{""status"": ""accepted""}"
```

To escape a double quote character in a request body (for example, a body specified with `-d` or `--data` in a `POST`/`PATCH` request), prepend it with another double quote (`"`) or a backslash (`\`) character.

To break a single command in two or more lines, use `^` as the line continuation character at the end of a line:

```
C:\>curl --request PATCH ^
"https://api.cloudflare.com/client/v4/user/invites/{id}" ^
--header "X-Auth-Email: <EMAIL>" ^
--header "X-Auth-Key: <API_KEY>" ^
--data "{""status"": ""accepted""}"
```

### Using PowerShell

Note

Cloudflare recommends that you use the most recent stable or preview version of PowerShell. For more information, refer to [Installing PowerShell on Windows ↗](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows).

PowerShell has specific cmdlets (`Invoke-RestMethod` and `ConvertFrom-Json`) for making REST API calls and handling JSON responses. The syntax for these cmdlets is different from the curl examples provided in the developer documentation.

The following example uses the `Invoke-RestMethod` cmdlet:

PowerShell

```
Invoke-RestMethod -URI "https://api.cloudflare.com/client/v4/zones/$Env:ZONE_ID/ssl/certificate_packs?ssl_status=all" -Method 'GET' -Headers @{'X-Auth-Email'=$Env:CLOUDFLARE_EMAIL;'X-Auth-Key'=$Env:CLOUDFLARE_API_KEY}
```

```
result      : {@{id=78411cfa-5727-4dc1-8d4a-773d01f17c7c; type=universal; hosts=System.Object[];
              primary_certificate=c173c8a1-9724-4e96-a748-2c4494186098; status=active; certificates=System.Object[];
              created_on=2022-12-09T23:11:06.010263Z; validity_days=90; validation_method=txt;
              certificate_authority=lets_encrypt}}
result_info : @{page=1; per_page=20; total_pages=1; count=1; total_count=1}
success     : True
errors      : {}
messages    : {}
```

The command assumes that the environment variables `ZONE_ID`, `CLOUDFLARE_EMAIL`, and `CLOUDFLARE_API_KEY` have been previously defined. For more information, refer to [Environment variables](#environment-variables).

By default, the output will only contain the first level of the JSON object hierarchy (in the above example, the content of objects such as `hosts` and `certificates` is not shown). To show additional levels and format the output like the `jq` tool, you can use the `ConvertTo-Json` cmdlet specifying the desired maximum depth (by default, `2`):

PowerShell

```
Invoke-RestMethod -URI "https://api.cloudflare.com/client/v4/zones/$Env:ZONE_ID/ssl/certificate_packs?ssl_status=all" -Method 'GET' -Headers @{'X-Auth-Email'=$Env:CLOUDFLARE_EMAIL;'X-Auth-Key'=$Env:CLOUDFLARE_API_KEY} | ConvertTo-Json -Depth 5
```

```
{
  "result": [
    {
      "id": "78411cfa-5727-4dc1-8d4a-773d01f17c7c",
      "type": "universal",
      "hosts": ["*.example.com", "example.com"],
      "primary_certificate": "c173c8a1-9724-4e96-a748-2c4494186098",
      "status": "active",
      "certificates": [
        {
          "id": "c173c8a1-9724-4e96-a748-2c4494186098",
          "hosts": ["*.example.com", "example.com"],
          "issuer": "LetsEncrypt",
          "signature": "ECDSAWithSHA384",
          "status": "active",
          "bundle_method": "ubiquitous",
          "zone_id": "<ZONE_ID>",
          "uploaded_on": "2023-02-02T11:20:25.403338Z",
          "modified_on": "2022-12-08T00:26:15.577555Z",
          "expires_on": "2023-03-07T23:26:12.000000Z",
          "priority": null
        }
      ],
      "created_on": "2022-12-09T23:11:06.010263Z",
      "validity_days": 90,
      "validation_method": "txt",
      "certificate_authority": "lets_encrypt"
    }
  ]
  // (...)
}
```

ConvertFrom-Json handling of DateTime values

The `ConvertFrom-Json` cmdlet tries to convert strings formatted as timestamps to DateTime values, according to the exact format in the string. For details on this behavior, refer to the notes in the [ConvertFrom-Json ↗](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-json#notes) documentation.

You can also use the curl tool in PowerShell. However, in PowerShell `curl` is an alias to the `Invoke-WebRequest` cmdlet, which supports a different syntax from the usual curl tool. To use curl, enter `curl.exe` instead.

A typical `PATCH` request with curl will be similar to the following:

PowerShell

```
curl.exe --request PATCH "https://api.cloudflare.com/client/v4/user/invites/{id}" --header "Authorization: Bearer $Env:CLOUDFLARE_API_TOKEN" --data '{\"status\": \"accepted\"}'
```

To escape a double quote (`"`) character in a request body (specified with `-d` or `--data`), prepend it with another double quote (`"`) or a backslash (`\`). You must escape double quotes even when using single quotes (`'`) as string delimiters.

To break a single command in two or more lines, use a backtick (`` ` ``) character as the line continuation character at the end of a line:

PowerShell

```
curl.exe --request PATCH `
"https://api.cloudflare.com/client/v4/user/invites/{id}" `
--header "X-Auth-Email: $Env:CLOUDFLARE_EMAIL" `
--header "X-Auth-Key: $Env:CLOUDFLARE_API_KEY" `
--data '{\"status\": \"accepted\"}'
```

## Environment variables

You can define environment variables for values that repeat between commands, such as the zone or account ID. The lifetime of an environment variable can be the current shell session, all future sessions of the current user, or even all future sessions of all users on the machine where you define them.

You can also use environment variables for keeping authentication credentials (API token, API key, and email) and reusing them in different commands. However, make sure you define these values in the smallest possible scope (either the current shell session only or all new sessions for the current user).

The procedure for setting and referencing environment variables depends on your platform and shell.

### Define an environment variable

**Linux and macOS**

To define a `ZONE_ID` environment variable for the current shell session, run the following command:

```
export ZONE_ID='f2ea6707005a4da1af1b431202e96ac5'
```

To define the variable for all new shell sessions for the current user, add the command above at the end of your shell configuration file (for example, `~/.bashrc` for the `bash` shell and `~/.zshrc` for the `zsh` shell).

**PowerShell**

To define a `ZONE_ID` environment variable for the current PowerShell session, run the following command:

```
$Env:ZONE_ID='f2ea6707005a4da1af1b431202e96ac5'
```

To define the environment variable for all new PowerShell sessions of the current user, set the variable in your PowerShell profile. You can get the path to your PowerShell profile by running `echo $PROFILE`.

Alternatively, set the variable for all new PowerShell sessions of the current user using the `SetEnvironmentVariable()` method of the `System.Environment` class. For example:

PowerShell

```
[Environment]::SetEnvironmentVariable("ZONE_ID", "f2ea6707005a4da1af1b431202e96ac5", "User")
```

Running this command will not affect the current session. You will need to close and start a new PowerShell session.

**Windows Command Prompt**

To define a `ZONE_ID` environment variable for the current Command Prompt session, run the following command:

```
set ZONE_ID=f2ea6707005a4da1af1b431202e96ac5
```

To define an environment variable for all future Command Prompt sessions of the current user, run the following command:

```
setx ZONE_ID f2ea6707005a4da1af1b431202e96ac5
```

Running this command will not affect the current window. You will need to either run the `set` command or close and start a new Command Prompt window.

### Reference an environment variable

**Linux and macOS**

When referencing an environment variable in a command, add a `$` prefix to the variable name (for example, `$ZONE_ID`). Make sure that the full string referencing the variable is either unquoted (if it does not contain spaces) or enclosed in double quotes (`""`).

For example:

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

**PowerShell**

When referencing an environment variable in a command, add an `$Env:` prefix to the variable name (for example, `$Env:ZONE_ID`). Make sure that the full string referencing the variable is either unquoted or enclosed in double quotes (`""`).

For example:

```
Invoke-RestMethod -URI "https://api.cloudflare.com/client/v4/zones/$Env:ZONE_ID" -Method 'GET' -Headers @{'Authorization'="Bearer $Env:CLOUDFLARE_API_TOKEN"}
```

**Windows Command Prompt**

When referencing an environment variable in a command, enclose the variable name in `%` characters (for example, `%ZONE_ID%`).

For example:

```
curl "https://api.cloudflare.com/client/v4/zones/%ZONE_ID%" --header "Authorization: Bearer %CLOUDFLARE_API_TOKEN%"
```


---

---
title: Restrict tokens
description: API tokens can be restricted at runtime in two ways:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Restrict tokens

API tokens can be restricted at runtime in two ways:

* [Client IP address range filtering](#client-ip-address-range-filtering)
* [Time To Live (TTL) constraints](#time-to-live-ttl-constraints)

## Client IP address range filtering

Client IP address restrictions control which IP addresses can make API requests with this token. By default, if no filtering is applied, all IP addresses can use the token. Once an `Is in` rule is applied, the token can only be used from the defined IP addresses. Define ranges with [CIDR notation ↗](https://en.wikipedia.org/wiki/Classless%5FInter-Domain%5FRouting#CIDR%5Fnotation). To allow an IP range with exceptions, define `Is not in` to exempt specific IPs or smaller ranges.

![IP Address filtering options](https://developers.cloudflare.com/_astro/ip-filter.DbEuurVj_Z2cXw3S.webp) 

Note

Client IP address range filtering is not applied to the [Verify Token ↗](https://developers.cloudflare.com/api/resources/user/subresources/tokens/methods/verify/) endpoint.

## Time to live (TTL) constraints

By default, tokens do not expire and are long lived. Defining a TTL sets when a token starts being valid and when a token is no longer valid. This is often referred to as `notBefore` and `notAfter`. Setting these timestamps limits the lifetime of the token to the defined period. Not setting the start date or `notBefore` means the token is active as soon as it is created. Not setting the end date or `notAfter` means the token does not expire.

Note

Dates selected are defined as 00:00 UTC of that day. For finer grained time selection, use the [API](https://developers.cloudflare.com/fundamentals/api/).

![Time to Live selection calendar](https://developers.cloudflare.com/_astro/ttl.6XWjuAt__XSIyS.webp) 
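A model of how the two restrictions combine for a single request, useful when reviewing where a token was actually used. This is an added example, not Cloudflare's implementation: it uses the API field names `in`, `not_in`, `not_before` and `expires_on` from the token creation body, and it assumes `expires_on` is exclusive and that the TTL still applies to Verify Token calls. The function names and the events are constructed.

```python
import ipaddress
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(stamp):
    """Parse a UTC timestamp such as 2018-07-01T05:20:00Z."""
    return datetime.strptime(stamp, TS_FORMAT).replace(tzinfo=timezone.utc)


def token_usable(token, client_ip, when, is_verify_call=False):
    """Return (allowed, reason) for one request under the token's restrictions."""
    if "not_before" in token and when < parse_utc(token["not_before"]):
        return False, "before not_before"
    if "expires_on" in token and when >= parse_utc(token["expires_on"]):
        return False, "expired"  # assumption: the end of the window is exclusive
    if is_verify_call:
        # The page notes that IP filtering is not applied to Verify Token.
        return True, "ok (IP filter not applied to Verify Token)"
    cond = token.get("condition", {}).get("request.ip", {})
    address = ipaddress.ip_address(client_ip)

    def matches(cidrs):
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(address in ipaddress.ip_network(c, strict=False) for c in cidrs)

    if matches(cond.get("not_in", [])):
        return False, "address is in a not_in range"
    if cond.get("in") and not matches(cond["in"]):
        return False, "address is outside every in range"
    return True, "ok"  # no filter defined means every address is accepted


def audit_usage(token, events):
    """Return (time, ip, reason) for each event the restrictions would reject."""
    rejected = []
    for event in events:
        allowed, reason = token_usable(
            token, event["ip"], parse_utc(event["time"]), event.get("verify", False))
        if not allowed:
            rejected.append((event["time"], event["ip"], reason))
    return rejected


TOKEN = {  # restriction values taken from the token creation example
    "not_before": "2020-04-01T05:20:00Z",
    "expires_on": "2020-04-10T00:00:00Z",
    "condition": {"request.ip": {"in": ["199.27.128.0/21", "2400:cb00::/32"],
                                 "not_in": ["199.27.128.1/32"]}},
}
EVENTS = [  # constructed request records
    {"time": "2020-04-01T05:00:00Z", "ip": "199.27.128.10"},
    {"time": "2020-04-02T10:00:00Z", "ip": "199.27.128.10"},
    {"time": "2020-04-02T10:01:00Z", "ip": "199.27.128.1"},
    {"time": "2020-04-02T10:02:00Z", "ip": "203.0.113.7"},
    {"time": "2020-04-02T10:03:00Z", "ip": "2400:cb00:1::5"},
    {"time": "2020-04-02T10:04:00Z", "ip": "203.0.113.7", "verify": True},
    {"time": "2020-04-10T00:00:00Z", "ip": "199.27.128.10"},
]

if __name__ == "__main__":
    for row in audit_usage(TOKEN, EVENTS):
        print(*row)
```

A successful Verify Token call from an address outside the `in` ranges is expected behaviour under this model, so it should not be read as evidence that the IP filter is missing.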


---

---
title: Roll tokens
description: If your token is lost or compromised, you can either create a new token or roll your token to generate a new secret. Rolling your API token into a new one will invalidate the previous token, but the access and permissions will be the same as the previous API token.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Roll tokens

If your token is lost or compromised, you can either create a new token or roll your token to generate a new secret. Rolling your API token into a new one will invalidate the previous token, but the access and permissions will be the same as the previous API token.

To roll your API token:

1. Log in to the Cloudflare dashboard.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. Go to **My Profile** \> **API Tokens**.
3. Next to the API token you want to roll, select the **three dot icon** \> **Roll**.
4. Select **Confirm** to generate a new API token.


---

---
title: API deprecations
description: Cloudflare occasionally makes updates to our APIs that result in behavior changes or deprecations. When this happens, we will communicate when the API will no longer be available and whether there will be a replacement.
image: https://developers.cloudflare.com/core-services-preview.png
---


# API deprecations

Cloudflare occasionally makes updates to our APIs that result in behavior changes or deprecations. When this happens, we will communicate when the API will no longer be available and whether there will be a replacement.

Note

Subscribe to all API deprecation posts via [RSS](https://developers.cloudflare.com/fundamentals/api/reference/deprecations/index.xml).


## 2026-03-19

**Service Key Authentication**

Deprecation date: March 19, 2026

End of life date: September 30, 2026

Service Key authentication for the Cloudflare API is deprecated and will be removed on September 30, 2026. [API Tokens](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) are capable of providing all functionality of Service Keys, with additional support for fine-grained permission scoping, expiration, and IP address restrictions.

Deprecated behavior:

* Authenticating API requests using the `X-Auth-User-Service-Key` header.
* Generating new Service Keys via the Cloudflare dashboard or API. The ability to generate new Service Keys from the Dashboard will be removed soon.

Replacement:

* [Create an API Token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with the appropriate permissions for your use case. API Tokens support fine-grained scoping, expiration, and revocation.

Users of `cloudflared` should ensure they are running a version from November 2022 or later, which uses API Tokens instead of Service Keys. Users of [origin-ca-issuer](https://github.com/cloudflare/origin-ca-issuer) should update to a version that supports API Token authentication.

## 2026-01-23

**DNS Record Type Updates via API**

Deprecation date: January 23, 2026

End of life date: June 30, 2026

Changing the type of an existing DNS record via the API is deprecated and will no longer be supported after June 30, 2026.

Changing a DNS record's type is not a natural update operation and typically also requires changing the record's content. Updates to attributes such as name, TTL, or content are common and safe, but changing the record type introduces additional validation complexity and consistency risks.

To align with correct DNS semantics and reduce operational risk, Cloudflare is deprecating support for in-place DNS record type changes. This behavior already exists in the Terraform v5 provider, where record type changes result in a delete and recreate operation rather than an update.

Deprecated behavior:

* Using the [DNS Records API](https://developers.cloudflare.com/api/resources/dns/subresources/records/) to change the type of an existing record.

Replacement behavior:

* [Delete the existing DNS record](https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/delete/) and [Create a new DNS record](https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/create/) with the desired type and content.  
`DELETE /zones/{zone_id}/dns_records/{dns_record_id}`  
`POST /zones/{zone_id}/dns_records`
* Use the [Batch DNS records](https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/batch/) API to perform both operations in a single request.  
`POST /zones/{zone_id}/dns_records/batch`

Customers and integrations that rely on in-place record type updates must migrate to a delete-and-recreate workflow before June 30, 2026 to ensure uninterrupted service. After this date, attempts to change a record's type via update operations will no longer be supported.
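The delete-and-recreate workflow described above, as an added example (not Cloudflare's code): it compares an existing record with the desired state and emits either an in-place `PATCH` or a delete-and-create plan. The function name, the refusal to reuse old content on a type change, and the `deletes`/`posts` keys of the batch body are assumptions of this example; confirm the body shape against the Batch DNS records reference.

```python
"""Plan a DNS record change without relying on in-place type updates."""

# Attributes the page names as common, safe in-place updates.
UPDATABLE = ("name", "ttl", "content")


def plan_record_change(zone_id, existing, desired, batch=True):
    """Return the API requests needed to move `existing` to `desired`.

    existing: record as read from the API; needs "id", "type" and "name".
    desired:  attributes to end up with; "type" may differ from the current one.
    Each request is a (method, path, body) tuple; body is None for DELETE.
    """
    base = f"/zones/{zone_id}/dns_records"
    new_type = desired.get("type", existing["type"])

    if new_type == existing["type"]:
        # Same type: send only the attributes that actually change.
        changes = {k: desired[k] for k in UPDATABLE
                   if k in desired and desired[k] != existing.get(k)}
        if not changes:
            return []
        return [("PATCH", f"{base}/{existing['id']}", changes)]

    # Type change: never PATCH/PUT the type. Old content rarely fits the new
    # type, so this example insists on explicit new content (example policy).
    if "content" not in desired:
        raise ValueError("a type change needs content valid for the new type")

    replacement = {
        "type": new_type,
        "name": desired.get("name", existing["name"]),
        "content": desired["content"],
    }
    ttl = desired.get("ttl", existing.get("ttl"))
    if ttl is not None:
        replacement["ttl"] = ttl

    if batch:
        # One request carrying both operations (body keys are an assumption).
        body = {"deletes": [{"id": existing["id"]}], "posts": [replacement]}
        return [("POST", f"{base}/batch", body)]

    # Two requests: the record does not exist between the DELETE and the POST.
    return [
        ("DELETE", f"{base}/{existing['id']}", None),
        ("POST", base, replacement),
    ]
```
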

## 2025-12-09

**Authoritative DNS and DNS Firewall Legacy Analytics**

Deprecation date: December 9, 2025

End of life date: December 1, 2026

The following REST APIs are deprecated and will reach their end of life on December 1, 2026.

* [DNS Analytics API](https://developers.cloudflare.com/api/resources/dns/subresources/analytics/)
* [DNS Firewall Analytics API](https://developers.cloudflare.com/api/resources/dns%5Ffirewall/subresources/analytics/)

All existing functionality is fully supported by Cloudflare's GraphQL Analytics API, which provides improved performance, flexibility, and long-term support. Integrations using the REST API need to be migrated to the new GraphQL API before December 1, 2026 in order to ensure uninterrupted service.

Deprecated APIs:

* `GET /zones/{zone_id}/dns_analytics/` (DNS Analytics API)
* `GET /accounts/{account_id}/dns_firewall/{dns_firewall_id}/dns_analytics/report` (DNS Firewall Analytics API)

Replacements:

* [GraphQL API for DNS Analytics](https://developers.cloudflare.com/dns/additional-options/analytics/#explore-with-the-api)
* [GraphQL API for DNS Firewall Analytics](https://developers.cloudflare.com/dns/dns-firewall/analytics/#graphql)

## 2025-11-11

**Zero Trust Devices**

End of life date: November 11, 2025

We are changing the definition of Devices. Devices will represent real-world machines, while the relationship between Users and Devices will be represented by a new concept: Registrations.

As a result, multiple fields are moving from Devices to Registrations, and we are deprecating the endpoints listed below.

The deprecated endpoints are not supported on accounts with [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/) enabled.

Deprecated API:

* `GET /accounts/{account_id}/devices`
* `GET /accounts/{account_id}/devices/{device_id}`
* `GET /accounts/{account_id}/devices/{device_id}/override_codes`
* `POST /accounts/{account_id}/devices/revoke`
* `POST /accounts/{account_id}/devices/unrevoke`

Replacement:

* `GET /accounts/{account_id}/devices/physical-devices`
* `GET /accounts/{account_id}/devices/physical-devices/{device_id}`
* `GET /accounts/{account_id}/devices/registrations`
* `GET /accounts/{account_id}/devices/registrations/{registration_id}`
* `GET /accounts/{account_id}/devices/registrations/{registration_id}/override_codes`
* `POST /accounts/{account_id}/devices/registrations/revoke`
* `POST /accounts/{account_id}/devices/registrations/unrevoke`

## 2025-11-03

**Cloudflare Mirage**

Deprecation date: November 2025

End of life date: January 2026

Following on from the [deprecation of Cloudflare Mirage](https://developers.cloudflare.com/speed/optimization/images/mirage/), the following API endpoints that manage Mirage settings are now deprecated and will be sunsetted in January 2026.

Deprecated APIs:

* `GET /zones/{zone_id}/settings/mirage`
* `PATCH /zones/{zone_id}/settings/mirage`

Affected APIs:

* `GET /zones/{zone_id}/pagerules/settings` \- Mirage will be removed from available settings.
* `POST /zones/{zone_id}/pagerules` \- Mirage parameter will be removed.
* `PATCH /zones/{zone_id}/pagerules/{rule_id}` \- Mirage parameter will be removed.
* `PUT /zones/{zone_id}/pagerules/{rule_id}` \- Mirage parameter will be removed.
* `GET /zones/{zone_id}/rulesets/{ruleset_id}` \- Mirage parameter in `set_config` action will be removed.
* `GET /zones/{zone_id}/rulesets/{ruleset_id}/versions/{version_id}` \- Mirage parameter in `set_config` action will be removed.
* `POST /zones/{zone_id}/rulesets` \- Mirage parameter in `set_config` action will be removed.
* `PUT /zones/{zone_id}/rulesets/{ruleset_id}` \- Mirage parameter in `set_config` action will be removed.
* `POST /zones/{zone_id}/rulesets/{ruleset_id}/rules` \- Mirage parameter in `set_config` action will be removed.
* `PATCH /zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}` \- Mirage parameter in `set_config` action will be removed.
* `GET /accounts/{account_id}/rulesets/{ruleset_id}` \- Mirage parameter in `set_config` action will be removed.
* `GET /accounts/{account_id}/rulesets/{ruleset_id}/versions/{version_id}` \- Mirage parameter in `set_config` action will be removed.
* `POST /accounts/{account_id}/rulesets` \- Mirage parameter in `set_config` action will be removed.
* `PUT /accounts/{account_id}/rulesets/{ruleset_id}` \- Mirage parameter in `set_config` action will be removed.
* `POST /accounts/{account_id}/rulesets/{ruleset_id}/rules` \- Mirage parameter in `set_config` action will be removed.
* `PATCH /accounts/{account_id}/rulesets/{ruleset_id}/rules/{rule_id}` \- Mirage parameter in `set_config` action will be removed.

## 2025-10-15

**Cloudflare Radar: Summary and Timeseries Groups Endpoints**

Deprecation date: October 15, 2025

End of life date: April 15, 2026

The Radar API currently has multiple summary and timeseries groups endpoints per dataset (for example, `/radar/http/summary/device_type` and `/radar/http/timeseries_groups/device_type`), which share nearly identical parameters and schema. To simplify the API and improve maintainability, these endpoints will be replaced with parameterized endpoints using a `{dimension}` path parameter.

Deprecated APIs:

* `GET /radar/http/summary/device_type`
* `GET /radar/http/summary/bot_class`
* `GET /radar/http/timeseries_groups/device_type`
* `GET /radar/http/timeseries_groups/bot_class`
* Other similar summary and timeseries groups endpoints for the following datasets: AI Bots, AI Inference, AS112, DNS, Email Routing, Email security, HTTP, Layer 3 Attacks, Layer 7 Attacks, Leaked Credential Checks

Replacements:

* `GET /radar/http/summary/{dimension}`
* `GET /radar/http/timeseries_groups/{dimension}`
* ...

Here, `{dimension}` is a required path parameter listing all available dimensions for the dataset.

For users calling the API directly (not via the Cloudflare SDK), no action is required. For users using the SDK, we recommend updating to the new operations to ensure compatibility after the operations are removed.

## 2025-07-01

**Cloudflare Radar: Verified Bots APIs**

Deprecation date: July 1, 2025

End of life date: January 1, 2026

The Radar Verified Bots API is now deprecated and will be replaced by the new Bots API.

Deprecated APIs:

* `GET /radar/verified_bots/top/bots`
* `GET /radar/verified_bots/top/categories`

Replacements:

* `GET /radar/bots/summary/bot`
* `GET /radar/bots/summary/category`

## 2025-07-01

**Cloudflare DWeb Resolver**

Deprecation date: July 1, 2025

The Cloudflare DWeb Resolver experiment is ending.

Deprecated APIs:

* DoH resolver on resolver.cloudflare-eth.com

## 2025-06-15

**Firewall Rules API and Filters API**

Deprecation date: June 15, 2025

The Firewall Rules API and the Filters API are deprecated, since Firewall Rules was deprecated in favor of [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/). Refer to [Firewall Rules upgrade](https://developers.cloudflare.com/waf/reference/legacy/firewall-rules-upgrade/) for more information about this change.

Deprecated APIs:

* `GET /zones/:zone_id/firewall/rules`
* `POST /zones/:zone_id/firewall/rules`
* `PATCH /zones/:zone_id/firewall/rules`
* `PUT /zones/:zone_id/firewall/rules`
* `DELETE /zones/:zone_id/firewall/rules`
* `GET /zones/:zone_id/firewall/rules/:rule_id`
* `PATCH /zones/:zone_id/firewall/rules/:rule_id`
* `PUT /zones/:zone_id/firewall/rules/:rule_id`
* `DELETE /zones/:zone_id/firewall/rules/:rule_id`
* `GET /zones/:zone_id/filters`
* `POST /zones/:zone_id/filters`
* `PUT /zones/:zone_id/filters`
* `DELETE /zones/:zone_id/filters`
* `GET /zones/:zone_id/filters/:filter_id`
* `PUT /zones/:zone_id/filters/:filter_id`
* `DELETE /zones/:zone_id/filters/:filter_id`

Replacement: [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/)

## 2025-06-15

**WAF managed rules APIs (previous version)**

Deprecation date: June 15, 2025

The APIs for managing WAF managed rules (previous version) — namely for managing packages, rule groups, rules, and overrides — are deprecated in favor of using the [Rulesets API](https://developers.cloudflare.com/ruleset-engine/rulesets-api/) for managing the new version of [WAF Managed Rules](https://developers.cloudflare.com/waf/managed-rules/). Refer to [WAF Managed Rules upgrade](https://developers.cloudflare.com/waf/reference/legacy/old-waf-managed-rules/upgrade/) for more information about this change.

Deprecated APIs:

* `GET /zones/:zone_id/firewall/waf/packages`
* `GET /zones/:zone_id/firewall/waf/packages/:package_id`
* `PATCH /zones/:zone_id/firewall/waf/packages/:package_id`
* `GET /zones/:zone_id/firewall/waf/packages/:package_id/groups`
* `GET /zones/:zone_id/firewall/waf/packages/:package_id/groups/:group_id`
* `PATCH /zones/:zone_id/firewall/waf/packages/:package_id/groups/:group_id`
* `GET /zones/:zone_id/firewall/waf/packages/:package_id/rules`
* `GET /zones/:zone_id/firewall/waf/packages/:package_id/rules/:rule_id`
* `PATCH /zones/:zone_id/firewall/waf/packages/:package_id/rules/:rule_id`
* `GET /zones/:zone_id/firewall/waf/overrides`
* `POST /zones/:zone_id/firewall/waf/overrides`
* `GET /zones/:zone_id/firewall/waf/overrides/:override_id`
* `PUT /zones/:zone_id/firewall/waf/overrides/:override_id`
* `DELETE /zones/:zone_id/firewall/waf/overrides/:override_id`

Replacement: [WAF Managed Rules](https://developers.cloudflare.com/waf/managed-rules/) (new version)

## 2025-06-15

**Rate Limiting API (previous version)**

Deprecation date: June 15, 2025

The Rate Limiting API is deprecated, in favor of using the [Rulesets API](https://developers.cloudflare.com/ruleset-engine/rulesets-api/) for managing the new [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/). Refer to [Rate limiting (previous version) upgrade](https://developers.cloudflare.com/waf/reference/legacy/old-rate-limiting/upgrade/) for more information about this change.

Deprecated API:

* `GET /zones/:zone_id/rate_limits`
* `POST /zones/:zone_id/rate_limits`
* `GET /zones/:zone_id/rate_limits/:rate_limit_id`
* `PUT /zones/:zone_id/rate_limits/:rate_limit_id`
* `DELETE /zones/:zone_id/rate_limits/:rate_limit_id`

Replacement: [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) (new version)

## 2025-06-08

**Zone Setting: cname\_flattening**

Deprecation date: June 8, 2025

The Zone Settings API endpoints for managing zone-level CNAME flattening are deprecated. Instead, use the [Show DNS Settings](https://developers.cloudflare.com/api/resources/dns/subresources/settings/subresources/zone/methods/get/) and [Update DNS Settings](https://developers.cloudflare.com/api/resources/dns/subresources/settings/subresources/zone/methods/edit/) endpoints to manage this setting.

Changes via the old endpoints will be reflected in the new ones, and vice versa, so there is no need to migrate existing zones. However, future API calls must use DNS Settings instead of the Zone Settings endpoints.

Note that, with the deprecated zone setting, values `"off"` and `"apex"` have the same behavior. These are represented as `{"flatten_all_cnames": false}` in the new API. The zone setting `"on"` corresponds to `{"flatten_all_cnames": true}` in the new API.

Affected APIs:

* `GET /zones/:zone_id/settings`
* `PATCH /zones/:zone_id/settings`

Deprecated APIs:

* `GET /zones/:zone_id/settings/cname_flattening`
* `PATCH /zones/:zone_id/settings/cname_flattening`

## 2025-03-23

**Eligible Zones For Account Custom Nameservers**

Deprecation date: March 23, 2025

Users can now add custom nameservers that are not part of a zone managed within their account. As a result, any zone is eligible for custom nameservers, regardless of whether it is managed by Cloudflare. Given this change, an endpoint to check for eligible zones is no longer relevant and is therefore being deprecated.

Deprecated APIs:

* `GET /accounts/:account_id/custom_ns/availability`

## 2025-03-20

**Cloudflare Radar: Attack top industry and vertical endpoints**

Deprecation date: March 20, 2025

End of life date: September 20, 2025

The `/top/industry` and `/top/vertical` attack endpoints are now deprecated and will be replaced by the corresponding summary endpoints.

Affected APIs:

* `GET /radar/attacks/layer3/top/industry`
* `GET /radar/attacks/layer3/top/vertical`
* `GET /radar/attacks/layer7/top/industry`
* `GET /radar/attacks/layer7/top/vertical`

Replacements:

* `GET /radar/attacks/layer3/summary/industry`
* `GET /radar/attacks/layer3/summary/vertical`
* `GET /radar/attacks/layer7/summary/industry`
* `GET /radar/attacks/layer7/summary/vertical`

## 2025-03-17

**Security Center: Security level and Threat Score are now automated**

Change date: March 17, 2025

Cloudflare now combines the IP address threat signal with threshold and botnet data, no longer requiring you to set a sensitivity level. Users will no longer be able to set Security level via the Cloudflare dashboard. However, users can still rely on the existing API or Terraform configuration to set a Security level.

If you are using threat score in rule expressions, you should review those expressions to make sure the rule still triggers when appropriate. Cloudflare will audit and migrate your configuration in the future to update any references to threat score. If you are using the Rulesets API or Terraform to push your configuration, you should review your scripts and pipelines before the end of Q1 2026 to prevent issues.

## 2025-03-14

**Account Settings: default\_nameservers and use\_account\_custom\_ns\_by\_default**

Deprecation date: March 14, 2025

The fields `"default_nameservers"` and `"use_account_custom_ns_by_default"` within the `"settings"` object of accounts are deprecated. Instead, use the [Show DNS Settings](https://developers.cloudflare.com/api/resources/dns/subresources/settings/subresources/account/methods/get/) and [Update DNS Settings](https://developers.cloudflare.com/api/resources/dns/subresources/settings/subresources/account/methods/edit/) endpoints to manage this setting. This setting is available in the new API as `.zone_defaults.nameservers.type`, with allowed values `"cloudflare.standard"`, `"cloudflare.standard.random"`, `"custom.account"` and `"custom.tenant"`.

Changes via the old endpoints will be reflected in the new ones, and vice versa, so there is no need to migrate existing zones. However, future API calls must use DNS Settings instead of the Accounts endpoints.

Affected APIs:

* `GET /accounts`
* `POST /accounts`
* `GET /accounts/:account_id`
* `PUT /accounts/:account_id`

## 2025-03-11

**Cloudflare Radar: Layer 7 attack magnitude parameter**

Deprecation date: March 11, 2025

End of life date: June 11, 2025

The layer 7 attack `magnitude` query parameter, which allows you to define attack magnitude by total requests mitigated (`MITIGATED_REQUESTS`) or total zones attacked (`AFFECTED_ZONES`), is deprecated. Moving forward, Cloudflare Radar will only support defining layer 7 attack magnitude based on the total number of mitigated requests.

Affected API:

`GET /radar/attacks/layer7/top/attacks`

Replacement:

Users should stop using the `magnitude` parameter, as the default behavior already uses `MITIGATED_REQUESTS`.

## 2025-02-21

**DNS Records API: Changes to Filter Parameters**

Deprecation date: February 21, 2025

The following URL parameters for filtering DNS records are deprecated:

* `name=contains:value` Instead, use the supported `name.contains=value` syntax.
* `name=starts_with:value` Instead, use the supported `name.startswith=value` syntax.
* `name=ends_with:value` Instead, use the supported `name.endswith=value` syntax.
* `name=one,two,three` (searching for one of multiple possible names, separated by commas) Instead, make multiple requests, one for each possible `name`. Alternatively, if only querying the `name` field, the `?match=any&name=one&name=two&name=three` syntax can be used instead. This syntax has an extended deprecation date of May 23, 2025.
* `content=contains:value` Instead, use the supported `content.contains=value` syntax.
* `content=starts_with:value` Instead, use the supported `content.startswith=value` syntax.
* `content=ends_with:value` Instead, use the supported `content.endswith=value` syntax.
* `content=one,two,three` (searching for one of multiple possible contents, separated by commas) Instead, make multiple requests, one for each possible `content`. Alternatively, if only querying the `content` field, the `?match=any&content=one&content=two&content=three` syntax can be used instead. This syntax has an extended deprecation date of May 23, 2025.
* `type=contains:value` Searching for substrings of a type name will no longer be supported. Instead, please search for an exact type name, such as `type=CNAME`. If the input value is a free-text search from a human user, consider using the `search` parameter instead.

None of the parameters being deprecated were ever officially supported per our API documentation.

Affected APIs:

* `GET /zones/:zone_id/dns_records`
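To migrate stored queries, the added example below (not Cloudflare's code) rewrites a legacy `dns_records` query string into supported syntax. Comma-separated lists become one request per value, following the "make multiple requests" option above; the function name is an assumption of this example.

```python
"""Rewrite deprecated DNS record filter parameters into supported syntax."""
from itertools import product
from urllib.parse import parse_qsl, urlencode

# Deprecated "field=<operator>:value" prefixes and their supported suffixes.
OPERATORS = {"contains": "contains", "starts_with": "startswith",
             "ends_with": "endswith"}
FIELDS = ("name", "content")


def rewrite_dns_filter_query(query):
    """Return a list of query strings that use only supported filters.

    One legacy query can expand into several requests, because a
    comma-separated list is replaced by one request per value.
    """
    alternatives = []  # for each parameter, the (key, value) choices it expands to
    for key, value in parse_qsl(query.lstrip("?"), keep_blank_values=True):
        op, sep, operand = value.partition(":")
        if key == "type" and sep and op == "contains":
            # No supported equivalent: the caller must choose a replacement.
            raise ValueError(
                "type=contains: is not supported; use an exact type such as "
                "type=CNAME, or the search parameter for free-text input")
        if key in FIELDS and sep and op in OPERATORS:
            alternatives.append([(f"{key}.{OPERATORS[op]}", operand)])
        elif key in FIELDS and "," in value:
            # Legacy behaviour treated commas as "one of these values".
            alternatives.append([(key, v) for v in value.split(",") if v])
        else:
            # Already supported (including values that merely contain ":").
            alternatives.append([(key, value)])
    # Every combination of list values becomes its own request.
    return [urlencode(list(combo)) for combo in product(*alternatives)]
```

When a query expands into several requests, merge the responses and de-duplicate records by `id`.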

## 2024-12-09

**Access applications: self\_hosted\_domains**

Deprecation date: November 21, 2025

The `self_hosted_domains` field for [Access applications](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/update/) is deprecated in favor of `destinations` to allow for more flexibility in defining different types of domains.

Before:

```json
{
  // ...
  "self_hosted_domains": ["foo.example.com", "bar.example.com"]
}

```

After:

```json
{
  // ...
  "destinations": [
    {
      "type": "public",
      "uri": "foo.example.com"
    },
    {
      "type": "public",
      "uri": "bar.example.com"
    }
  ]
}

```

The API will accept both fields until the deprecation date. If `self_hosted_domains` are provided, then they will be interpreted as `public` destinations. However, if `destinations` are provided, then `self_hosted_domains` will be ignored even if provided.

Additionally, the API will continue to return `self_hosted_domains` until the deprecation date. The field will contain the URIs of the subset of destinations that have type `public`.
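Because `self_hosted_domains` is ignored whenever `destinations` is present, a request body carrying both can leave out a domain the author expected to be covered. The added example below (not Cloudflare's code) rewrites a body to `destinations` only and reports any legacy domains the API would have ignored; the function names, and treating an empty `destinations` list as "not provided", are assumptions of this example.

```python
"""Move an Access application body from self_hosted_domains to destinations."""


def public_uris(destinations):
    """URIs of the destinations with type "public".

    Per the page, this is what the API reports back in
    `self_hosted_domains` until the deprecation date.
    """
    return [d["uri"] for d in destinations if d.get("type") == "public"]


def migrate_access_app(body):
    """Return (new_body, ignored) for an Access application request body.

    new_body: the same body without `self_hosted_domains`.
    ignored:  legacy domains that appear in `self_hosted_domains` but in no
              public destination, i.e. domains the API would silently ignore
              because `destinations` was also supplied.
    """
    legacy = list(body.get("self_hosted_domains") or [])
    new_body = {k: v for k, v in body.items() if k != "self_hosted_domains"}

    if body.get("destinations"):
        # Both fields supplied: destinations wins, so surface the difference
        # instead of merging it in silently.
        covered = set(public_uris(body["destinations"]))
        ignored = [domain for domain in legacy if domain not in covered]
        return new_body, ignored

    # Only the legacy field supplied: each domain is a public destination.
    new_body["destinations"] = [{"type": "public", "uri": d} for d in legacy]
    return new_body, []
```
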

Affected APIs:

* `GET /accounts/:account_id/access/apps`
* `POST /accounts/:account_id/access/apps`
* `GET /accounts/:account_id/access/apps/:app_id`
* `PUT /accounts/:account_id/access/apps/:app_id`
* `GET /zones/:zone_id/access/apps`
* `POST /zones/:zone_id/access/apps`
* `GET /zones/:zone_id/access/apps/:app_id`
* `PUT /zones/:zone_id/access/apps/:app_id`

## 2024-11-30

**Zone information in individual DNS records**

Deprecation date: November 30, 2024

Currently, each individual DNS record returned by the API contains information about the zone it is on, specifically the zone ID and name.

```json
{
  "result": [
    {
      // ...
      "zone_id": "ab922473c42f4e50819d7c1c9b81b16b",
      "zone_name": "example.com"
    }
  ],
  // ...
}

```

This information is redundant because both affected API routes are already within the zone scope. In particular, the zone ID will already be known to any user of these routes because it appears in the URL. The zone name can be retrieved by making a `GET` request to `/zones/:zone_id` if it is necessary.

After November 30th, 2024, Cloudflare will stop including the `zone_id` and `zone_name` fields on individual DNS records in API responses. These fields are currently ignored when sent to the API as part of a request body, so no changes to request bodies are required.

Modified API:

* `GET /zones/:zone_id/dns_records`
* `POST /zones/:zone_id/dns_records`
* `GET /zones/:zone_id/dns_records/:dns_record_id`
* `PATCH /zones/:zone_id/dns_records/:dns_record_id`
* `PUT /zones/:zone_id/dns_records/:dns_record_id`

## 2024-10-01

**DNS Records: Error chains for DNS validation errors**

Deprecation date: October 1, 2024

Cloudflare is making a minor change to the representation of certain errors when creating DNS records. Currently, when the DNS record to be created is invalid, an error similar to the following may be returned:

```txt
{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 1004,
      "message": "DNS Validation Error",
      "error_chain": [
        {
          "code": 9999,
          "message": "This is an example."
        }
      ]
    }
  ],
  "messages": []
}

```

After October 1st, 2024, the `error_chain` will be omitted, returning the root cause directly without wrapping it in another "DNS Validation Error" error:

```txt
{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 9999,
      "message": "This is an example."
    }
  ],
  "messages": []
}

```

## 2024-09-13

**Legacy DNS Settings Endpoints**

Deprecation date: September 13, 2024

The dedicated endpoints for DNS settings `use_apex_ns` and `secondary_overrides` are being deprecated.

Instead, use the [Show DNS Settings](https://developers.cloudflare.com/api/resources/dns/subresources/settings/subresources/zone/methods/get/) and [Update DNS Settings](https://developers.cloudflare.com/api/resources/dns/subresources/settings/subresources/zone/methods/edit/) endpoints to manage these settings.

* Instead of the `.../use_apex_ns` endpoint, use the `multi_provider` field.
* Instead of the `.../secondary_overrides` endpoint, use the `secondary_overrides` field.

Deprecated APIs:

* `GET /zones/:zone_id/dns_settings/use_apex_ns`
* `PATCH /zones/:zone_id/dns_settings/use_apex_ns`
* `GET /zones/:zone_id/dns_settings/secondary_overrides`
* `PATCH /zones/:zone_id/dns_settings/secondary_overrides`

## 2024-08-15

**Brotli**

Deprecation date: August 15, 2024

The Brotli setting and its API endpoints are deprecated. Brotli compression is available for all non-Enterprise zones, and it will be extended to Enterprise zones in the coming year.

Deprecated APIs:

* `GET /zones/:zone_id/settings/brotli`
* `PATCH /zones/:zone_id/settings/brotli`

Enterprise customers can override Cloudflare's default compression behavior using [Compression Rules](https://developers.cloudflare.com/rules/compression-rules/).

## 2024-08-05

**Auto Minify**

Deprecation date: August 5, 2024

The Auto Minify API endpoints are deprecated since the Auto Minify feature was deprecated.

Deprecated APIs:

* `GET /zones/:zone_id/settings/minify`
* `PATCH /zones/:zone_id/settings/minify`

## 2024-07-14

**DNS Records: 'locked' Field**

Deprecation date: July 14, 2024

The `"locked"` field of DNS records in API responses is unused and has been guaranteed to always be `false` for more than a year. This deprecation means that the field will be omitted from API responses entirely. If received from a client, the field will continue to be ignored, just as it is today.

Modified API:

* `GET /zones/:zone_id/dns_records`
* `POST /zones/:zone_id/dns_records`
* `GET /zones/:zone_id/dns_records/:dns_record_id`
* `PATCH /zones/:zone_id/dns_records/:dns_record_id`
* `PUT /zones/:zone_id/dns_records/:dns_record_id`

## 2024-06-30

**Mobile redirect**

Deprecation date: June 30, 2024

This endpoint and its related APIs are deprecated in favor of [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/). Refer to [Perform mobile redirects](https://developers.cloudflare.com/rules/url-forwarding/examples/perform-mobile-redirects/) to migrate Mobile Redirect to Redirect Rules.

Deprecated API:

* `GET /zones/:zone_identifier/settings/mobile_redirect`
* `PATCH /zones/:zone_identifier/settings/mobile_redirect`

Replacement: [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/)

## 2024-06-14

**Server-side Excludes**

Deprecation date: June 14, 2024

The Server-side Excludes feature and its API endpoints are deprecated.

Deprecated APIs:

* `GET /zones/:zone_id/settings/server_side_exclude`
* `PATCH /zones/:zone_id/settings/server_side_exclude`

## 2024-05-31

**Name-Related Data Fields on SRV (DNS) Records**

Deprecation date: May 31, 2024

The name of an SRV record normally consists of three parts: the service (e.g., `_xmpp`), the protocol (e.g., `_tcp`), and the base name (`example.com`).

The complete name would then be, e.g., `_xmpp._tcp.example.com`.

When interacting with DNS records through the [API](https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/create/), SRV records contain both a full `name` as well as a `data` map containing the individual components of the name:

```txt
{
  "name": "_xmpp._tcp.example.com",
  "data": {
    "service": "_xmpp",
    "proto": "_tcp",
    "name": "example.com",
    ...
  },
  ...
}

```

We are deprecating the `service`, `proto` and `name` fields _within_ the `data` map in favor of the `name` field _outside_ the data map, which is the same name field that's used by all other record types.

Before the end of life date, please ensure that:

* when reading SRV records, you use only the `name` outside of the data map and ignore `service`, `proto` and `name` within the data map if they exist; and
* when writing SRV records, you set the `name` outside of the data map and **do not set** `service`, `proto` or `name` within the data map.

After the end of life date, the API will stop producing the `service`, `proto` and `name` data fields, and if any of them are received from a client, an error will be returned.

This deprecation does not affect other SRV data fields not mentioned above (`priority`, `weight`, `port`, `target`) or data fields for any other record type other than SRV.
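The write-side rule above, as an added example (not Cloudflare's code): it prepares an SRV record body so that only the top-level `name` carries the name, building it from the legacy components when an older payload has no full name. The function name is an assumption of this example.

```python
"""Prepare an SRV record body that no longer sets name parts inside `data`."""

# Fields being removed from the SRV `data` map.
SRV_NAME_PARTS = ("service", "proto", "name")


def srv_for_write(record):
    """Return a copy of `record` that is safe to send after the end of life date.

    Non-SRV records are returned unchanged. For SRV records the `service`,
    `proto` and `name` entries are dropped from `data`; `priority`, `weight`,
    `port` and `target` are left alone.
    """
    if record.get("type") != "SRV":
        return dict(record)

    data = dict(record.get("data") or {})
    parts = [data.pop(key, None) for key in SRV_NAME_PARTS]
    out = {**record, "data": data}

    if not out.get("name"):
        # Legacy payload that only carried the components: rebuild the full
        # name, e.g. _xmpp + _tcp + example.com -> _xmpp._tcp.example.com.
        if not all(parts):
            raise ValueError("SRV record has no full name and incomplete name parts")
        out["name"] = ".".join(parts)
    return out
```
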

Modified API:

* `GET /zones/:zone_id/dns_records`
* `POST /zones/:zone_id/dns_records`
* `GET /zones/:zone_id/dns_records/:dns_record_id`
* `PATCH /zones/:zone_id/dns_records/:dns_record_id`
* `PUT /zones/:zone_id/dns_records/:dns_record_id`

## 2024-03-31

**Privacy Pass API Removal**

Deprecation date: March 31, 2024

In 2017, Cloudflare [announced support](https://blog.cloudflare.com/cloudflare-supports-privacy-pass/) for Privacy Pass, a recent protocol to let users prove their identity across multiple sites anonymously without enabling tracking. The initial use case was to provide untraceable tokens to sites to vouch for users who might otherwise have been presented with a CAPTCHA challenge. In the time since this release, Privacy Pass has evolved both at the [IETF](https://datatracker.ietf.org/wg/privacypass/documents/) and within Cloudflare. The version announced in 2017 is now considered legacy, and these legacy Privacy Pass tokens are no longer supported as an alternative to Cloudflare challenges. As has been discussed on our blog [The end road for CAPTCHA](https://blog.cloudflare.com/end-cloudflare-captcha/), Cloudflare uses a variety of signals to infer if incoming traffic is likely automated. The (legacy) Privacy Pass zone setting is no longer meaningful to Cloudflare customers as Cloudflare now operates [CAPTCHA free](https://blog.cloudflare.com/turnstile-ga/), and supports the latest [Privacy Pass draft](https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/).

In September 2023, support for legacy Privacy Pass tokens as an alternative to Cloudflare Managed Challenge was removed. By the end of March 2024, the current public-facing API will be removed as well.

Deprecated API:

* `GET zones/:zone_identifier/settings/privacy_pass`
* `POST zones/:zone_identifier/settings/privacy_pass`

## 2024-02-04

**Argo Tunnel**

Deprecation date: February 4, 2024

This endpoint and its related APIs are deprecated in favor of the Cloudflare Tunnels equivalent APIs.

Deprecated API:

* `GET accounts/:account_identifier/tunnels`
* `POST accounts/:account_identifier/tunnels`
* `GET accounts/:account_identifier/tunnels/:tunnel_id`
* `DELETE accounts/:account_identifier/tunnels/:tunnel_id`

Replacement: Cloudflare Tunnel API

## 2023-07-01

**ChaCha20 TLS Cipher Removal**

Deprecation date: July 1, 2023

Back in 2016, Cloudflare [introduced support](https://blog.cloudflare.com/it-takes-two-to-chacha-poly/) for `ChaCha20-Poly1305` cipher suites for TLS 1.2\. At the time, we introduced two variants of these new suites: the "standard" suites as defined by IETF RFC 7905, and "draft" suites that followed an earlier draft of said specification. The draft suites were added for compatibility with some older Android devices that at the time did not yet support the proper `ChaCha20-Poly1305` standard versions. This was in 2016, and in the meantime the standard `ChaCha20-Poly1305` cipher suites have gained much wider adoption, to the point where traffic using the old draft suites has dropped significantly. Due to the current low usage and the non-standard nature of these draft cipher suites, we are now deprecating their support on the Cloudflare network.

This should not affect customer zones in any way, as clients that might currently use these cipher suites will be able to fall back to different ones. In addition, unlike the standard variants, these legacy cipher suites are not exposed directly through our API (e.g. through the TLS cipher suites preferences endpoint), and their deprecation will not affect customer configurations in any way.

As of July 1st, 2023, the draft ChaCha20-Poly1305 cipher suites have been deprecated and are deemed End of Life by Cloudflare. If you have clients that currently rely on these ciphers, it is strongly recommended to upgrade them to newer, more secure ciphers. Be aware that these deprecated ciphers will be completely removed in the first quarter of 2024, and requests using them will start to fail. Take proactive measures to ensure a smooth transition and maintain the security of your systems.

## 2023-07-01

**Transfer-Encoding and Content-Length headers**

Deprecation date: July 1, 2023

Previously, RFC 2616 allowed the use of `Transfer-Encoding` and `Content-Length` HTTP headers in the same request. RFC 7230 supersedes RFC 2616 and prohibits the use of `Transfer-Encoding` and `Content-Length` headers in the same request because they can cause HTTP request smuggling vulnerabilities.

Starting on July 1st, 2023, Cloudflare will decline requests with both `Transfer-Encoding` and `Content-Length` HTTP headers.
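To find clients or origin-side tooling that still emit both headers, the added example below (not Cloudflare's code) inspects the header section of a raw HTTP/1.1 request and reports whether both framing headers are present. The function names and the sample requests in the test are constructed for this example.

```python
"""Check a raw HTTP/1.1 request for both Transfer-Encoding and Content-Length."""

FRAMING = (b"transfer-encoding", b"content-length")


def framing_headers(raw_request):
    """Return {header-name: [values]} for the two framing headers.

    Only the header section (everything before the first blank line) is
    inspected, so body bytes that look like headers are not counted.
    """
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    found = {}
    for line in head.split(b"\r\n")[1:]:      # [0] is the request line
        if line[:1] in (b" ", b"\t"):
            continue                          # folded continuation of the previous header
        name, sep, value = line.partition(b":")
        if not sep:
            continue                          # not a header line
        key = name.strip().lower()            # header names are case-insensitive
        if key in FRAMING:
            found.setdefault(key.decode(), []).append(
                value.strip().decode("latin-1"))
    return found


def should_decline(raw_request):
    """True when the request carries both framing headers."""
    found = framing_headers(raw_request)
    return "transfer-encoding" in found and "content-length" in found
```
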

## 2023-06-06

**Account Billing Profile, User Billing Profile, and User Billing History**

Deprecation date: June 6, 2023

There is no API replacement for these endpoints. As an alternative, please log in to your Cloudflare account to view your:

* [Invoices & Billing Email](https://dash.cloudflare.com/?to=/:account/billing)
* [Billing subscriptions](https://dash.cloudflare.com/?to=/:account/billing/subscriptions)
* [Billing profile payment info](https://dash.cloudflare.com/?to=/:account/billing/payment-info)

Deprecated API:

* `GET accounts/{account_identifier}/billing/profile`
* `GET user/billing/profile`
* `GET user/billing/history`

## 2023-04-03

**Load Balancing - notification\_email**

Deprecation date: April 3, 2023

This field is deprecated and has been moved to [Cloudflare centralized notification service](https://developers.cloudflare.com/notifications/).

`notification_email` is the email address to send health status notifications to. This can be an individual mailbox or a mailing list. Multiple emails can be supplied as a comma-delimited list.

## 2023-03-19

**Access Bookmark applications**

Deprecation date: March 19, 2023

This endpoint is deprecated in favor of using a specialized Access Application App Type API.

Deprecated API:

* `GET accounts/:identifier/access/bookmarks`
* `GET accounts/:identifier/access/bookmarks/:uuid`
* `POST accounts/:identifier/access/bookmarks/:uuid`
* `PUT accounts/:identifier/access/bookmarks/:uuid`
* `DELETE accounts/:identifier/access/bookmarks/:uuid`

Replacement: Access applications app type API

## 2022-10-11

**Page Shield**

Deprecation date: October 11, 2022

Replace `script_monitor` in Page Shield API routes with `page_shield`.

## 2022-07-01

**Cloudflare Images - Create authenticated direct upload URL v1**

Deprecation date: July 1, 2022

This endpoint is deprecated in favor of using v2, which allows you to control metadata, define an access policy, and get the image ID.

Deprecated API: `POST accounts/:account_identifier/images/v1/direct_upload`

Replacement: `POST accounts/:account_identifier/images/v2/direct_upload`

## 2021-03-01

**Zone Analytics API**

Deprecation date: March 1, 2021

This API is deprecated in favor of the [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/), which provides equivalent data and more features, including the ability to select only the metrics that you need. For more information, refer to the [Zone analytics to GraphQL analytics migration guide](https://developers.cloudflare.com/analytics/graphql-api/migration-guides/zone-analytics/).

Deprecated API:

* `GET zones/:zone_identifier/analytics/dashboard`
* `GET zones/:zone_identifier/analytics/colos`

Replacement: GraphQL Analytics API

## 2020-04-02

**Organizations**

Deprecation date: April 2, 2020

This endpoint and its related APIs are deprecated in favor of the `/accounts` equivalent API, which has a broader range of features and is backwards compatible with the `/organizations` API.

Deprecated API:

* `GET organizations/:identifier`
* `PATCH organizations/:identifier`
* `GET organizations/:organization_identifier/invites`
* `POST organizations/:organization_identifier/invites`
* `GET organizations/:organization_identifier/invites/:identifier`
* `PATCH organizations/:organization_identifier/invites/:identifier`
* `DELETE organizations/:organization_identifier/invites/:identifier`
* `GET organizations/:organization_identifier/members`
* `GET organizations/:organization_identifier/members/:identifier`
* `PATCH organizations/:organization_identifier/members/:identifier`
* `DELETE organizations/:organization_identifier/members/:identifier`
* `GET organizations/:organization_identifier/roles`
* `GET organizations/:organization_identifier/roles/:identifier`
* `GET organizations/:organization_identifier/audit_logs`
* `GET organizations/:organization_identifier/railguns`
* `POST organizations/:organization_identifier/railguns`
* `GET organizations/:organization_identifier/railguns/:identifier`
* `PATCH organizations/:organization_identifier/railguns/:identifier`
* `DELETE organizations/:organization_identifier/railguns/:identifier`
* `GET organizations/:organization_identifier/railguns/:identifier/zones`

Replacement: Accounts API

## Related resources

* [Available RSS feeds](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) (for the [Cloudflare changelog](https://developers.cloudflare.com/changelog/))
* [Subscribe to Cloudflare Status](https://developers.cloudflare.com/support/cloudflare-status/)
* [Planned maintenance windows](https://developers.cloudflare.com/support/disruptive-maintenance/)


---

---
title: GraphQL API
image: https://developers.cloudflare.com/core-services-preview.png
---

# GraphQL API


---

---
title: Rate limits
description: Some specific API calls have their own limits and are documented separately, such as the following:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Rate limits

## API token limits

| Type                              | Limit                               |
| --------------------------------- | ----------------------------------- |
| Client API per user/account token | 1200/5 minutes                      |
| Client API per IP                 | 200/second                          |
| GraphQL                           | Varies by query cost. Max 320/5 min |
| User API token quota              | 50                                  |
| Account API token quota           | 500                                 |

Note

The global rate limit for the Cloudflare API is 1,200 requests per five minute period per user, and applies cumulatively regardless of whether the request is made via the dashboard, API key, or API token.

If you exceed this limit, all API calls for the next five minutes will be blocked, receiving an `HTTP 429 - Too Many Requests` response.

Some specific API calls have their own limits and are documented separately, such as the following:

* [Cache Purge APIs](https://developers.cloudflare.com/cache/how-to/purge-cache/#availability-and-limits)
* [GraphQL APIs](https://developers.cloudflare.com/analytics/graphql-api/limits/)
* [Rulesets APIs](https://developers.cloudflare.com/ruleset-engine/rulesets-api/#limits)
* [Lists API](https://developers.cloudflare.com/waf/tools/lists/lists-api/#rate-limiting-for-lists-api-requests)
* [Gateway Lists API](https://developers.cloudflare.com/cloudflare-one/reusable-components/lists/#api-rate-limit)

Enterprise customers can also [contact Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/) to raise the Client API per user, GraphQL, or API token limits to a higher value.

## Rate limiting headers

The following headers are returned when calling REST APIs:

* `Ratelimit`: List of service limit items, composed of the limit name, the remaining quota (`r`), and the time the next window resets (`t`). For example: `"default";r=50;t=30`
* `Ratelimit-Policy`: List of quota policy items, composed of the policy name, the total quota (`q`), and the time window the quota applies to (`w`). For example: `"burst";q=100;w=60`
* `retry-after`: The number of seconds, rounded up, until more capacity is available. Note that this header is only returned when the request has exceeded the rate limit.

[Cloudflare's SDKs](https://developers.cloudflare.com/fundamentals/api/reference/sdks/) will also automatically work with the headers and back off in response to rate limits.
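
For clients that do not use an SDK, the following Python sketch (an added example, not Cloudflare's SDK code) parses `Ratelimit` and `Ratelimit-Policy` items in the format shown above and chooses how long to wait before the next call. It assumes that `t` is a number of seconds and that items in the two headers can be matched by name, and it falls back to the five-minute block described on this page; the function names and sample responses are constructed.

```python
import re
from typing import Dict, List, Mapping

# One list item: a quoted name followed by ;key=integer parameters,
# for example "default";r=50;t=30 (format taken from the examples above).
_ITEM = re.compile(r'"([^"]*)"((?:\s*;\s*[A-Za-z][A-Za-z0-9_-]*=[0-9]+)*)')
_PARAM = re.compile(r'([A-Za-z][A-Za-z0-9_-]*)=([0-9]+)')

# Exceeding the global limit blocks API calls for the next five minutes.
DEFAULT_BLOCK_SECONDS = 300


def split_items(value: str) -> List[str]:
    """Split a header value on commas that sit outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_items(value: str) -> Dict[str, Dict[str, int]]:
    """Return {name: {param: int}}; raise ValueError on a malformed item."""
    items: Dict[str, Dict[str, int]] = {}
    for raw in split_items(value):
        match = _ITEM.fullmatch(raw)
        if match is None:
            raise ValueError(f"malformed rate limit item: {raw!r}")
        items[match.group(1)] = {k: int(v) for k, v in _PARAM.findall(match.group(2))}
    return items


def delay_before_next_call(status: int, headers: Mapping[str, str]) -> int:
    """Seconds to wait before the next API call (assumes t is in seconds)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        limits = parse_items(h.get("ratelimit", ""))
    except ValueError:
        limits = {}  # ignore a header that cannot be parsed
    # Reset times of the limits whose remaining quota (r) is used up.
    exhausted = [p["t"] for p in limits.values() if p.get("r") == 0 and "t" in p]
    if status == 429:
        retry_after = h.get("retry-after", "").strip()
        if re.fullmatch(r"[0-9]+", retry_after):
            return int(retry_after)
        return max(exhausted) if exhausted else DEFAULT_BLOCK_SECONDS
    return max(exhausted, default=0)


def remaining_share(headers: Mapping[str, str]) -> Dict[str, float]:
    """Remaining quota as a fraction of the total, per limit name.

    Assumption: a Ratelimit item and a Ratelimit-Policy item with the same
    name describe the same limit.
    """
    h = {k.lower(): v for k, v in headers.items()}
    limits = parse_items(h.get("ratelimit", ""))
    policies = parse_items(h.get("ratelimit-policy", ""))
    share = {}
    for name, limit in limits.items():
        quota = policies.get(name, {}).get("q")
        if quota and "r" in limit:
            share[name] = limit["r"] / quota
    return share


# Constructed sample responses: (status code, response headers).
SAMPLE_RESPONSES = [
    (200, {"Ratelimit": '"default";r=50;t=30',
           "Ratelimit-Policy": '"default";q=1200;w=300'}),
    (200, {"ratelimit": '"default";r=0;t=12, "burst";r=3;t=1'}),
    (429, {"Ratelimit": '"default";r=0;t=41', "Retry-After": "42"}),
    (429, {"Ratelimit": '"default";r=0;t=41'}),
    (429, {}),
]

if __name__ == "__main__":
    for status, headers in SAMPLE_RESPONSES:
        print(status, delay_before_next_call(status, headers), remaining_share(headers))
```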


---

---
title: API token permissions
description: Permissions are segmented into three categories based on resource:
image: https://developers.cloudflare.com/core-services-preview.png
---

# API token permissions

Permissions are segmented into three categories based on resource:

* Zone permissions
* Account permissions
* User permissions

Each category contains permission groups related to those resources. DNS permissions belong to the Zone category, while Billing permissions belong to the Account category. Below is a list of the available token permissions.

To obtain an updated list of token permissions, including the permission ID and the scope of each permission, use the [List permission groups](https://developers.cloudflare.com/api/resources/user/subresources/tokens/subresources/permission%5Fgroups/methods/list/) endpoint.

## User permissions

The applicable scope of user permissions is `com.cloudflare.api.user`.

**Dashboard**

| Name              | Description                                                                                                                   |
| ----------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| API Tokens Read   | Grants read access to user's [API tokens](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).         |
| API Tokens Edit   | Grants write access to user's [API tokens](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).        |
| Memberships Read  | Grants read access to a user's [account memberships](https://developers.cloudflare.com/fundamentals/manage-members/manage/).  |
| Memberships Edit  | Grants write access to a user's [account memberships](https://developers.cloudflare.com/fundamentals/manage-members/manage/). |
| User Details Read | Grants read access to user details.                                                                                           |
| User Details Edit | Grants write access to user details.                                                                                          |

**API**

| Name               | Description                                                                                                                   |
| ------------------ | ----------------------------------------------------------------------------------------------------------------------------- |
| API Tokens Read    | Grants read access to user's [API tokens](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).         |
| API Tokens Write   | Grants write access to user's [API tokens](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).        |
| Memberships Read   | Grants read access to a user's [account memberships](https://developers.cloudflare.com/fundamentals/manage-members/manage/).  |
| Memberships Write  | Grants write access to a user's [account memberships](https://developers.cloudflare.com/fundamentals/manage-members/manage/). |
| User Details Read  | Grants read access to user details.                                                                                           |
| User Details Write | Grants write access to user details.                                                                                          |

## Account permissions

The applicable scope of account permissions is `com.cloudflare.api.account`.

**Dashboard**

| Name                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                       |
| ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Access: Apps and Policies Read                               | Grants read access to Cloudflare Access [applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) and [policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).                                                                                                                                                                                |
| Access: Apps and Policies Revoke                             | Grants ability to revoke [Cloudflare Access application tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/)                                                                                                                                                                                                                                             |
| Access: Apps and Policies Edit                               | Grants write access to Cloudflare Access [applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) and [policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).                                                                                                                                                                               |
| Access: Apps Read                                            | Grants read access to [Cloudflare Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/).                                                                                                                                                                                                                                                                           |
| Access: Apps Revoke                                          | Grants ability to revoke [Cloudflare Access application tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/).                                                                                                                                                                                                                                            |
| Access: Apps Edit                                            | Grants write access to [Cloudflare Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/).                                                                                                                                                                                                                                                                          |
| Access: Audit Logs Read                                      | Grants read access to [Cloudflare Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/).                                                                                                                                                                                                                                         |
| Access: Custom Pages Read                                    | Grants read access to [Cloudflare Access custom block pages](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/).                                                                                                                                                                                                                                               |
| Access: Custom Pages Edit                                    | Grants write access to [Cloudflare Access custom block pages](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/).                                                                                                                                                                                                                                              |
| Access: Device Posture Read                                  | Grants read access to [Cloudflare Access device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).                                                                                                                                                                                                                                                                   |
| Access: Device Posture Edit                                  | Grants write access to [Cloudflare Access device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).                                                                                                                                                                                                                                                                  |
| Access: Groups Read                                          | Grants read access to [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/).                                                                                                                                                                                                                                                                         |
| Access: Groups Edit                                          | Grants write access to [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/).                                                                                                                                                                                                                                                                        |
| Access: Identity Providers Read                              | Grants read access to [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).                                                                                                                                                                                                                                                                     |
| Access: Identity Providers Edit                              | Grants write access to [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).                                                                                                                                                                                                                                                                    |
| Access: Keys Read                                            | Grants read access to [Cloudflare Access signing keys](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/).                                                                                                                                                                                                                            |
| Access: Keys Edit                                            | Grants ability to rotate [Cloudflare Access signing keys](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/).                                                                                                                                                                                                                         |
| Access: Mutual TLS Certificates Read                         | Grants read access to [Cloudflare Access mTLS certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).                                                                                                                                                                                                                                     |
| Access: Mutual TLS Certificates Edit                         | Grants write access to [Cloudflare Access mTLS certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).                                                                                                                                                                                                                                    |
| Access: Organizations Read                                   | Grants read access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/).                                                                                                                                                                                                                                                  |
| Access: Organizations Revoke                                 | Grants ability to [revoke user sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions) in a Zero Trust organization.                                                                                                                                                                                                                 |
| Access: Organizations Edit                                   | Grants write access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/).                                                                                                                                                                                                                                                 |
| Access: Organizations, Identity Providers, and Groups Read   | Grants read access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/), [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/), and [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/).  |
| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to [revoke users](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#revoke-a-user) from your Zero Trust organization.                                                                                                                                                                                                                                     |
| Access: Organizations, Identity Providers, and Groups Edit   | Grants write access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/), [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/), and [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/). |
| Access: Policies Read                                        | Grants read access to [Cloudflare Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/).                                                                                                                                                                                                                                                                 |
| Access: Policies Edit                                        | Grants write access to [Cloudflare Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/).                                                                                                                                                                                                                                                                |
| Access: Policy Test Read                                     | Grants read access to Cloudflare Access policy test [results](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/subresources/policy%5Ftests/subresources/users/methods/list/) and [status](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/subresources/policy%5Ftests/methods/get/).         |
| Access: Policy Test Edit                                     | Grants access to [test Cloudflare Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-your-policies).                                                                                                                                                                                                                                              |
| Access: Population Read                                      | Grants read access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access.                                                                                                                                                                                                                         |
| Access: Population Edit                                      | Grants write access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access.                                                                                                                                                                                                                        |
| Access: SCIM Logs Read                                       | Grants read access to [Cloudflare Access SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).                                                                                                                                                                                                                                                       |
| Access: Service Tokens Read                                  | Grants read access to [Cloudflare Access service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).                                                                                                                                                                                                                                                   |
| Access: Service Tokens Edit                                  | Grants write access to [Cloudflare Access service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).                                                                                                                                                                                                                                                  |
| Access: SSH Auditing Read                                    | Grants read access to [Cloudflare Access SSH CAs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).                                                                                                                                                                                                                               |
| Access: SSH Auditing Edit                                    | Grants write access to [Cloudflare Access SSH CAs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).                                                                                                                                                                                                                              |
| Access: Tags Read                                            | Grants read access to [Cloudflare Access tags](https://developers.cloudflare.com/cloudflare-one/reusable-components/tags/).                                                                                                                                                                                                                                                                                       |
| Access: Tags Edit                                            | Grants write access to [Cloudflare Access tags](https://developers.cloudflare.com/cloudflare-one/reusable-components/tags/).                                                                                                                                                                                                                                                                                      |
| Access: Users Read                                           | Grants read access to [users in a Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/).                                                                                                                                                                                                                                                                           |
| Access: Users Edit                                           | Grants access to update a user's name in a Zero Trust organization.                                                                                                                                                                                                                                                                                                                                               |
| Account Analytics Read                                       | Grants read access to [account analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/account-analytics/).                                                                                                                                                                                                                                                                             |
| Account Custom Pages Read                                    | Grants read access to account-level [Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                                                                                                                                                                                                                                                                        |
| Account Custom Pages Edit                                    | Grants write access to account-level [Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                                                                                                                                                                                                                                                                       |
| Account Filter Lists Read                                    | Grants read access to Account Filter Lists.                                                                                                                                                                                                                                                                                                                                                                       |
| Account Filter Lists Edit                                    | Grants write access to Account Filter Lists.                                                                                                                                                                                                                                                                                                                                                                      |
| Account Firewall Access Rules Read                           | Grants read access to account firewall access rules.                                                                                                                                                                                                                                                                                                                                                              |
| Account Firewall Access Rules Edit                           | Grants write access to account firewall access rules.                                                                                                                                                                                                                                                                                                                                                             |
| Account Rulesets Read                                        | Grants read access to [Account Rulesets](https://developers.cloudflare.com/ruleset-engine/about/rulesets/).                                                                                                                                                                                                                                                                                                       |
| Account Rulesets Edit                                        | Grants write access to [Account Rulesets](https://developers.cloudflare.com/ruleset-engine/about/rulesets/).                                                                                                                                                                                                                                                                                                      |
| Account Security Center Insights                             | Grants read access to [Security Center Insights](https://developers.cloudflare.com/security-center/security-insights/).                                                                                                                                                                                                                                                                                           |
| Account Security Center Insights Edit                        | Grants write access to [Security Center Insights](https://developers.cloudflare.com/security-center/security-insights/).                                                                                                                                                                                                                                                                                          |
| Account Settings Read                                        | Grants read access to [Account resources, account membership, and account level features](https://developers.cloudflare.com/fundamentals/account/).                                                                                                                                                                                                                                                               |
| Account Settings Edit                                        | Grants write access to [Account resources, account membership, and account level features](https://developers.cloudflare.com/fundamentals/account/).                                                                                                                                                                                                                                                              |
| Account: SSL and Certificates Read                           | Grants read access to [SSL and Certificates](https://developers.cloudflare.com/ssl/).                                                                                                                                                                                                                                                                                                                             |
| Account: SSL and Certificates Edit                           | Grants write access to [SSL and Certificates](https://developers.cloudflare.com/ssl/).                                                                                                                                                                                                                                                                                                                            |
| Account WAF Read                                             | Grants read access to [Account WAF](https://developers.cloudflare.com/waf/).                                                                                                                                                                                                                                                                                                                                      |
| Account WAF Edit                                             | Grants write access to [Account WAF](https://developers.cloudflare.com/waf/).                                                                                                                                                                                                                                                                                                                                     |
| Address Maps Edit                                            | Grants write access to [Address Maps](https://developers.cloudflare.com/byoip/address-maps/)                                                                                                                                                                                                                                                                                                                      |
| Address Maps Read                                            | Grants read access to [Address Maps](https://developers.cloudflare.com/byoip/address-maps/)                                                                                                                                                                                                                                                                                                                       |
| AI Gateway Edit                                              | Grants edit access to [AI Gateway](https://developers.cloudflare.com/ai-gateway/)                                                                                                                                                                                                                                                                                                                                 |
| AI Gateway Read                                              | Grants read access to [AI Gateway](https://developers.cloudflare.com/ai-gateway/)                                                                                                                                                                                                                                                                                                                                 |
| AI Gateway Run                                               | Grants run access to [Non-realtime WebSockets API](https://developers.cloudflare.com/ai-gateway/usage/websockets-api/non-realtime-api/)                                                                                                                                                                                                                                                                           |
| Allow Request Tracer Read                                    | Grants read access to Request Tracer.                                                                                                                                                                                                                                                                                                                                                                             |
| API Gateway Read                                             | Grants read access to [API Gateway (including API Shield)](https://developers.cloudflare.com/api-shield/) for all domains in an account.                                                                                                                                                                                                                                                                          |
| API Gateway Edit                                             | Grants write access to [API Gateway (including API Shield)](https://developers.cloudflare.com/api-shield/) for all domains in an account.                                                                                                                                                                                                                                                                         |
| Billing Read                                                 | Grants read access to [billing profile, subscriptions, and access to fetch invoices](https://developers.cloudflare.com/billing/) and entitlements.                                                                                                                                                                                                                                                                |
| Billing Edit                                                 | Grants write access to [billing profile, subscriptions, and access to fetch invoices and entitlements](https://developers.cloudflare.com/billing/).                                                                                                                                                                                                                                                               |
| Bulk URL Redirects Read                                      | Grants read access to [Bulk Redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/).                                                                                                                                                                                                                                                                                                   |
| Bulk URL Redirects Edit                                      | Grants write access to [Bulk Redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/).                                                                                                                                                                                                                                                                                                  |
| China Network Steering Read                                  | Grants read access to [China Network Steering](https://developers.cloudflare.com/china-network/).                                                                                                                                                                                                                                                                                                                 |
| China Network Steering Edit                                  | Grants write access to [China Network Steering](https://developers.cloudflare.com/china-network/).                                                                                                                                                                                                                                                                                                                |
| Cloudchamber Read                                            | Grants read access to Cloudchamber deployments.                                                                                                                                                                                                                                                                                                                                                                   |
| Cloudchamber Edit                                            | Grants write access to Cloudchamber deployments.                                                                                                                                                                                                                                                                                                                                                                  |
| Cloudflare Realtime Read                                     | Grants read access to Cloudflare Realtime.                                                                                                                                                                                                                                                                                                                                                                        |
| Cloudflare Realtime Edit                                     | Grants write access to Cloudflare Realtime.                                                                                                                                                                                                                                                                                                                                                                       |
| Cloudflare CASB Read                                         | Grants read access to [Cloud Access Security Broker](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).                                                                                                                                                                                                                                                                                  |
| Cloudflare CASB Edit                                         | Grants write access to [Cloud Access Security Broker](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).                                                                                                                                                                                                                                                                                 |
| Cloudflare DEX Read                                          | Grants read access to [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/).                                                                                                                                                                                                                                                                                            |
| Cloudflare DEX Edit                                          | Grants write access to [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/).                                                                                                                                                                                                                                                                                           |
| Cloudflare Images Read                                       | Grants read access to [Cloudflare Images](https://developers.cloudflare.com/images/).                                                                                                                                                                                                                                                                                                                             |
| Cloudflare Images Edit                                       | Grants write access to [Cloudflare Images](https://developers.cloudflare.com/images/).                                                                                                                                                                                                                                                                                                                            |
| Cloudflare One Connector: cloudflared Read                   | Grants read access to [cloudflared connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)                                                                                                                                                                                                                                                                           |
| Cloudflare One Connector: cloudflared Edit                   | Grants write access to [cloudflared connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)                                                                                                                                                                                                                                                                          |
| Cloudflare One Connector: WARP Read                          | Grants read access to [WARP Connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/)                                                                                                                                                                                                                                                       |
| Cloudflare One Connector: WARP Edit                          | Grants write access to [WARP Connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/)                                                                                                                                                                                                                                                      |
| Cloudflare One Connectors Read                               | Grants read access to Cloudflare One connectors                                                                                                                                                                                                                                                                                                                                                                   |
| Cloudflare One Connectors Edit                               | Grants write access to Cloudflare One connectors                                                                                                                                                                                                                                                                                                                                                                  |
| Cloudflare One Networks Read                                 | Grants read access to Cloudflare One routes and virtual networks                                                                                                                                                                                                                                                                                                                                                  |
| Cloudflare One Networks Edit                                 | Grants write access to Cloudflare One routes and virtual networks                                                                                                                                                                                                                                                                                                                                                 |
| Cloudflare Pages Read                                        | Grants access to view [Cloudflare Pages](https://developers.cloudflare.com/pages/) projects.                                                                                                                                                                                                                                                                                                                      |
| Cloudflare Pages Edit                                        | Grants access to create, edit and delete [Cloudflare Pages](https://developers.cloudflare.com/pages/) projects.                                                                                                                                                                                                                                                                                                   |
| Cloudflare Tunnel Read                                       | Grants access to view [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).                                                                                                                                                                                                                                                                              |
| Cloudflare Tunnel Edit                                       | Grants access to create and delete [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).                                                                                                                                                                                                                                                                 |
| Cloudforce One Read                                          | Grants read access to Cloudforce One.                                                                                                                                                                                                                                                                                                                                                                             |
| Cloudforce One Edit                                          | Grants write access to Cloudforce One.                                                                                                                                                                                                                                                                                                                                                                            |
| Email Security Read                                          | Grants read access to [Cloud Email Security](https://developers.cloudflare.com/email-security/).                                                                                                                                                                                                                                                                                                                  |
| Email Security Edit                                          | Grants write access to [Email Security](https://developers.cloudflare.com/email-security/).                                                                                                                                                                                                                                                                                                                       |
| Constellation Read                                           | Grants read access to [Constellation](https://developers.cloudflare.com/constellation/).                                                                                                                                                                                                                                                                                                                          |
| Constellation Edit                                           | Grants write access to [Constellation](https://developers.cloudflare.com/constellation/).                                                                                                                                                                                                                                                                                                                         |
| Containers Read                                              | Grants read access to [Containers](https://developers.cloudflare.com/containers/).                                                                                                                                                                                                                                                                                                                                |
| Containers Edit                                              | Grants write access to [Containers](https://developers.cloudflare.com/containers/).                                                                                                                                                                                                                                                                                                                               |
| D1 Read                                                      | Grants read access to [D1](https://developers.cloudflare.com/d1/).                                                                                                                                                                                                                                                                                                                                                |
| D1 Edit                                                      | Grants write access to [D1](https://developers.cloudflare.com/d1/).                                                                                                                                                                                                                                                                                                                                               |
| DDoS Botnet Feed Read                                        | Grants read access to Botnet Feed reports.                                                                                                                                                                                                                                                                                                                                                                        |
| DDoS Botnet Feed Edit                                        | Grants write access to Botnet Feed configuration.                                                                                                                                                                                                                                                                                                                                                                 |
| DDoS Protection Read                                         | Grants read access to [DDoS protection](https://developers.cloudflare.com/ddos-protection/).                                                                                                                                                                                                                                                                                                                      |
| DDoS Protection Edit                                         | Grants write access to [DDoS protection](https://developers.cloudflare.com/ddos-protection/).                                                                                                                                                                                                                                                                                                                     |
| DNS Firewall Read                                            | Grants read access to [DNS Firewall](https://developers.cloudflare.com/dns/dns-firewall/).                                                                                                                                                                                                                                                                                                                        |
| DNS Firewall Edit                                            | Grants write access to [DNS Firewall](https://developers.cloudflare.com/dns/dns-firewall/).                                                                                                                                                                                                                                                                                                                       |
| Email Routing Addresses Read                                 | Grants read access to [Email Routing Addresses](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                                                                                                                                                                                                                                                                  |
| Email Routing Addresses Edit                                 | Grants write access to [Email Routing Addresses](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                                                                                                                                                                                                                                                                 |
| Hyperdrive Read                                              | Grants read access to [Hyperdrive](https://developers.cloudflare.com/hyperdrive/).                                                                                                                                                                                                                                                                                                                                |
| Hyperdrive Edit                                              | Grants write access to [Hyperdrive](https://developers.cloudflare.com/hyperdrive/).                                                                                                                                                                                                                                                                                                                               |
| Intel Read                                                   | Grants read access to [Intel](https://developers.cloudflare.com/security-center/intel-apis/).                                                                                                                                                                                                                                                                                                                     |
| Intel Edit                                                   | Grants write access to [Intel](https://developers.cloudflare.com/security-center/intel-apis/).                                                                                                                                                                                                                                                                                                                    |
| Integration Edit                                             | Grants write access to integrations.                                                                                                                                                                                                                                                                                                                                                                              |
| IOT Read                                                     | Grants read access to [IOT ↗](https://blog.cloudflare.com/rethinking-internet-of-things-security/).                                                                                                                                                                                                                                                                                                               |
| IOT Edit                                                     | Grants write access to [IOT ↗](https://blog.cloudflare.com/rethinking-internet-of-things-security/).                                                                                                                                                                                                                                                                                                              |
| IP Prefixes: Read                                            | Grants access to read IP prefix settings.                                                                                                                                                                                                                                                                                                                                                                         |
| IP Prefixes: Edit                                            | Grants access to read/write IP prefix settings.                                                                                                                                                                                                                                                                                                                                                                   |
| IP Prefixes: BGP On Demand Read                              | Grants access to read IP prefix BGP configuration.                                                                                                                                                                                                                                                                                                                                                                |
| IP Prefixes: BGP On Demand Edit                              | Grants access to read and change IP prefix BGP configuration.                                                                                                                                                                                                                                                                                                                                                     |
| L3/4 DDoS Managed Ruleset Read                               | Grants read access to [L3/4 DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/).                                                                                                                                                                                                                                                                                   |
| L3/4 DDoS Managed Ruleset Edit                               | Grants write access to [L3/4 DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/).                                                                                                                                                                                                                                                                                  |
| Load Balancing: Monitors and Pools Read                      | Grants read access to account level [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                                                                                                                                                                                                                                                                 |
| Load Balancing: Monitors and Pools Edit                      | Grants write access to account level [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                                                                                                                                                                                                                                                                |
| Logs Read                                                    | Grants read access to logs using [Logpull or Instant Logs](https://developers.cloudflare.com/logs/).                                                                                                                                                                                                                                                                                                              |
| Logs Edit                                                    | Grants read and write access to [Logpull, Logpush, and Instant Logs](https://developers.cloudflare.com/logs/).                                                                                                                                                                                                                                                                                                    |
| Magic Firewall Read                                          | Grants read access to [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/).                                                                                                                                                                                                                                                                                              |
| Magic Firewall Edit                                          | Grants write access to [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/).                                                                                                                                                                                                                                                                                             |
| Magic Firewall Packet Captures Read                          | Grants read access to [Packet Captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/).                                                                                                                                                                                                                                                                            |
| Magic Firewall Packet Captures Edit                          | Grants write access to [Packet Captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/).                                                                                                                                                                                                                                                                           |
| Magic Network Monitoring Read                                | Grants read access to [Network Flow](https://developers.cloudflare.com/network-flow/).                                                                                                                                                                                                                                                                                                                            |
| Magic Network Monitoring Edit                                | Grants write access to [Network Flow](https://developers.cloudflare.com/network-flow/).                                                                                                                                                                                                                                                                                                                           |
| Magic Transit Read                                           | Grants read access to manage a user's [Magic Transit prefixes](https://developers.cloudflare.com/magic-transit/how-to/advertise-prefixes/).                                                                                                                                                                                                                                                                       |
| Magic Transit Edit                                           | Grants write access to manage a user's [Magic Transit prefixes](https://developers.cloudflare.com/magic-transit/how-to/advertise-prefixes/).                                                                                                                                                                                                                                                                      |
| Notifications Read                                           | Grants read access to [Notifications](https://developers.cloudflare.com/notifications/).                                                                                                                                                                                                                                                                                                                          |
| Notifications Edit                                           | Grants write access to [Notifications](https://developers.cloudflare.com/notifications/).                                                                                                                                                                                                                                                                                                                         |
| Client-side security Read                                    | Grants read access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                                                                                                                                                                                                                                                                          |
| Client-side security Edit                                    | Grants write access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                                                                                                                                                                                                                                                                         |
| Workers Pipelines Read                                       | Grants read access to Cloudflare Pipelines.                                                                                                                                                                                                                                                                                                                                                                       |
| Workers Pipelines Edit                                       | Grants write access to Cloudflare Pipelines.                                                                                                                                                                                                                                                                                                                                                                      |
| Queues Read                                                  | Grants read access to [Queues](https://developers.cloudflare.com/queues/).                                                                                                                                                                                                                                                                                                                                        |
| Queues Edit                                                  | Grants write access to [Queues](https://developers.cloudflare.com/queues/).                                                                                                                                                                                                                                                                                                                                       |
| Rule Policies Read                                           | Grants read access to Rule Policies.                                                                                                                                                                                                                                                                                                                                                                              |
| Rule Policies Edit                                           | Grants write access to Rule Policies.                                                                                                                                                                                                                                                                                                                                                                             |
| Stream Read                                                  | Grants read access to [Cloudflare Stream](https://developers.cloudflare.com/stream/).                                                                                                                                                                                                                                                                                                                             |
| Stream Edit                                                  | Grants write access to [Cloudflare Stream](https://developers.cloudflare.com/stream/).                                                                                                                                                                                                                                                                                                                            |
| Transform Rules Read                                         | Grants read access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                                                                                                                                                                                                                                                                      |
| Transform Rules Edit                                         | Grants write access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                                                                                                                                                                                                                                                                     |
| Turnstile Read                                               | Grants read access to [Turnstile](https://developers.cloudflare.com/turnstile/).                                                                                                                                                                                                                                                                                                                                  |
| Turnstile Edit                                               | Grants write access to [Turnstile](https://developers.cloudflare.com/turnstile/).                                                                                                                                                                                                                                                                                                                                 |
| URL Scanner Read                                             | Grants read access to [URL Scanner](https://developers.cloudflare.com/radar/investigate/url-scanner/).                                                                                                                                                                                                                                                                                                            |
| URL Scanner Edit                                             | Grants write access to [URL Scanner](https://developers.cloudflare.com/radar/investigate/url-scanner/).                                                                                                                                                                                                                                                                                                           |
| Vectorize Read                                               | Grants read access to [Vectorize](https://developers.cloudflare.com/vectorize/).                                                                                                                                                                                                                                                                                                                                  |
| Vectorize Edit                                               | Grants write access to [Vectorize](https://developers.cloudflare.com/vectorize/).                                                                                                                                                                                                                                                                                                                                 |
| Workers AI Read                                              | Grants read access to [Workers AI](https://developers.cloudflare.com/workers-ai/).                                                                                                                                                                                                                                                                                                                                |
| Workers AI Edit                                              | Grants write access to [Workers AI](https://developers.cloudflare.com/workers-ai/).                                                                                                                                                                                                                                                                                                                               |
| Workers CI Read                                              | Grants read access to [Workers CI](https://developers.cloudflare.com/workers/).                                                                                                                                                                                                                                                                                                                                   |
| Workers CI Edit                                              | Grants write access to [Workers CI](https://developers.cloudflare.com/workers).                                                                                                                                                                                                                                                                                                                                   |
| Workers KV Storage Read                                      | Grants read access to [Cloudflare Workers KV Storage](https://developers.cloudflare.com/kv/api/).                                                                                                                                                                                                                                                                                                                 |
| Workers KV Storage Edit                                      | Grants write access to [Cloudflare Workers KV Storage](https://developers.cloudflare.com/kv/api/).                                                                                                                                                                                                                                                                                                                |
| Workers R2 Storage Read                                      | Grants read access to [Cloudflare R2 Storage](https://developers.cloudflare.com/r2/).                                                                                                                                                                                                                                                                                                                             |
| Workers R2 Storage Edit                                      | Grants write access to [Cloudflare R2 Storage](https://developers.cloudflare.com/r2/).                                                                                                                                                                                                                                                                                                                            |
| Workers Scripts Read                                         | Grants read access to [Cloudflare Workers scripts](https://developers.cloudflare.com/workers/).                                                                                                                                                                                                                                                                                                                   |
| Workers Scripts Edit                                         | Grants write access to [Cloudflare Workers scripts](https://developers.cloudflare.com/workers/).                                                                                                                                                                                                                                                                                                                  |
| Workers Tail Read                                            | Grants [wrangler tail](https://developers.cloudflare.com/workers/wrangler/commands/general/#tail) read permissions.                                                                                                                                                                                                                                                                                               |
| Zero Trust Read                                              | Grants read access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) resources.                                                                                                                                                                                                                                                                                                       |
| Zero Trust Report                                            | Grants reporting access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/).                                                                                                                                                                                                                                                                                                            |
| Zero Trust Edit                                              | Grants write access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) resources.                                                                                                                                                                                                                                                                                                      |
| Zero Trust: PII Read                                         | Grants read access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) PII.                                                                                                                                                                                                                                                                                                             |
| Zero Trust: Seats Edit                                       | Grants write access to the number of [Zero Trust seats](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) your organization can use (and be billed for).                                                                                                                                                                                                                |

| Name                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                       |
| ------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Access: Apps and Policies Read                               | Grants read access to Cloudflare Access [applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) and [policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).                                                                                                                                                                                |
| Access: Apps and Policies Revoke                             | Grants ability to revoke [Cloudflare Access application tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/)                                                                                                                                                                                                                                             |
| Access: Apps and Policies Write                              | Grants write access to Cloudflare Access [applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/) and [policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).                                                                                                                                                                               |
| Access: Apps Read                                            | Grants read access to [Cloudflare Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/).                                                                                                                                                                                                                                                                           |
| Access: Apps Revoke                                          | Grants ability to revoke [Cloudflare Access application tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/).                                                                                                                                                                                                                                            |
| Access: Apps Write                                           | Grants write access to [Cloudflare Access applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/).                                                                                                                                                                                                                                                                          |
| Access: Audit Logs Read                                      | Grants read access to [Cloudflare Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/).                                                                                                                                                                                                                                         |
| Access: Custom Pages Read                                    | Grants read access to [Cloudflare Access custom block pages](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/).                                                                                                                                                                                                                                               |
| Access: Custom Pages Write                                   | Grants write access to [Cloudflare Access custom block pages](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-block-page/).                                                                                                                                                                                                                                              |
| Access: Device Posture Read                                  | Grants read access to [Cloudflare Access device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).                                                                                                                                                                                                                                                                   |
| Access: Device Posture Write                                 | Grants write access to [Cloudflare Access device posture](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/).                                                                                                                                                                                                                                                                  |
| Access: Groups Read                                          | Grants read access to [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/).                                                                                                                                                                                                                                                                         |
| Access: Groups Write                                         | Grants write access to [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/).                                                                                                                                                                                                                                                                        |
| Access: Identity Providers Read                              | Grants read access to [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).                                                                                                                                                                                                                                                                     |
| Access: Identity Providers Write                             | Grants write access to [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/).                                                                                                                                                                                                                                                                    |
| Access: Keys Read                                            | Grants read access to [Cloudflare Access signing keys](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/).                                                                                                                                                                                                                            |
| Access: Keys Write                                           | Grants ability to rotate [Cloudflare Access signing keys](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/).                                                                                                                                                                                                                         |
| Access: Mutual TLS Certificates Read                         | Grants read access to [Cloudflare Access mTLS certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).                                                                                                                                                                                                                                     |
| Access: Mutual TLS Certificates Write                        | Grants write access to [Cloudflare Access mTLS certificates](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).                                                                                                                                                                                                                                    |
| Access: Organizations Read                                   | Grants read access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/).                                                                                                                                                                                                                                                  |
| Access: Organizations Revoke                                 | Grants ability to [revoke user sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions) in a Zero Trust organization.                                                                                                                                                                                                                 |
| Access: Organizations Write                                  | Grants write access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/).                                                                                                                                                                                                                                                 |
| Access: Organizations, Identity Providers, and Groups Read   | Grants read access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/), [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/), and [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/).  |
| Access: Organizations, Identity Providers, and Groups Revoke | Grants ability to [revoke users](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#revoke-a-user) from your Zero Trust organization.                                                                                                                                                                                                                                     |
| Access: Organizations, Identity Providers, and Groups Write  | Grants write access to [Zero Trust Organization settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/organizations/methods/list/), [Cloudflare One identity providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/), and [Cloudflare Access rule groups](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/groups/). |
| Access: Policies Read                                        | Grants read access to [Cloudflare Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/).                                                                                                                                                                                                                                                                 |
| Access: Policies Write                                       | Grants write access to [Cloudflare Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/).                                                                                                                                                                                                                                                                |
| Access: Policy Test Read                                     | Grants read access to Cloudflare Access policy test [results](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/subresources/policy%5Ftests/subresources/users/methods/list/) and [status](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/subresources/policy%5Ftests/methods/get/).         |
| Access: Policy Test Write                                    | Grants access to [test Cloudflare Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#test-your-policies).                                                                                                                                                                                                                                              |
| Access: Population Read                                      | Grants read access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access.                                                                                                                                                                                                                         |
| Access: Population Write                                     | Grants write access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access.                                                                                                                                                                                                                        |
| Access: SCIM Logs Read                                       | Grants read access to [Cloudflare Access SCIM provisioning logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/scim-logs/).                                                                                                                                                                                                                                                       |
| Access: Service Tokens Read                                  | Grants read access to [Cloudflare Access service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).                                                                                                                                                                                                                                                   |
| Access: Service Tokens Write                                 | Grants write access to [Cloudflare Access service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).                                                                                                                                                                                                                                                  |
| Access: SSH Auditing Read                                    | Grants read access to [Cloudflare Access SSH CAs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).                                                                                                                                                                                                                               |
| Access: SSH Auditing Write                                   | Grants write access to [Cloudflare Access SSH CAs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/).                                                                                                                                                                                                                              |
| Access: Tags Read                                            | Grants read access to [Cloudflare Access tags](https://developers.cloudflare.com/cloudflare-one/reusable-components/tags/).                                                                                                                                                                                                                                                                                       |
| Access: Tags Write                                           | Grants write access to [Cloudflare Access tags](https://developers.cloudflare.com/cloudflare-one/reusable-components/tags/).                                                                                                                                                                                                                                                                                      |
| Access: Users Read                                           | Grants read access to [users in a Zero Trust organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/).                                                                                                                                                                                                                                                                           |
| Access: Users Write                                          | Grants access to update a user's name in a Zero Trust organization.                                                                                                                                                                                                                                                                                                                                               |
| Account Analytics Read                                       | Grants read access to [account analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/account-analytics/).                                                                                                                                                                                                                                                                             |
| Account Custom Pages Read                                    | Grants read access to account-level [Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                                                                                                                                                                                                                                                                        |
| Account Custom Pages Write                                   | Grants write access to account-level [Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                                                                                                                                                                                                                                                                       |
| Account Rule Lists Read                                      | Grants read access to Account Filter Lists.                                                                                                                                                                                                                                                                                                                                                                       |
| Account Rule Lists Write                                     | Grants write access to Account Filter Lists.                                                                                                                                                                                                                                                                                                                                                                      |
| Account Firewall Access Rules Read                           | Grants read access to account firewall access rules.                                                                                                                                                                                                                                                                                                                                                              |
| Account Firewall Access Rules Write                          | Grants write access to account firewall access rules.                                                                                                                                                                                                                                                                                                                                                             |
| Account Rulesets Read                                        | Grants read access to [Account Rulesets](https://developers.cloudflare.com/ruleset-engine/about/rulesets/).                                                                                                                                                                                                                                                                                                       |
| Account Rulesets Write                                       | Grants write access to [Account Rulesets](https://developers.cloudflare.com/ruleset-engine/about/rulesets/).                                                                                                                                                                                                                                                                                                      |
| Account Security Center Insights                             | Grants read access to [Security Center Insights](https://developers.cloudflare.com/security-center/security-insights/).                                                                                                                                                                                                                                                                                           |
| Account Security Center Insights Write                       | Grants write access to [Security Center Insights](https://developers.cloudflare.com/security-center/security-insights/).                                                                                                                                                                                                                                                                                          |
| Account Settings Read                                        | Grants read access to [Account resources, account membership, and account level features](https://developers.cloudflare.com/fundamentals/account/).                                                                                                                                                                                                                                                               |
| Account Settings Write                                       | Grants write access to [Account resources, account membership, and account level features](https://developers.cloudflare.com/fundamentals/account/).                                                                                                                                                                                                                                                              |
| Account: SSL and Certificates Read                           | Grants read access to [SSL and Certificates](https://developers.cloudflare.com/ssl/).                                                                                                                                                                                                                                                                                                                             |
| Account: SSL and Certificates Write                          | Grants write access to [SSL and Certificates](https://developers.cloudflare.com/ssl/).                                                                                                                                                                                                                                                                                                                            |
| Account WAF Read                                             | Grants read access to [Account WAF](https://developers.cloudflare.com/waf/).                                                                                                                                                                                                                                                                                                                                      |
| Account WAF Write                                            | Grants write access to [Account WAF](https://developers.cloudflare.com/waf/).                                                                                                                                                                                                                                                                                                                                     |
| Address Maps Write                                           | Grants write access to [Address Maps](https://developers.cloudflare.com/byoip/address-maps/)                                                                                                                                                                                                                                                                                                                      |
| Address Maps Read                                            | Grants read access to [Address Maps](https://developers.cloudflare.com/byoip/address-maps/)                                                                                                                                                                                                                                                                                                                       |
| AI Gateway Edit                                              | Grants edit access to [AI Gateway](https://developers.cloudflare.com/ai-gateway/)                                                                                                                                                                                                                                                                                                                                 |
| AI Gateway Read                                              | Grants read access to [AI Gateway](https://developers.cloudflare.com/ai-gateway/)                                                                                                                                                                                                                                                                                                                                 |
| AI Gateway Run                                               | Grants run access to [Non-realtime WebSockets API](https://developers.cloudflare.com/ai-gateway/usage/websockets-api/non-realtime-api/)                                                                                                                                                                                                                                                                           |
| Allow Request Tracer Read                                    | Grants read access to Request Tracer.                                                                                                                                                                                                                                                                                                                                                                             |
| Account API Gateway Read                                     | Grants read access to [API Gateway (including API Shield)](https://developers.cloudflare.com/api-shield/) for all domains in an account.                                                                                                                                                                                                                                                                          |
| Account API Gateway Write                                    | Grants write access to [API Gateway (including API Shield)](https://developers.cloudflare.com/api-shield/) for all domains in an account.                                                                                                                                                                                                                                                                         |
| Billing Read                                                 | Grants read access to [billing profile, subscriptions, and access to fetch invoices](https://developers.cloudflare.com/billing/) and entitlements.                                                                                                                                                                                                                                                                |
| Billing Write                                                | Grants write access to [billing profile, subscriptions, and access to fetch invoices and entitlements](https://developers.cloudflare.com/billing/).                                                                                                                                                                                                                                                               |
| Mass URL Redirects Read                                      | Grants read access to [Bulk Redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/).                                                                                                                                                                                                                                                                                                   |
| Mass URL Redirects Write                                     | Grants write access to [Bulk Redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/).                                                                                                                                                                                                                                                                                                  |
| China Network Steering Read                                  | Grants read access to [China Network Steering](https://developers.cloudflare.com/china-network/).                                                                                                                                                                                                                                                                                                                 |
| China Network Steering Write                                 | Grants write access to [China Network Steering](https://developers.cloudflare.com/china-network/).                                                                                                                                                                                                                                                                                                                |
| Cloudchamber Read                                            | Grants read access to Cloudchamber deployments.                                                                                                                                                                                                                                                                                                                                                                   |
| Cloudchamber Write                                           | Grants write access to Cloudchamber deployments.                                                                                                                                                                                                                                                                                                                                                                  |
| Realtime Read                                                | Grants read access to Cloudflare Realtime.                                                                                                                                                                                                                                                                                                                                                                        |
| Realtime Write                                               | Grants write access to Cloudflare Realtime.                                                                                                                                                                                                                                                                                                                                                                       |
| Cloudflare CASB Read                                         | Grants read access to [Cloud Access Security Broker](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).                                                                                                                                                                                                                                                                                  |
| Cloudflare CASB Write                                        | Grants write access to [Cloud Access Security Broker](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/).                                                                                                                                                                                                                                                                                 |
| Cloudflare DEX Read                                          | Grants read access to [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/).                                                                                                                                                                                                                                                                                            |
| Cloudflare DEX Write                                         | Grants write access to [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/).                                                                                                                                                                                                                                                                                           |
| Images Read                                                  | Grants read access to [Cloudflare Images](https://developers.cloudflare.com/images/).                                                                                                                                                                                                                                                                                                                             |
| Images Write                                                 | Grants write access to [Cloudflare Images](https://developers.cloudflare.com/images/).                                                                                                                                                                                                                                                                                                                            |
| Cloudflare One Connector: cloudflared Read                   | Grants read access to [cloudflared connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)                                                                                                                                                                                                                                                                           |
| Cloudflare One Connector: cloudflared Write                  | Grants write access to [cloudflared connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)                                                                                                                                                                                                                                                                          |
| Cloudflare One Connector: WARP Read                          | Grants read access to [WARP Connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/)                                                                                                                                                                                                                                                       |
| Cloudflare One Connector: WARP Write                         | Grants write access to [WARP Connectors](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/)                                                                                                                                                                                                                                                      |
| Cloudflare One Connectors Read                               | Grants read access to Cloudflare One connectors                                                                                                                                                                                                                                                                                                                                                                   |
| Cloudflare One Connectors Write                              | Grants write access to Cloudflare One connectors                                                                                                                                                                                                                                                                                                                                                                  |
| Cloudflare One Networks Read                                 | Grants read access to Cloudflare One routes and virtual networks                                                                                                                                                                                                                                                                                                                                                  |
| Cloudflare One Networks Write                                | Grants write access to Cloudflare One routes and virtual networks                                                                                                                                                                                                                                                                                                                                                 |
| Pages Read                                                   | Grants access to view [Cloudflare Pages](https://developers.cloudflare.com/pages/) projects.                                                                                                                                                                                                                                                                                                                      |
| Pages Write                                                  | Grants access to create, edit and delete [Cloudflare Pages](https://developers.cloudflare.com/pages/) projects.                                                                                                                                                                                                                                                                                                   |
| Cloudflare Tunnel Read                                       | Grants access to view [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).                                                                                                                                                                                                                                                                              |
| Cloudflare Tunnel Write                                      | Grants access to create and delete [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).                                                                                                                                                                                                                                                                 |
| Cloudforce One Read                                          | Grants read access to Cloudforce One.                                                                                                                                                                                                                                                                                                                                                                             |
| Cloudforce One Write                                         | Grants write access to Cloudforce One.                                                                                                                                                                                                                                                                                                                                                                            |
| Cloud Email Security: Read                                   | Grants read access to [Cloud Email Security](https://developers.cloudflare.com/email-security/).                                                                                                                                                                                                                                                                                                                  |
| Cloud Email Security: Write                                  | Grants write access to [Email Security](https://developers.cloudflare.com/email-security/).                                                                                                                                                                                                                                                                                                                       |
| Constellation Read                                           | Grants read access to [Constellation](https://developers.cloudflare.com/constellation/).                                                                                                                                                                                                                                                                                                                          |
| Constellation Write                                          | Grants write access to [Constellation](https://developers.cloudflare.com/constellation/).                                                                                                                                                                                                                                                                                                                         |
| Containers Read                                              | Grants read access to [Containers](https://developers.cloudflare.com/containers/).                                                                                                                                                                                                                                                                                                                                |
| Containers Write                                             | Grants write access to [Containers](https://developers.cloudflare.com/containers/).                                                                                                                                                                                                                                                                                                                               |
| D1 Read                                                      | Grants read access to [D1](https://developers.cloudflare.com/d1/).                                                                                                                                                                                                                                                                                                                                                |
| D1 Write                                                     | Grants write access to [D1](https://developers.cloudflare.com/d1/).                                                                                                                                                                                                                                                                                                                                               |
| DDoS Botnet Feed Read                                        | Grants read access to Botnet Feed reports.                                                                                                                                                                                                                                                                                                                                                                        |
| DDoS Botnet Feed Write                                       | Grants write access to Botnet Feed configuration.                                                                                                                                                                                                                                                                                                                                                                 |
| DDoS Protection Read                                         | Grants read access to [DDoS protection](https://developers.cloudflare.com/ddos-protection/).                                                                                                                                                                                                                                                                                                                      |
| DDoS Protection Write                                        | Grants write access to [DDoS protection](https://developers.cloudflare.com/ddos-protection/).                                                                                                                                                                                                                                                                                                                     |
| DNS Firewall Read                                            | Grants read access to [DNS Firewall](https://developers.cloudflare.com/dns/dns-firewall/).                                                                                                                                                                                                                                                                                                                        |
| DNS Firewall Write                                           | Grants write access to [DNS Firewall](https://developers.cloudflare.com/dns/dns-firewall/).                                                                                                                                                                                                                                                                                                                       |
| Email Routing Addresses Read                                 | Grants read access to [Email Routing Addresses](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                                                                                                                                                                                                                                                                  |
| Email Routing Addresses Write                                | Grants write access to [Email Routing Addresses](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                                                                                                                                                                                                                                                                 |
| Hyperdrive Read                                              | Grants read access to [Hyperdrive](https://developers.cloudflare.com/hyperdrive/).                                                                                                                                                                                                                                                                                                                                |
| Hyperdrive Write                                             | Grants write access to [Hyperdrive](https://developers.cloudflare.com/hyperdrive/).                                                                                                                                                                                                                                                                                                                               |
| Intel Read                                                   | Grants read access to [Intel](https://developers.cloudflare.com/security-center/intel-apis/).                                                                                                                                                                                                                                                                                                                     |
| Intel Write                                                  | Grants write access to [Intel](https://developers.cloudflare.com/security-center/intel-apis/).                                                                                                                                                                                                                                                                                                                    |
| Integration Write                                            | Grants write access to integrations.                                                                                                                                                                                                                                                                                                                                                                              |
| IOT Read                                                     | Grants read access to [IOT ↗](https://blog.cloudflare.com/rethinking-internet-of-things-security/).                                                                                                                                                                                                                                                                                                               |
| IOT Write                                                    | Grants write access to [IOT ↗](https://blog.cloudflare.com/rethinking-internet-of-things-security/).                                                                                                                                                                                                                                                                                                              |
| IP Prefixes: Read                                            | Grants access to read IP prefix settings.                                                                                                                                                                                                                                                                                                                                                                         |
| IP Prefixes: Write                                           | Grants access to read/write IP prefix settings.                                                                                                                                                                                                                                                                                                                                                                   |
| IP Prefixes: BGP On Demand Read                              | Grants access to read IP prefix BGP configuration.                                                                                                                                                                                                                                                                                                                                                                |
| IP Prefixes: BGP On Demand Write                             | Grants access to read and change IP prefix BGP configuration.                                                                                                                                                                                                                                                                                                                                                     |
| L4 DDoS Managed Ruleset Read                                 | Grants read access to [L3/4 DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/).                                                                                                                                                                                                                                                                                   |
| L4 DDoS Managed Ruleset Write                                | Grants write access to [L3/4 DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/).                                                                                                                                                                                                                                                                                  |
| Load Balancing: Monitors and Pools Read                      | Grants read access to account level [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                                                                                                                                                                                                                                                                 |
| Load Balancing: Monitors and Pools Write                     | Grants write access to account level [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                                                                                                                                                                                                                                                                |
| Logs Read                                                    | Grants read access to logs using [Logpull or Instant Logs](https://developers.cloudflare.com/logs/).                                                                                                                                                                                                                                                                                                              |
| Logs Write                                                   | Grants read and write access to [Logpull, Logpush, and Instant Logs](https://developers.cloudflare.com/logs/).                                                                                                                                                                                                                                                                                                    |
| Magic Firewall Read                                          | Grants read access to [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/).                                                                                                                                                                                                                                                                                              |
| Magic Firewall Write                                         | Grants write access to [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/).                                                                                                                                                                                                                                                                                             |
| Magic Firewall Packet Captures - Read PCAPs API              | Grants read access to [Packet Captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/).                                                                                                                                                                                                                                                                            |
| Magic Firewall Packet Captures - Write PCAPs API             | Grants write access to [Packet Captures](https://developers.cloudflare.com/cloudflare-network-firewall/packet-captures/collect-pcaps/).                                                                                                                                                                                                                                                                           |
| Magic Network Monitoring Read                                | Grants read access to [Network Flow](https://developers.cloudflare.com/network-flow/).                                                                                                                                                                                                                                                                                                                            |
| Magic Network Monitoring Write                               | Grants write access to [Network Flow](https://developers.cloudflare.com/network-flow/).                                                                                                                                                                                                                                                                                                                           |
| Magic Transit Read                                           | Grants read access to manage a user's [Magic Transit prefixes](https://developers.cloudflare.com/magic-transit/how-to/advertise-prefixes/).                                                                                                                                                                                                                                                                       |
| Magic Transit Write                                          | Grants write access to manage a user's [Magic Transit prefixes](https://developers.cloudflare.com/magic-transit/how-to/advertise-prefixes/).                                                                                                                                                                                                                                                                      |
| Notifications Read                                           | Grants read access to [Notifications](https://developers.cloudflare.com/notifications/).                                                                                                                                                                                                                                                                                                                          |
| Notifications Write                                          | Grants write access to [Notifications](https://developers.cloudflare.com/notifications/).                                                                                                                                                                                                                                                                                                                         |
| Page Shield Read                                             | Grants read access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                                                                                                                                                                                                                                                                          |
| Page Shield Write                                            | Grants write access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                                                                                                                                                                                                                                                                         |
| Pipelines Read                                               | Grants read access to Cloudflare Pipelines.                                                                                                                                                                                                                                                                                                                                                                       |
| Pipelines Write                                              | Grants write access to Cloudflare Pipelines.                                                                                                                                                                                                                                                                                                                                                                      |
| Queues Read                                                  | Grants read access to [Queues](https://developers.cloudflare.com/queues/).                                                                                                                                                                                                                                                                                                                                        |
| Queues Write                                                 | Grants write access to [Queues](https://developers.cloudflare.com/queues/).                                                                                                                                                                                                                                                                                                                                       |
| Rule Policies Read                                           | Grants read access to Rule Policies.                                                                                                                                                                                                                                                                                                                                                                              |
| Rule Policies Write                                          | Grants write access to Rule Policies.                                                                                                                                                                                                                                                                                                                                                                             |
| Stream Read                                                  | Grants read access to [Cloudflare Stream](https://developers.cloudflare.com/stream/).                                                                                                                                                                                                                                                                                                                             |
| Stream Write                                                 | Grants write access to [Cloudflare Stream](https://developers.cloudflare.com/stream/).                                                                                                                                                                                                                                                                                                                            |
| Transform Rules Read                                         | Grants read access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                                                                                                                                                                                                                                                                      |
| Transform Rules Write                                        | Grants write access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                                                                                                                                                                                                                                                                     |
| Turnstile Read                                               | Grants read access to [Turnstile](https://developers.cloudflare.com/turnstile/).                                                                                                                                                                                                                                                                                                                                  |
| Turnstile Write                                              | Grants write access to [Turnstile](https://developers.cloudflare.com/turnstile/).                                                                                                                                                                                                                                                                                                                                 |
| URL Scanner Read                                             | Grants read access to [URL Scanner](https://developers.cloudflare.com/radar/investigate/url-scanner/).                                                                                                                                                                                                                                                                                                            |
| URL Scanner Write                                            | Grants write access to [URL Scanner](https://developers.cloudflare.com/radar/investigate/url-scanner/).                                                                                                                                                                                                                                                                                                           |
| Vectorize Read                                               | Grants read access to [Vectorize](https://developers.cloudflare.com/vectorize/).                                                                                                                                                                                                                                                                                                                                  |
| Vectorize Write                                              | Grants write access to [Vectorize](https://developers.cloudflare.com/vectorize/).                                                                                                                                                                                                                                                                                                                                 |
| Workers AI Read                                              | Grants read access to [Workers AI](https://developers.cloudflare.com/workers-ai/).                                                                                                                                                                                                                                                                                                                                |
| Workers AI Write                                             | Grants write access to [Workers AI](https://developers.cloudflare.com/workers-ai/).                                                                                                                                                                                                                                                                                                                               |
| Workers CI Read                                              | Grants read access to [Workers CI](https://developers.cloudflare.com/workers/).                                                                                                                                                                                                                                                                                                                                   |
| Workers CI Write                                             | Grants write access to [Workers CI](https://developers.cloudflare.com/workers).                                                                                                                                                                                                                                                                                                                                   |
| Workers KV Storage Read                                      | Grants read access to [Cloudflare Workers KV Storage](https://developers.cloudflare.com/kv/api/).                                                                                                                                                                                                                                                                                                                 |
| Workers KV Storage Write                                     | Grants write access to [Cloudflare Workers KV Storage](https://developers.cloudflare.com/kv/api/).                                                                                                                                                                                                                                                                                                                |
| Workers R2 Storage Read                                      | Grants read access to [Cloudflare R2 Storage](https://developers.cloudflare.com/r2/).                                                                                                                                                                                                                                                                                                                             |
| Workers R2 Storage Write                                     | Grants write access to [Cloudflare R2 Storage](https://developers.cloudflare.com/r2/).                                                                                                                                                                                                                                                                                                                            |
| Workers Scripts Read                                         | Grants read access to [Cloudflare Workers scripts](https://developers.cloudflare.com/workers/).                                                                                                                                                                                                                                                                                                                   |
| Workers Scripts Write                                        | Grants write access to [Cloudflare Workers scripts](https://developers.cloudflare.com/workers/).                                                                                                                                                                                                                                                                                                                  |
| Workers Tail Read                                            | Grants [wrangler tail](https://developers.cloudflare.com/workers/wrangler/commands/general/#tail) read permissions.                                                                                                                                                                                                                                                                                               |
| Zero Trust Read                                              | Grants read access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) resources.                                                                                                                                                                                                                                                                                                       |
| Zero Trust Report                                            | Grants reporting access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/).                                                                                                                                                                                                                                                                                                            |
| Zero Trust Write                                             | Grants write access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) resources.                                                                                                                                                                                                                                                                                                      |
| Zero Trust: PII Read                                         | Grants read access to [Cloudflare Zero Trust](https://developers.cloudflare.com/cloudflare-one/) PII.                                                                                                                                                                                                                                                                                                             |
| Zero Trust: Seats Write                                      | Grants write access to the number of [Zero Trust seats](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/) your organization can use (and be billed for).                                                                                                                                                                                                                |

## Zone permissions

The applicable scope of zone permissions is `com.cloudflare.api.account.zone`.

The first table below lists the permission names as shown in the dashboard; the second lists the corresponding names used by the API.

| Name                               | Description                                                                                                                                                  |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Access: Apps and Policies Read     | Grants read access to [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) zone resources.                        |
| Access: Apps and Policies Revoke   | Grants ability to revoke all tokens to [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) zone resources.       |
| Access: Apps and Policies Edit     | Grants write access to [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) zone resources.                       |
| Analytics Read                     | Grants read access to [analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/zone-analytics/).                                   |
| API Gateway Read                   | Grants read access to [API Gateway](https://developers.cloudflare.com/api-shield/) zone resources.                                                           |
| API Gateway Edit                   | Grants write access to [API Gateway](https://developers.cloudflare.com/api-shield/) zone resources.                                                          |
| Apps Edit                          | Grants full access to Cloudflare Apps (deprecated, refer to [Workers](https://developers.cloudflare.com/workers/) instead).                                  |
| Bot Management Read                | Grants read access to [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/).                                                       |
| Bot Management Edit                | Grants write access to [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/).                                                      |
| Bot Management Feedback Read       | Grants read access to [Bot Management feedback](https://developers.cloudflare.com/bots/concepts/feedback-loop/).                                             |
| Bot Management Feedback Edit       | Grants write access to [Bot Management feedback](https://developers.cloudflare.com/bots/concepts/feedback-loop/).                                            |
| Cache Purge                        | Grants access to [purge cache](https://developers.cloudflare.com/cache/how-to/purge-cache/).                                                                 |
| Cache Rules Read                   | Grants read access to [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/).                                                            |
| Cache Rules Edit                   | Grants write access to [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/).                                                           |
| Cloud Connector Read               | Grants read access to [Cloud Connector rules](https://developers.cloudflare.com/rules/cloud-connector/).                                                     |
| Cloud Connector Edit               | Grants write access to [Cloud Connector rules](https://developers.cloudflare.com/rules/cloud-connector/).                                                    |
| Config Rules Read                  | Grants read access to [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/).                                                   |
| Config Rules Edit                  | Grants write access to [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/).                                                  |
| Custom Error Rules Read            | Grants read access to [Custom Error Rules](https://developers.cloudflare.com/rules/custom-errors/).                                                          |
| Custom Error Rules Edit            | Grants write access to [Custom Error Rules](https://developers.cloudflare.com/rules/custom-errors/).                                                         |
| Custom Pages Read                  | Grants read access to [Custom Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                          |
| Custom Pages Edit                  | Grants write access to [Custom Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                         |
| Dmarc Management Read              | Grants read access to [DMARC Management](https://developers.cloudflare.com/dmarc-management/).                                                               |
| Dmarc Management Edit              | Grants write access to [DMARC Management](https://developers.cloudflare.com/dmarc-management/).                                                              |
| DNS Read                           | Grants read access to [DNS](https://developers.cloudflare.com/dns/).                                                                                         |
| DNS Write                          | Grants write access to [DNS](https://developers.cloudflare.com/dns/).                                                                                        |
| Email Routing Rules Read           | Grants read access to [Email Routing Rules](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                 |
| Email Routing Rules Edit           | Grants write access to [Email Routing Rules](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                |
| Firewall Services Read             | Grants read access to Firewall resources.                                                                                                                    |
| Firewall Services Edit             | Grants write access to Firewall resources.                                                                                                                   |
| Health Checks Read                 | Grants read access to [Health Checks](https://developers.cloudflare.com/health-checks/).                                                                     |
| Health Checks Edit                 | Grants write access to [Health Checks](https://developers.cloudflare.com/health-checks/).                                                                    |
| HTTP DDoS Managed Ruleset Read     | Grants read access to [HTTP DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/).                                 |
| HTTP DDoS Managed Ruleset Edit     | Grants write access to [HTTP DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/).                                |
| Load Balancers Read                | Grants read access to [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                          |
| Load Balancers Edit                | Grants write access to [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                         |
| Logs Read                          | Grants read access to logs using [Logpull](https://developers.cloudflare.com/logs/).                                                                         |
| Logs Edit                          | Grants write access to [Logpull and Logpush](https://developers.cloudflare.com/logs/).                                                                       |
| Managed Headers Read               | Grants read access to [Managed Headers](https://developers.cloudflare.com/rules/transform/managed-transforms/).                                              |
| Managed Headers Edit               | Grants write access to [Managed Headers](https://developers.cloudflare.com/rules/transform/managed-transforms/).                                             |
| Origin Rules Read                  | Grants read access to [Origin Rules](https://developers.cloudflare.com/rules/origin-rules/).                                                                 |
| Origin Rules Edit                  | Grants write access to [Origin Rules](https://developers.cloudflare.com/rules/origin-rules/).                                                                |
| Page Rules Read                    | Grants read access to [Page Rules](https://developers.cloudflare.com/rules/page-rules/).                                                                     |
| Page Rules Edit                    | Grants write access to [Page Rules](https://developers.cloudflare.com/rules/page-rules/).                                                                    |
| Client-side security Read          | Grants read access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                     |
| Client-side security Edit          | Grants write access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                    |
| Response Compression Read          | Grants read access to [Response Compression](https://developers.cloudflare.com/rules/compression-rules/).                                                    |
| Response Compression Edit          | Grants write access to [Response Compression](https://developers.cloudflare.com/rules/compression-rules/).                                                   |
| Sanitize Read                      | Grants read access to sanitization.                                                                                                                          |
| Sanitize Edit                      | Grants write access to sanitization.                                                                                                                         |
| Single Redirect Read               | Grants read access to zone-level [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/).                               |
| Single Redirect Edit               | Grants write access to zone-level [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/).                              |
| SSL and Certificates Read          | Grants read access to [SSL configuration and certificate management](https://developers.cloudflare.com/ssl/).                                                |
| SSL and Certificates Edit          | Grants write access to [SSL configuration and certificate management](https://developers.cloudflare.com/ssl/).                                               |
| Transform Rules Read               | Grants read access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                 |
| Transform Rules Edit               | Grants write access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                |
| Waiting Room Read                  | Grants read access to [Waiting Room](https://developers.cloudflare.com/waiting-room/).                                                                       |
| Waiting Room Edit                  | Grants write access to [Waiting Room](https://developers.cloudflare.com/waiting-room/).                                                                      |
| Web3 Hostnames Read                | Grants read access to [Web3 Hostnames](https://developers.cloudflare.com/web3/).                                                                             |
| Web3 Hostnames Edit                | Grants write access to [Web3 Hostnames](https://developers.cloudflare.com/web3/).                                                                            |
| Workers Routes Read                | Grants read access to [Cloudflare Workers](https://developers.cloudflare.com/workers/) and [Workers KV Storage](https://developers.cloudflare.com/kv/api/).  |
| Workers Routes Edit                | Grants write access to [Cloudflare Workers](https://developers.cloudflare.com/workers/) and [Workers KV Storage](https://developers.cloudflare.com/kv/api/). |
| Zaraz Read                         | Grants read access to [Zaraz](https://developers.cloudflare.com/zaraz/) zone-level settings.                                                                 |
| Zaraz Edit                         | Grants write access to [Zaraz](https://developers.cloudflare.com/zaraz/) zone-level settings.                                                                |
| Zone Read                          | Grants read access to zone management.                                                                                                                       |
| Zone Edit                          | Grants write access to zone management.                                                                                                                      |
| Zone Security Center Insights      | Grants read access to zone-level [Security Center Insights](https://developers.cloudflare.com/security-center/security-insights/).                           |
| Zone Security Center Insights Edit | Grants write access to zone-level [Security Center Zone Insights](https://developers.cloudflare.com/security-center/security-insights/).                     |
| Zone Settings Read                 | Grants read access to zone settings.                                                                                                                         |
| Zone Settings Edit                 | Grants write access to zone settings.                                                                                                                        |
| Zone Versioning Read               | Grants read access to [Zone Versioning](https://developers.cloudflare.com/version-management/) at zone level.                                                |
| Zone Versioning Edit               | Grants write access to [Zone Versioning](https://developers.cloudflare.com/version-management/) at zone level.                                               |
| Zone WAF Read                      | Grants read access to [Zone WAF](https://developers.cloudflare.com/waf/).                                                                                    |
| Zone WAF Edit                      | Grants write access to [Zone WAF](https://developers.cloudflare.com/waf/).                                                                                   |

| Name                                | Description                                                                                                                                                  |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Access: Apps and Policies Read      | Grants read access to [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) zone resources.                        |
| Access: Apps and Policies Revoke    | Grants ability to revoke all tokens to [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) zone resources.       |
| Access: Apps and Policies Write     | Grants write access to [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) zone resources.                       |
| Analytics Read                      | Grants read access to [analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/zone-analytics/).                                   |
| Domain API Gateway Read             | Grants read access to [API Gateway](https://developers.cloudflare.com/api-shield/) zone resources.                                                           |
| Domain API Gateway Write            | Grants write access to [API Gateway](https://developers.cloudflare.com/api-shield/) zone resources.                                                          |
| Apps Write                          | Grants full access to Cloudflare Apps (deprecated, refer to [Workers](https://developers.cloudflare.com/workers/) instead).                                  |
| Bot Management Read                 | Grants read access to [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/).                                                       |
| Bot Management Write                | Grants write access to [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/).                                                      |
| Bot Management Feedback Read        | Grants read access to [Bot Management feedback](https://developers.cloudflare.com/bots/concepts/feedback-loop/).                                             |
| Bot Management Feedback Write       | Grants write access to [Bot Management feedback](https://developers.cloudflare.com/bots/concepts/feedback-loop/).                                            |
| Cache Purge                         | Grants access to [purge cache](https://developers.cloudflare.com/cache/how-to/purge-cache/).                                                                 |
| Cache Settings Read                 | Grants read access to [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/).                                                            |
| Cache Settings Write                | Grants write access to [Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/).                                                           |
| Cloud Connector Read                | Grants read access to [Cloud Connector rules](https://developers.cloudflare.com/rules/cloud-connector/).                                                     |
| Cloud Connector Write               | Grants write access to [Cloud Connector rules](https://developers.cloudflare.com/rules/cloud-connector/).                                                    |
| Config Settings Read                | Grants read access to [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/).                                                   |
| Config Settings Write               | Grants write access to [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/).                                                  |
| Custom Errors Read                  | Grants read access to [Custom Error Rules](https://developers.cloudflare.com/rules/custom-errors/).                                                          |
| Custom Errors Write                 | Grants write access to [Custom Error Rules](https://developers.cloudflare.com/rules/custom-errors/).                                                         |
| Custom Pages Read                   | Grants read access to [Custom Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                          |
| Custom Pages Write                  | Grants write access to [Custom Error Pages](https://developers.cloudflare.com/rules/custom-errors/).                                                         |
| Email Security DMARC Reports Read   | Grants read access to [DMARC Management](https://developers.cloudflare.com/dmarc-management/).                                                               |
| Email Security DMARC Reports Write  | Grants write access to [DMARC Management](https://developers.cloudflare.com/dmarc-management/).                                                              |
| DNS Read                            | Grants read access to [DNS](https://developers.cloudflare.com/dns/).                                                                                         |
| DNS Write                           | Grants write access to [DNS](https://developers.cloudflare.com/dns/).                                                                                        |
| Email Routing Rules Read            | Grants read access to [Email Routing Rules](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                 |
| Email Routing Rules Write           | Grants write access to [Email Routing Rules](https://developers.cloudflare.com/email-routing/setup/email-routing-addresses/).                                |
| Firewall Services Read              | Grants read access to Firewall resources.                                                                                                                    |
| Firewall Services Write             | Grants write access to Firewall resources.                                                                                                                   |
| Health Checks Read                  | Grants read access to [Health Checks](https://developers.cloudflare.com/health-checks/).                                                                     |
| Health Checks Write                 | Grants write access to [Health Checks](https://developers.cloudflare.com/health-checks/).                                                                    |
| HTTP DDoS Managed Ruleset Read      | Grants read access to [HTTP DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/).                                 |
| HTTP DDoS Managed Ruleset Write     | Grants write access to [HTTP DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/).                                |
| Load Balancers Read                 | Grants read access to [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                          |
| Load Balancers Write                | Grants write access to [load balancer resources](https://developers.cloudflare.com/load-balancing/).                                                         |
| Logs Read                           | Grants read access to logs using [Logpull](https://developers.cloudflare.com/logs/).                                                                         |
| Logs Write                          | Grants write access to [Logpull and Logpush](https://developers.cloudflare.com/logs/).                                                                       |
| Managed headers Read                | Grants read access to [Managed Headers](https://developers.cloudflare.com/rules/transform/managed-transforms/).                                              |
| Managed headers Write               | Grants write access to [Managed Headers](https://developers.cloudflare.com/rules/transform/managed-transforms/).                                             |
| Origin Read                         | Grants read access to [Origin Rules](https://developers.cloudflare.com/rules/origin-rules/).                                                                 |
| Origin Write                        | Grants write access to [Origin Rules](https://developers.cloudflare.com/rules/origin-rules/).                                                                |
| Page Rules Read                     | Grants read access to [Page Rules](https://developers.cloudflare.com/rules/page-rules/).                                                                     |
| Page Rules Write                    | Grants write access to [Page Rules](https://developers.cloudflare.com/rules/page-rules/).                                                                    |
| Domain Page Shield Read             | Grants read access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                     |
| Domain Page Shield Write            | Grants write access to [client-side security](https://developers.cloudflare.com/client-side-security/) (previously known as Page Shield).                    |
| Response Compression Read           | Grants read access to [Response Compression](https://developers.cloudflare.com/rules/compression-rules/).                                                    |
| Response Compression Write          | Grants write access to [Response Compression](https://developers.cloudflare.com/rules/compression-rules/).                                                   |
| Sanitize Read                       | Grants read access to sanitization.                                                                                                                          |
| Sanitize Write                      | Grants write access to sanitization.                                                                                                                         |
| Dynamic URL Redirects Read          | Grants read access to zone-level [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/).                               |
| Dynamic URL Redirects Write         | Grants write access to zone-level [Single Redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/).                              |
| SSL and Certificates Read           | Grants read access to [SSL configuration and certificate management](https://developers.cloudflare.com/ssl/).                                                |
| SSL and Certificates Write          | Grants write access to [SSL configuration and certificate management](https://developers.cloudflare.com/ssl/).                                               |
| Zone Transform Rules Read           | Grants read access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                 |
| Zone Transform Rules Write          | Grants write access to [Transform Rules](https://developers.cloudflare.com/rules/transform/).                                                                |
| Waiting Rooms Read                  | Grants read access to [Waiting Room](https://developers.cloudflare.com/waiting-room/).                                                                       |
| Waiting Rooms Write                 | Grants write access to [Waiting Room](https://developers.cloudflare.com/waiting-room/).                                                                      |
| Web3 Hostnames Read                 | Grants read access to [Web3 Hostnames](https://developers.cloudflare.com/web3/).                                                                             |
| Web3 Hostnames Write                | Grants write access to [Web3 Hostnames](https://developers.cloudflare.com/web3/).                                                                            |
| Workers Routes Read                 | Grants read access to [Cloudflare Workers](https://developers.cloudflare.com/workers/) and [Workers KV Storage](https://developers.cloudflare.com/kv/api/).  |
| Workers Routes Write                | Grants write access to [Cloudflare Workers](https://developers.cloudflare.com/workers/) and [Workers KV Storage](https://developers.cloudflare.com/kv/api/). |
| Zaraz Read                          | Grants read access to [Zaraz](https://developers.cloudflare.com/zaraz/) zone level settings.                                                                 |
| Zaraz Write                         | Grants write access to [Zaraz](https://developers.cloudflare.com/zaraz/) zone level settings.                                                                |
| Zone Read                           | Grants read access to zone management.                                                                                                                       |
| Zone Write                          | Grants write access to zone management.                                                                                                                      |
| Zone Security Center Insights       | Grants read access to zone level [Security Center Insights](https://developers.cloudflare.com/security-center/security-insights/).                           |
| Zone Security Center Insights Write | Grants write access to zone level [Security Center Zone Insights](https://developers.cloudflare.com/security-center/security-insights/).                     |
| Zone Settings Read                  | Grants read access to zone settings.                                                                                                                         |
| Zone Settings Write                 | Grants write access to zone settings.                                                                                                                        |
| Zone Versioning Read                | Grants read access to [Zone Versioning](https://developers.cloudflare.com/version-management/) at zone level.                                                |
| Zone Versioning Write               | Grants write access to [Zone Versioning](https://developers.cloudflare.com/version-management/) at zone level.                                               |
| Zone WAF Read                       | Grants read access to [Zone WAF](https://developers.cloudflare.com/waf/).                                                                                    |
| Zone WAF Write                      | Grants write access to [Zone WAF](https://developers.cloudflare.com/waf/).                                                                                   |


---

---
title: REST API
image: https://developers.cloudflare.com/core-services-preview.png
---

# REST API


---

---
title: SDKs
description: Cloudflare offers language software development kits (SDKs) as well as curl examples to demonstrate how to use the Cloudflare API. The SDK libraries allow you to interact with the Cloudflare API in language-specific syntax and more easily integrate with your existing applications.
image: https://developers.cloudflare.com/core-services-preview.png
---

# SDKs

Cloudflare offers language software development kits (SDKs) as well as `curl` examples to demonstrate how to use the Cloudflare API. The SDK libraries allow you to interact with the Cloudflare API in language-specific syntax and more easily integrate with your existing applications.

Cloudflare currently offers the following SDKs:

* [Go ↗](https://github.com/cloudflare/cloudflare-go)
* [TypeScript ↗](https://github.com/cloudflare/cloudflare-typescript)
* [Python ↗](https://github.com/cloudflare/cloudflare-python)

## When to use cURL vs SDK

There is no definite answer on which you should use. Instead, consider your use case and determine whether cURL or an SDK is the best fit.

| Use case                                                    | cURL | SDK |
| ----------------------------------------------------------- | ---- | --- |
| Quick testing within the CLI                                | ✅    | ❌   |
| Use within bash scripts or CI                               | ✅    | ❌\* |
| Usage from within an existing application or framework      | ❌    | ✅   |
| More complex usage where you need to chain together outputs | ❌    | ✅   |

\* It is possible, although not straightforward, to use the SDKs within bash scripts or CI environments with additional runtime dependencies and setup.

## Example

The following are examples of how you would query all of the Cloudflare zones you have access to.

### With cURL:

```bash
curl "https://api.cloudflare.com/client/v4/zones" \
  --header "Authorization: Bearer <API_TOKEN>"
```

### With the TypeScript SDK:

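```js
// The SDK is published on npm as "cloudflare"; top-level await needs an ES module.
import Cloudflare from "cloudflare";

// Read the API token from the environment instead of hard-coding it.
const client = new Cloudflare({
  apiToken: process.env["CLOUDFLARE_API_TOKEN"],
});

// List the zones this token has access to.
const zones = await client.zones.list();

console.log(zones);
```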


---

---
title: API token templates
description: Explore Cloudflare's API token templates to efficiently manage permissions. Start with a template and customize token permissions and resources as needed.
image: https://developers.cloudflare.com/core-services-preview.png
---

# API token templates

Below is a table of the currently available API token templates and the default [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) they grant. You can start creating a token with one of these templates and modify the permissions and resources from there.

| Template Name                     | Permission                               | Resource            |
| --------------------------------- | ---------------------------------------- | ------------------- |
| Edit Zone DNS                     | DNS Write                                | Zone                |
| Read billing info                 | Billing Read                             | Account             |
|                                   | Account resources: Include all accounts  |                     |
| Read analytics and logs           | Analytics Read                           | Zone                |
|                                   | Logs Read                                | Zone                |
| Edit Cloudflare Workers           | Workers Routes Write                     | Zone                |
|                                   | Workers Scripts Write                    | Account             |
|                                   | Workers KV Storage Write                 | Account             |
|                                   | Workers Tail Read                        | Account             |
|                                   | Workers R2 Storage Write                 | Account             |
|                                   | Account Settings Read                    | Account             |
|                                   | User Details Read                        | User                |
|                                   | User Memberships Read                    | User                |
| Edit load balancing configuration | Load Balancing: Monitors and Pools Write | Account             |
|                                   | Load Balancers Write                     | Zone                |
| WordPress                         | Analytics Read                           | Zone                |
|                                   | Zone Read                                | Zone                |
|                                   | Zone Settings Write                      | Zone                |
|                                   | Account Settings Read                    | Account             |
|                                   | DNS Read                                 | Zone                |
|                                   | Cache Purge                              | Zone                |
|                                   | Account resources: Include all accounts  |                     |
|                                   | Zone resources: Include all zones        |                     |
| Create Additional Tokens          | API Tokens Write                         | User                |
| Read All Resources                | _(All read permissions)_                 | Account, Zone, User |
|                                   | Account resources: Include all accounts  |                     |
|                                   | Zone resources: Include all zones        |                     |


---

---
title: Wrangler API
image: https://developers.cloudflare.com/core-services-preview.png
---

# Wrangler API


---

---
title: Troubleshooting
description: Ensure the token has been verified by running the following curl command and confirming that the response returns "status": "active".
image: https://developers.cloudflare.com/core-services-preview.png
---

# Troubleshooting

## The token is not verified

Ensure the token has been verified by running the following `curl` command and confirming that the response returns `"status": "active"`.

```bash
curl "https://api.cloudflare.com/client/v4/user/tokens/verify" \
  --header "Authorization: Bearer <API_TOKEN>"
```

```json
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "f267e341f3dd4697bd3b9f71dd96247f",
    "status": "active",
    "not_before": "2018-07-01T05:20:00Z",
    "expires_on": "2020-01-01T00:00:00Z"
  }
}
```

## The token has incorrect permissions

Review the permissions groups for your token in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/profile/api-tokens). Refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) for more information.

## The incorrect syntax is used

Occasionally customers will attempt to use an API token with the API key syntax. Ensure you are sending the token with the Bearer option in the `Authorization` header rather than as the email and API key pair.
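The two checks above (token verification and request syntax), as an added example that is not code from Cloudflare's documentation or SDKs: it classifies a request's authentication headers and triages a parsed `/user/tokens/verify` response body, including its validity window. The function names and result codes are hypothetical, and the `X-Auth-Email` / `X-Auth-Key` header names are an assumption for what the page calls the email and API key pair.

```javascript
// Added example: offline triage for the two most common token problems.
// Function names and result codes are hypothetical; nothing here calls the network.

// Body copied from the verify response shown on this page.
const SAMPLE_VERIFY_BODY = {
  success: true,
  errors: [],
  messages: [],
  result: {
    id: "f267e341f3dd4697bd3b9f71dd96247f",
    status: "active",
    not_before: "2018-07-01T05:20:00Z",
    expires_on: "2020-01-01T00:00:00Z",
  },
};

// Classify how a request authenticates. Header names are case-insensitive.
function diagnoseAuthHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers || {})) {
    h[name.toLowerCase()] = String(value).trim();
  }
  // Assumption: the "email and API key pair" is sent as X-Auth-Email / X-Auth-Key.
  if ("x-auth-email" in h || "x-auth-key" in h) {
    return { ok: false, code: "key_syntax",
      hint: "API key headers found; send the token as 'Authorization: Bearer <token>'." };
  }
  const auth = h["authorization"];
  if (!auth) {
    return { ok: false, code: "no_credentials", hint: "No Authorization header present." };
  }
  const match = /^Bearer\s+(\S+)$/i.exec(auth);
  if (!match) {
    return { ok: false, code: "missing_bearer_scheme",
      hint: "Authorization must be 'Bearer' followed by the token." };
  }
  if (/^<.*>$/.test(match[1])) {
    return { ok: false, code: "placeholder_token",
      hint: "The documentation placeholder was sent instead of a real token." };
  }
  return { ok: true, code: "bearer_ok", hint: "Token syntax is correct." };
}

// null = field not set on this token, undefined = malformed timestamp.
function parseTime(value) {
  if (value === undefined || value === null) return null;
  const t = new Date(value);
  return Number.isNaN(t.getTime()) ? undefined : t;
}

// Triage a parsed verify response. `now` is injectable so the check is testable.
function diagnoseVerifyResponse(body, now = new Date()) {
  if (!body || body.success !== true || !body.result) {
    const errors = (body && Array.isArray(body.errors) ? body.errors : [])
      .map((e) => (e && e.message ? e.message : String(e)));
    return { ok: false, code: "verify_failed",
      detail: errors.join("; ") || "no result in response" };
  }
  const { status, not_before, expires_on } = body.result;
  // The page only documents "active"; any other status is reported as-is.
  if (status !== "active") {
    return { ok: false, code: "not_active", detail: `status is "${status}"` };
  }
  const notBefore = parseTime(not_before);
  const expiresOn = parseTime(expires_on);
  if (notBefore === undefined || expiresOn === undefined) {
    return { ok: false, code: "bad_timestamp", detail: "not_before or expires_on is malformed" };
  }
  // Re-check the validity window locally in case the response was captured earlier.
  if (notBefore && now < notBefore) {
    return { ok: false, code: "not_yet_valid", detail: `valid from ${not_before}` };
  }
  if (expiresOn && now >= expiresOn) {
    return { ok: false, code: "expired", detail: `expired on ${expires_on}` };
  }
  return { ok: true, code: "active",
    detail: expiresOn ? `expires on ${expires_on}` : "no expiry set" };
}

// Stand-alone demo: the request copied verbatim from the docs, then the sample body.
console.log(diagnoseAuthHeaders({ Authorization: "Bearer <API_TOKEN>" }));
console.log(diagnoseVerifyResponse(SAMPLE_VERIFY_BODY));
```

Run the header check against the exact headers your client sends (for example, from a debug log with the token value redacted) before rotating or recreating a token.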

## You have the incorrect user permissions

You cannot create a token that exceeds the permissions granted to you on your account. For example, if you have been granted an **Admin (Read only)** role, you would need your Super Administrator to update your role so that you could create a token for yourself.


---

---
title: Accounts, zones, and profiles
description: Within the Cloudflare ecosystem, there are three organizing concepts that control where specific settings live: user profiles, accounts, and zones.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Accounts, zones, and profiles

Within the Cloudflare ecosystem, there are three organizing concepts that control where specific settings live: user profiles, accounts, and zones.

```mermaid
flowchart LR
accTitle: Accounts contain zones and user profiles contain user settings
subgraph Account
    subgraph Zone - example.com
        A[WAF]
        B[DNS]
    end
    subgraph Zone - example2.com
        C[Cache rules]
        D[Waiting Room]
    end
    Workers
    K[Account members]
end
subgraph User profile
    G[Email address]
    H[Language]
    I[Communication preferences]
end
```

---

## User profiles

Each user has a profile that contains several settings, such as [Communication preferences](https://developers.cloudflare.com/fundamentals/user-profiles/customize-account/#notifications) and [Language preferences](https://developers.cloudflare.com/fundamentals/user-profiles/customize-account/#language).

To access your profile, select the user icon and then **My Profile** from any page within the [Cloudflare dashboard ↗](https://dash.cloudflare.com).

## Accounts

An account refers to an organization account, which contains one or more users and zones. Users can belong to multiple accounts, and each account maintains its own settings, including [billing profiles](https://developers.cloudflare.com/billing/create-billing-profile/), [account members](https://developers.cloudflare.com/fundamentals/manage-members/), [lists](https://developers.cloudflare.com/waf/tools/lists/), and other configurations.

Several account-level products - such as [Workers](https://developers.cloudflare.com/workers/), [Pages](https://developers.cloudflare.com/pages/), [Security Center](https://developers.cloudflare.com/security-center/), and [Bulk redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) - can affect some or all zones contained within that account.

After you [log in ↗](https://dash.cloudflare.com) and select an account - but before you select a zone - the sidebar will list account-level products.

When you log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com), you can access all accounts where your user is a member. To access account settings and account-level products from within a zone, use the **Accounts** option from the navigation sidebar.

## Zones

Domains (or [subdomains](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/)) that are added to Cloudflare become zones[1](#user-content-fn-1), which have a direct impact on the security and performance of your website, application, or API. Use your zone to monitor security and performance, update configurations, and apply zone-level products and services.

Zone-level services - such as [Load Balancers](https://developers.cloudflare.com/load-balancing/) and [Cache rules](https://developers.cloudflare.com/cache/how-to/cache-rules/) - only affect your website, application, or API for that zone and not other zones, even if they are contained within the same account.

When you log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com) and choose an account, you can view a list of all zones within that account.

Once you are within a zone, items within the sidebar will be zone-related products. If you need to change to another zone, use the forward arrow next to the zone name or go back to the homepage of your account.

## Footnotes

1. Similar to [DNS zones ↗](https://www.cloudflare.com/learning/dns/glossary/dns-zone/), but with additional capabilities. [↩](#user-content-fnref-1)


---

---
title: Cloudflare IP addresses
description: When you add a domain to Cloudflare and proxy its DNS records, visitors who look up your domain receive a Cloudflare IP address instead of your origin server's real IP address. This hides your origin server's IP address and allows Cloudflare to optimize, cache, and protect all requests before forwarding them to you.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare IP addresses

When you add a domain to Cloudflare and [proxy its DNS records](https://developers.cloudflare.com/dns/proxy-status/), visitors who look up your domain receive a Cloudflare IP address instead of your origin server's real IP address. This hides your origin server's IP address and allows Cloudflare to optimize, cache, and protect all requests before forwarding them to you.

Cloudflare has several [IP address ranges ↗](https://www.cloudflare.com/ips/) which are shared by all proxied hostnames. Together, these IP addresses form the backbone of Cloudflare's anycast network — a routing method where the same IP address is announced from data centers worldwide, so each visitor's request is routed to a nearby data center.

Note

Cloudflare uses other IP ranges for various products and services, but these addresses will not make connections to your origin.

## Allow Cloudflare IP addresses

All traffic to [proxied DNS records](https://developers.cloudflare.com/dns/proxy-status/) passes through Cloudflare before reaching your origin server. This means that your origin server will stop receiving traffic from individual visitor IP addresses and instead receive traffic from [Cloudflare IP addresses ↗](https://www.cloudflare.com/ips), which are shared by all proxied hostnames.

To your origin server's firewall, this can look like a limited number of sources sending a high volume of traffic — which may trigger automatic blocking or rate limiting. Because all visitor traffic appears to come from Cloudflare IP addresses, blocking these IPs — even accidentally — will prevent visitor traffic from reaching your application.

The guidance above applies to domains that use Cloudflare's HTTP proxy. [Magic Transit](https://developers.cloudflare.com/magic-transit/) works differently — instead of proxying web requests, it protects entire IP networks at the network layer. Cloudflare announces your IP address ranges (prefixes) via BGP so that all traffic destined for your network passes through Cloudflare for inspection and DDoS filtering before being forwarded to your infrastructure.

## Configure origin server

### Allowlist Cloudflare IP addresses

To avoid blocking Cloudflare IP addresses unintentionally, you also want to allow Cloudflare IP addresses at your origin web server.

You can explicitly allow these IP addresses with a [.htaccess file ↗](https://httpd.apache.org/docs/trunk/mod/mod%5Fauthz%5Fcore.html#require) or by using [iptables ↗](https://www.linode.com/docs/security/firewalls/control-network-traffic-with-iptables/#block-or-allow-traffic-by-port-number-to-create-an-iptables-firewall).

The following example demonstrates how you could use an iptables rule to allow a Cloudflare IP address range. Replace `$ip` below with one of the [Cloudflare IP address ranges ↗](https://www.cloudflare.com/ips). You will need to run this command once for each IP range listed on that page.

```
# For IPv4 addresses
iptables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

# For IPv6 addresses
ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
```

For more specific guidance, contact your hosting provider or website administrator.

### Block other IP addresses (recommended)

If someone discovers your origin server's IP address — for example, through historical DNS records or mail server configuration — they could send traffic directly to your server, bypassing Cloudflare's security protections entirely. To prevent this, block all traffic that does not come from Cloudflare IP addresses or the IP addresses of your trusted partners, vendors, or applications.

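For example, once the allow rules above are in place, you might [update your iptables ↗](https://www.linode.com/docs/guides/control-network-traffic-with-iptables/#block-or-allow-traffic-by-port-number-to-create-an-iptables-firewall) with the following commands, which append a `DROP` rule for all remaining HTTP and HTTPS traffic: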

```
# For IPv4 addresses
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP

# For IPv6 addresses
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
```

For more specific guidance, contact your hosting provider or website administrator.

## Review external tools

To avoid blocking Cloudflare IP addresses unintentionally, review your external tools to check that:

* Any security plugins — such as those for WordPress — allow Cloudflare IP addresses.
* The [ModSecurity ↗](https://github.com/SpiderLabs/ModSecurity) plugin is up to date.

### Further protection

For further recommendations on securing your origin server, refer to our guide on [protecting your origin server](https://developers.cloudflare.com/fundamentals/security/protect-your-origin-server/).

### Customize Cloudflare IP addresses

Enterprise customers who do not want to use Cloudflare IP addresses — which are shared by all proxied hostnames — have two potential alternatives:

* [**Bring Your Own IP (BYOIP)**](https://developers.cloudflare.com/byoip/): Cloudflare announces your IPs (an IP address range you lease/own) in all of our [locations ↗](https://www.cloudflare.com/network/).
* **Static IP addresses**: Cloudflare sets static IP addresses for your domain. For more details, contact your account team.

Business and Enterprise customers can also reduce the number of Cloudflare IPs that their domain shares with other Cloudflare customer domains by [uploading a Custom SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/).

### IP range updates

Cloudflare's IP ranges do not change frequently. When they do change, they are added to our [list of IP ranges ↗](https://www.cloudflare.com/en-in/ips/) before being put into production. You can also use the Cloudflare API to programmatically keep your configuration updated.
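The allowlist and block steps above, together with the programmatic updates mentioned in this section, can be combined as in the following added example (not Cloudflare's own code): it validates a one-range-per-line list and renders it as an `iptables-restore` file, so the whole set is replaced in one commit instead of one command per range. The chain name `CF-ORIGIN`, the function names, and the sample ranges (documentation prefixes, not Cloudflare's real ones) are assumptions of this example.

```python
import ipaddress

# Constructed sample input. RFC 5737 / RFC 3849 documentation ranges stand in
# for the real list published at https://www.cloudflare.com/ips.
SAMPLE_RANGES = """\
# constructed placeholder ranges, not Cloudflare's real ones
192.0.2.0/24
198.51.100.0/24
198.51.100.0/24
2001:db8::/32
"""

CHAIN = "CF-ORIGIN"  # hypothetical chain name chosen for this example
MATCH = "-p tcp -m multiport --dports http,https"  # same match as the page's rules


def _sort_key(net):
    # Orders mixed IPv4/IPv6 lists without raising TypeError.
    return (net.version, int(net.network_address), net.prefixlen)


def parse_ranges(text):
    """Validate one-CIDR-per-line text; return (ipv4, ipv6) sorted network lists."""
    nets = {4: set(), 6: set()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects typos such as 192.0.2.1/24 (host bits set).
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad range {line!r}: {exc}") from None
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would allow everyone and make the DROP rule useless.
            raise ValueError(f"line {lineno}: refusing catch-all range {net}")
        nets[net.version].add(net)  # the set removes duplicate entries
    return sorted(nets[4], key=_sort_key), sorted(nets[6], key=_sort_key)


def restore_file(networks):
    """Render an iptables-restore file for one address family.

    The chain holds one ACCEPT per allowed range followed by a final DROP,
    the same order the page's -I ... ACCEPT and -A ... DROP commands produce.
    Packets that are not HTTP/HTTPS match no rule and return to INPUT.
    """
    if not networks:
        # An empty list usually means a failed download. Loading it would
        # leave only the DROP rule and cut off all visitor traffic.
        raise ValueError("no ranges for this address family; not writing rules")
    lines = ["*filter", f":{CHAIN} - [0:0]"]
    lines += [f"-A {CHAIN} {MATCH} -s {net} -j ACCEPT" for net in networks]
    lines += [f"-A {CHAIN} {MATCH} -j DROP", "COMMIT"]
    return "\n".join(lines) + "\n"


def diff_ranges(old, new):
    """Return (added, removed) between two network lists, for change review."""
    old_set, new_set = set(old), set(new)
    added = sorted(new_set - old_set, key=_sort_key)
    removed = sorted(old_set - new_set, key=_sort_key)
    return added, removed


if __name__ == "__main__":
    v4, v6 = parse_ranges(SAMPLE_RANGES)
    print("# load with: iptables-restore --noflush")
    print(restore_file(v4), end="")
    print("# load with: ip6tables-restore --noflush")
    print(restore_file(v6), end="")
```

The chain only takes effect once `INPUT` jumps to it, for example with a single `iptables -I INPUT -j CF-ORIGIN` (and the `ip6tables` equivalent). Ranges for trusted partners, vendors, or applications can be added to the same input list.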

---

---
title: How Cloudflare DNS works
description: To optimize your website or web application, Cloudflare provides DNS and CDN services, so we can reverse proxy the web traffic to and from your domain.
image: https://developers.cloudflare.com/core-services-preview.png
---

# How Cloudflare DNS works

To optimize your website or web application, Cloudflare provides [DNS ↗](https://www.cloudflare.com/learning/dns/what-is-dns/) and [CDN ↗](https://www.cloudflare.com/learning/cdn/what-is-a-cdn/) services, so we can [reverse proxy ↗](https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/) the web traffic to and from your domain.

## DNS explained

The Domain Name System (DNS) acts as the Internet's phonebook, translating domain names (for example, `cloudflare.com`) into numerical Internet Protocol (IP) addresses (for example, `103.21.244.0`).

The IP address is like a home address of where a website lives, and the domain name is the human-readable name.

A DNS query is like asking for directions to a place, and the DNS records are the source-of-truth for what exists where. DNS records live in authoritative [DNS servers ↗](https://www.cloudflare.com/learning/dns/dns-server-types/) and provide information about a domain, such as the [IP addresses ↗](https://www.cloudflare.com/learning/dns/glossary/what-is-my-ip-address/) of the servers that host the web content and services on that domain. With this information, Internet browsers know where to find a website or app, so they can render it for visitors using [HTTP ↗](https://www.cloudflare.com/learning/ddos/glossary/hypertext-transfer-protocol-http/).

## Cloudflare as a DNS provider

When you onboard your website or application to Cloudflare, Cloudflare becomes the primary authoritative DNS provider for your domain. As the primary authoritative DNS provider, Cloudflare responds to DNS queries for your domain, and you manage your domain's DNS records via the Cloudflare dashboard or API.

Note

Cloudflare only becomes the primary authoritative DNS provider when you use the default, full DNS setup. For alternative options, refer to [DNS setups](https://developers.cloudflare.com/dns/zone-setups/).

If your [domain's status](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) is active and the queried DNS record is set to `proxied`, Cloudflare responds with an [anycast IP address](https://developers.cloudflare.com/fundamentals/concepts/cloudflare-ip-addresses/), instead of the origin IP address defined in your DNS table.

Your domain status is active when your [nameservers are updated](https://developers.cloudflare.com/dns/nameservers/update-nameservers/) to point to Cloudflare and have been authenticated. The [proxy status](https://developers.cloudflare.com/dns/proxy-status/) defines how Cloudflare treats queries for specific DNS records. The [anycast IP address](https://developers.cloudflare.com/fundamentals/concepts/cloudflare-ip-addresses/) is used to distribute traffic amongst Cloudflare's network, which protects your website or app from [DDoS ↗](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/) and other attacks, while optimizing site speed.

## Cloudflare as a reverse proxy

A reverse proxy is a network of servers that sits in front of web servers and either forwards requests to those web servers, or handles requests on behalf of the web servers. Reverse proxies are typically implemented to help increase security, performance, and reliability of websites and web applications.

![The flow of a request from a server through Cloudflare to the origin server when Cloudflare is a reverse proxy.](https://developers.cloudflare.com/_astro/reverse-proxy.BUdeHa1B_18p3wj.webp) 

When Cloudflare receives a DNS query for your domain, the response is determined by the configuration [set in your DNS table](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/), including the [type of the record](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/), the record's [proxy eligibility](https://developers.cloudflare.com/dns/proxy-status/limitations/#proxy-eligibility), and its [proxy status](https://developers.cloudflare.com/dns/proxy-status/#proxied-records).

When DNS records in your DNS table have a `proxied` status, the record's HTTP/HTTPS traffic will route through Cloudflare on its way between the client and the origin server. If the domain's status is active, all HTTP/HTTPS requests for proxied DNS records route through Cloudflare.

Using Cloudflare as a reverse proxy has several benefits, including:

* **Load balancing.** A reverse proxy can provide a load balancing solution which distributes incoming traffic evenly among different servers to prevent any single server from becoming overloaded. In the event that a server fails completely, other servers can step up to handle the traffic.
* **Protection from attacks.** With a reverse proxy in place, a website or service never needs to reveal the IP address of its origin servers, which makes it much harder for attackers to launch a targeted attack against them, such as a DDoS attack. Instead, the attackers will only be able to target the reverse proxy, such as Cloudflare's CDN, which will have tighter security and more resources to fend off a cyber attack.
* **Caching.** A reverse proxy can also cache content, resulting in faster performance. For example, if a user in Paris visits a reverse-proxied website with web servers in Los Angeles, the user might actually connect to a local reverse proxy server in Paris, which will then have to communicate with an origin server in L.A. The proxy server can then cache (or temporarily save) the response data. Subsequent Parisian users who browse the site will then get the locally cached version from the Parisian reverse proxy server, resulting in much faster performance.
* **SSL encryption.** SSL/TLS is essential. Without an SSL/TLS certificate, your visitors will find a warning on their browser stating your website or application is not secure. However, encrypting and decrypting SSL (or TLS) communications for each client can be computationally expensive for an origin server. A reverse proxy can be configured to decrypt all incoming requests and encrypt all outgoing responses, freeing up valuable resources on the origin server.

---

---
title: Traffic flow through Cloudflare
description: Internet traffic is made up of people, services, and agents requesting online resources from wherever they are hosted. Your resources may be publicly available, like a website or application that anyone on the Internet can access. Or your resources may be privately available, like an internal app or network that only your employees and partners should be able to access.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Traffic flow through Cloudflare

Internet traffic is made up of people, services, and agents requesting online resources from wherever they are hosted. Your resources may be publicly available, like a website or application that anyone on the Internet can access. Or your resources may be privately available, like an internal app or network that only your employees and partners should be able to access.

Both public and private resources can be connected to the Cloudflare network to ensure only good actors can access what they are supposed to be able to access with high performance.

For example, you may not always want the direct traffic because it can come from malicious sources, like hackers, or in the form of [DDoS attacks ↗](https://www.cloudflare.com/learning/ddos/ddos-attack-tools/how-to-ddos/). Additionally, depending on the location where the request originated, you want to ensure the traffic is [routed through the most efficient and fastest path](https://developers.cloudflare.com/argo-smart-routing/).

## Cloudflare's network

[Cloudflare's global network ↗](https://www.cloudflare.com/network/), coupled with [Anycast ↗](https://www.cloudflare.com/learning/dns/what-is-anycast-dns/) IP addressing, ensures that requests are handled by a Cloudflare server that is as close to the source as possible.

If you want to protect your traffic and ensure it travels efficiently, you need to configure Cloudflare to be in front of whatever you are trying to protect, such as your application, service, or server. How you put your resources behind Cloudflare's network will depend on the type of traffic and how you want to control it.

Note

Cloudflare supports all HTTP methods, with the exception of `CONNECT`, `TRACE`, and `PURGE`, which are restricted. Requests that use restricted methods are not proxied through Cloudflare's network. Note that other Cloudflare products may apply different restrictions on HTTP methods, and behavior can vary depending on the service.

## On-ramp and off-ramp traffic

Traffic that enters Cloudflare's network is referred to as "on-ramping," and traffic that exits Cloudflare's network is referred to as "off-ramping." You may also know this as ingress and egress or "routing your traffic" through a network.

### On-ramp traffic to Cloudflare

When you on-ramp traffic to Cloudflare, this allows Cloudflare to act on, secure, and increase performance of that traffic.

One example of on-ramping traffic to Cloudflare is updating your public website to use Cloudflare as the primary authoritative [DNS provider](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/#cloudflare-as-a-dns-provider) for your domain.

However, maybe you need to protect a private application that is not directly available on the Internet. In this scenario, you can:

* Connect your private application to Cloudflare using [secure tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), and use a [device agent](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) to connect as a user.
* For users already connected to a private company network, connect the entire network to Cloudflare using secure tunnels, and any request from a user device will access the private application through those tunnels.

With these options, any request from a user device can access internal private applications via the secure private tunnels.

Refer to the list below for products you can use to on-ramp traffic to Cloudflare.

* [Anycast routing ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) uses Anycast IP addressing to route traffic to the nearest Cloudflare data center. Selective routing allows an Anycast network to be resilient in the face of high traffic volume, network congestion, and [DDoS attacks ↗](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/).
* [DNS-based](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/#cloudflare-as-a-dns-provider) traffic resolves domains onboarded to [Cloudflare's CDN](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/). Cloudflare's DNS directs traffic to Cloudflare's global network of servers instead of a website's origin server.
* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your resources to Cloudflare without a publicly routable IP address so that your origins can serve traffic through Cloudflare without being vulnerable to attacks that bypass Cloudflare.
* [Magic Transit](https://developers.cloudflare.com/magic-transit/about/) offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks by accepting IP packets destined for your network, processing them, and outputting the packets to your origin infrastructure.
* The [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) securely and privately sends traffic from corporate devices to Cloudflare's global network while also applying advanced Zero Trust policies that check for a device's health before it connects to corporate applications.

### Off-ramp traffic from Cloudflare

If you need to ensure traffic leaves Cloudflare's network in a specific way, you can manage how traffic is off-ramped.

For example, if you need to adhere to [regional laws](https://developers.cloudflare.com/data-localization/regional-services/) that dictate user traffic and require data never leaves your country, you can configure off-ramp and on-ramp traffic on servers in the same geographical area.

Or maybe you want to force traffic to off-ramp in a certain country to maintain your user's experience. For example, if you have employees in India who travel frequently, you can configure the off-ramp traffic to always appear to come from India so websites they visit maintain their language and preferences.

You can also utilize [caching](https://developers.cloudflare.com/cache/) to help with performance. Instead of off-ramp traffic going to a server across the globe, Cloudflare can cache that content locally for the user to reduce the overall time for their request.

Refer to the list below for products you can use to off-ramp traffic from Cloudflare.

* [Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/) detects real-time network issues and routes your web traffic across the most efficient network path, avoiding congestion.
* [Cache](https://developers.cloudflare.com/cache/) works with cached content to avoid off-ramping to origin servers, instead serving content directly from Cloudflare's global network.
* [Regional services](https://developers.cloudflare.com/data-localization/regional-services/) lets you choose which subset of data centers decrypt and service HTTPS traffic, which can help customers who have to meet regional compliance or have preferences for maintaining regional control over their data.

---

---
title: Available RSS Feeds
description: Read about the various RSS feeds available for Cloudflare's changelogs.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Available RSS Feeds

Cloudflare offers various RSS feeds as part of our [changelog](https://developers.cloudflare.com/changelog/), which helps you stay up to date on new features and functionality.

For more details on how these feeds are structured, refer to [Consuming RSS Feeds](https://developers.cloudflare.com/fundamentals/new-features/consuming-rss-feeds/).

## Feeds

### Global feed

This feed contains entries for all Cloudflare products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) 

### Area-specific feeds

Cloudflare also offers RSS feeds scoped to specific product areas or products in the [changelog](https://developers.cloudflare.com/changelog/).

#### Application performance

This feed is for all Application performance products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/application-performance.xml) 

Included products

* [Cache / CDN](https://developers.cloudflare.com/cache/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cache.xml)
* [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-for-saas.xml)
* [DNS](https://developers.cloudflare.com/dns/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/dns.xml)
* [Load Balancing](https://developers.cloudflare.com/load-balancing/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/load-balancing.xml)
* [SSL/TLS](https://developers.cloudflare.com/ssl/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/ssl.xml)
* [Cloudflare Web Analytics](https://developers.cloudflare.com/web-analytics/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/web-analytics.xml)

#### Application security

This feed is for all Application security products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/application-security.xml) 

Included products

* [API Shield](https://developers.cloudflare.com/api-shield/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/api-shield.xml)
* [Secrets Store](https://developers.cloudflare.com/secrets-store/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/secrets-store.xml)
* [Security Center](https://developers.cloudflare.com/security-center/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/security-center.xml)
* [Security Overview](https://developers.cloudflare.com/security/overview/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/security-overview.xml)
* [WAF](https://developers.cloudflare.com/waf/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/waf.xml)

DDoS ruleset feeds 

For [DDoS Protection](https://developers.cloudflare.com/ddos-protection/) updates to managed rulesets, please refer to their independent feeds:

* [Network-layer DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/change-log/network/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/ddos-protection/change-log/network/index.xml)
* [HTTP DDoS managed ruleset](https://developers.cloudflare.com/ddos-protection/change-log/http/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/ddos-protection/change-log/http/index.xml)

#### Cloudflare One

This feed is for all Cloudflare One products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-one.xml) 

Included products

* [Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/access.xml)
* [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/browser-isolation.xml)
* [CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/casb.xml)
* [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-network-firewall.xml)
* [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-one.xml)
* [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-one-client.xml)
* [Cloudflare Tunnel for SASE](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-tunnel-sase.xml)
* [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/cloudflare-wan.xml)
* [Digital Experience Monitoring](https://developers.cloudflare.com/cloudflare-one/insights/dex/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/dex.xml)
* [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/dlp.xml)
* [Email security](https://developers.cloudflare.com/cloudflare-one/email-security/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/email-security-cf1.xml)
* [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/gateway.xml)
* [Multi-Cloud Networking](https://developers.cloudflare.com/multi-cloud-networking/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/multi-cloud-networking.xml)
* [Risk Score](https://developers.cloudflare.com/cloudflare-one/insights/risk-score/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/risk-score.xml)

#### Consumer services

This feed is for all Consumer services products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/consumer-services.xml) 

Included products

* [Radar](https://developers.cloudflare.com/radar/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/radar.xml)

#### Core platform

This feed is for all Core platform products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/core-platform.xml) 

Included products

* [AI Crawl Control](https://developers.cloudflare.com/ai-crawl-control/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/ai-crawl-control.xml)
* [Analytics](https://developers.cloudflare.com/analytics/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/analytics.xml)
* [Audit Logs](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/audit-logs.xml)
* [Cloudflare Fundamentals](https://developers.cloudflare.com/fundamentals/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/fundamentals.xml)
* [Log Explorer](https://developers.cloudflare.com/log-explorer/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/log-explorer.xml)
* [Logs](https://developers.cloudflare.com/logs/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/logs.xml)
* [Registrar](https://developers.cloudflare.com/registrar/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/registrar.xml)
* [Rules](https://developers.cloudflare.com/rules/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/rules.xml)
* [SDK](https://developers.cloudflare.com/sdk/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/sdk.xml)
* [Terraform](https://developers.cloudflare.com/terraform/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/terraform.xml)
* [Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/tunnel.xml)

API deprecations feed 

Cloudflare also maintains a separate [API deprecations page.](https://developers.cloudflare.com/fundamentals/api/reference/deprecations/)   
[ Subscribe to RSS ](https://developers.cloudflare.com/fundamentals/api/reference/deprecations/index.xml) 

#### Developer platform

This feed is for all Developer platform products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/developer-platform.xml) 

Included products

* [Agents](https://developers.cloudflare.com/agents/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/agents.xml)
* [AI Gateway](https://developers.cloudflare.com/ai-gateway/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/ai-gateway.xml)
* [AI Search](https://developers.cloudflare.com/ai-search/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/ai-search.xml)
* [Browser Rendering](https://developers.cloudflare.com/browser-rendering/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/browser-rendering.xml)
* [Containers](https://developers.cloudflare.com/containers/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/containers.xml)
* [D1](https://developers.cloudflare.com/d1/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/d1.xml)
* [Durable Objects](https://developers.cloudflare.com/durable-objects/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/durable-objects.xml)
* [Email Routing](https://developers.cloudflare.com/email-routing/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/email-routing.xml)
* [Hyperdrive](https://developers.cloudflare.com/hyperdrive/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/hyperdrive.xml)
* [Cloudflare Images](https://developers.cloudflare.com/images/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/images.xml)
* [KV](https://developers.cloudflare.com/kv/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/kv.xml)
* [Pages](https://developers.cloudflare.com/pages/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/pages.xml)
* [Pipelines](https://developers.cloudflare.com/pipelines/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/pipelines.xml)
* [Queues](https://developers.cloudflare.com/queues/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/queues.xml)
* [R2](https://developers.cloudflare.com/r2/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/r2.xml)
* [R2 SQL](https://developers.cloudflare.com/r2-sql/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/r2-sql.xml)
* [Realtime](https://developers.cloudflare.com/realtime/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/realtime.xml)
* [Stream](https://developers.cloudflare.com/stream/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/stream.xml)
* [Vectorize](https://developers.cloudflare.com/vectorize/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/vectorize.xml)
* [Workers](https://developers.cloudflare.com/workers/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/workers.xml)
* [Workers AI](https://developers.cloudflare.com/workers-ai/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/workers-ai.xml)
* [Workers Analytics Engine](https://developers.cloudflare.com/analytics/analytics-engine/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/workers-analytics-engine.xml)
* [Workers for Platforms](https://developers.cloudflare.com/cloudflare-for-platforms/workers-for-platforms/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/workers-for-platforms.xml)
* [Workers VPC](https://developers.cloudflare.com/workers-vpc/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/workers-vpc.xml)
* [Workflows](https://developers.cloudflare.com/workflows/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/workflows.xml)
* [Zaraz](https://developers.cloudflare.com/zaraz/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/zaraz.xml)

#### Network security

This feed is for all Network security products in the changelog: [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/network-security.xml) 

Included products

* [Magic Transit](https://developers.cloudflare.com/magic-transit/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/magic-transit.xml)
* [Network Flow](https://developers.cloudflare.com/network-flow/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/network-flow.xml)
* [Network Interconnect](https://developers.cloudflare.com/network-interconnect/)  
[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/network-interconnect.xml)

## Related resources

* [Planned maintenance windows](https://developers.cloudflare.com/support/disruptive-maintenance/)
* [Subscribe to Cloudflare Status](https://developers.cloudflare.com/support/cloudflare-status/)


---

---
title: Consuming RSS Feeds
description: Learn how to consume our changelog RSS feeds.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Consuming RSS Feeds

Our [changelogs](https://developers.cloudflare.com/changelog/) are published to [various RSS feeds](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) with HTML in the `<description>` tag.

In feeds with multiple products, such as the global or product-area feeds, the products associated with a given entry are in the `<category>` tag.

A single product will also appear in the custom `<product>` tag for legacy reasons, but we recommend you use the `<category>` tag.

## Example XML

```xml
<rss version="2.0">
  <channel>
    <title>Cloudflare changelogs</title>
    <description>Updates to various Cloudflare products</description>
    <link>https://developers.cloudflare.com/changelog/</link>
    <item>
      <title>Agents, Workers, Workflows - Build AI Agents with Example Prompts</title>
      <link>https://developers.cloudflare.com/changelog/2025-02-14-example-ai-prompts/</link>
      <guid isPermaLink="true">https://developers.cloudflare.com/changelog/2025-02-14-example-ai-prompts/</guid>
      <description>
        <p>
          We've added an <a href="https://developers.cloudflare.com/workers/get-started/prompting/">example prompt</a> to help you get started with building AI agents and applications on Cloudflare ...
        </p>
      </description>
      <pubDate>Fri, 14 Feb 2025 19:00:00 GMT</pubDate>
      <product>Agents</product>
      <category>Agents</category>
      <category>Workers</category>
      <category>Workflows</category>
    </item>
  </channel>
</rss>
```
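The following consumer is an added example, not Cloudflare's own code: it reads a feed shaped like the XML above, takes products from `<category>` with a fallback to the legacy `<product>` tag, and reduces the HTML in `<description>` to plain text before the entry is forwarded anywhere. The second feed item, the function names, and the DTD refusal are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser

# Constructed sample modelled on the example XML. The second <item> is invented
# here to exercise the <product>-only fallback and an entity-escaped description.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Cloudflare changelogs</title>
    <item>
      <title>Agents, Workers, Workflows - Build AI Agents with Example Prompts</title>
      <link>https://developers.cloudflare.com/changelog/2025-02-14-example-ai-prompts/</link>
      <description>
        <p>We've added an <a href="https://developers.cloudflare.com/workers/get-started/prompting/">example prompt</a> to help you get started ...</p>
      </description>
      <pubDate>Fri, 14 Feb 2025 19:00:00 GMT</pubDate>
      <product>Agents</product>
      <category>Agents</category>
      <category>Workers</category>
      <category>Workflows</category>
    </item>
    <item>
      <title>Constructed entry - legacy product tag only</title>
      <link>https://example.com/changelog/constructed-entry/</link>
      <description>&lt;p&gt;Rule &lt;b&gt;update&lt;/b&gt;&lt;script&gt;alert(1)&lt;/script&gt; shipped.&lt;/p&gt;</description>
      <pubDate>Sat, 15 Feb 2025 08:30:00 GMT</pubDate>
      <product>WAF</product>
    </item>
  </channel>
</rss>"""


class _TextOnly(HTMLParser):
    """Collect visible text; drop tags, attributes and <script>/<style> bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def _plain_text(description):
    """Return the visible text of a <description> element."""
    if description is None:
        return ""
    # Escaped or CDATA HTML arrives as .text; unescaped markup (as in the
    # example XML) arrives as child elements, so serialise those back first.
    raw = (description.text or "") + "".join(
        ET.tostring(child, encoding="unicode") for child in description
    )
    parser = _TextOnly()
    parser.feed(raw)
    parser.close()
    return " ".join("".join(parser.parts).split())


def parse_entries(xml_text):
    """Parse the feed into dicts: title, link, published, products, summary."""
    # The feed is remote input. An RSS 2.0 feed needs no DTD, so refuse one
    # rather than let the XML parser expand entity declarations.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("feed declares a DTD; refusing to parse")
    entries = []
    for item in ET.fromstring(xml_text).iter("item"):
        products = [c.text.strip() for c in item.findall("category")
                    if c.text and c.text.strip()]
        if not products:  # legacy single-product tag
            legacy = (item.findtext("product") or "").strip()
            products = [legacy] if legacy else []
        pub = item.findtext("pubDate")
        entries.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "published": parsedate_to_datetime(pub) if pub else None,
            "products": products,
            "summary": _plain_text(item.find("description")),
        })
    return entries


def entries_for(entries, watched):
    """Keep entries tagged with at least one watched product (case-insensitive)."""
    wanted = {w.lower() for w in watched}
    return [e for e in entries if wanted & {p.lower() for p in e["products"]}]


if __name__ == "__main__":
    for entry in entries_for(parse_entries(SAMPLE_FEED), {"Workers", "WAF"}):
        print(entry["published"], entry["products"], entry["summary"])
```
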

## Related resources

You can surface RSS feeds in several different providers, including:

* [Slack ↗](https://slack.com/help/articles/218688467-Add-RSS-feeds-to-Slack)
* [Microsoft Teams ↗](https://learn.microsoft.com/en-us/microsoftteams/m365-custom-connectors)
* [Google Chat ↗](https://developers.google.com/workspace/chat/quickstart/webhooks)


---

---
title: Improve SEO
description: The goal of Search Engine Optimization (SEO) is to get your website to rank higher on various search engine providers (Google, Bing, etc.).
image: https://developers.cloudflare.com/core-services-preview.png
---


# Improve SEO

The goal of Search Engine Optimization (SEO) is to get your website to rank higher on various search engine providers (Google, Bing, etc.).

In practice, SEO is primarily about quality content, user experience, and not making things more difficult for search engine crawlers. While Cloudflare cannot write quality content for you, our service can help with user experience — especially related to [site speed ↗](https://www.cloudflare.com/learning/performance/how-website-speed-boosts-seo/) — and search crawlers.

Tip:

For general guidelines around SEO, refer to [Google's recommendations ↗](https://developers.google.com/search/docs/advanced/guidelines/overview).

## SEO improvements with Cloudflare

Several Cloudflare features improve Search Engine site rankings. However, meaningful and regularly updated site content is still crucial to improving SEO.

### Increase site speed

Since at least 2010, Google has publicly stated that [site speed affects your Google ranking ↗](https://webmasters.googleblog.com/2010/04/using-site-speed-in-web-search-ranking.html).

Cloudflare offers multiple features to [optimize site performance](https://developers.cloudflare.com/speed/).

### Enable HTTPS

Since search engines use HTTPS as [a ranking signal ↗](https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html), HTTPS is vital for SEO.

To make sure your domain is accessible over HTTPS:

1. Get an [SSL/TLS certificate](https://developers.cloudflare.com/ssl/get-started/) for your domain.
2. [Redirect visitors](https://developers.cloudflare.com/ssl/edge-certificates/encrypt-visitor-traffic/) to the HTTPS version of your domain.

### Enable Crawler Hints

With [Crawler Hints](https://developers.cloudflare.com/cache/advanced-configuration/crawler-hints/), search engines and other bot-powered experiences have the freshest version of your content, translating into happier users and ultimately influencing search rankings.

## Troubleshooting

Depending on your domain's security settings, you might accidentally block search engine crawlers.

If you notice SEO issues, make sure your:

* [WAF custom rules](https://developers.cloudflare.com/waf/troubleshooting/faq/#caution-about-potentially-blocking-bots) are allowing **Verified Bots**.
* [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) are allowing **Verified Bots**.
* [Bot protection](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/) settings are not blocking **Verified Bots**.

If you still notice issues with search engine crawlers, refer to our [Troubleshooting guide](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/troubleshooting-crawl-errors/).

## Common misconceptions

The following characteristics do not affect your domain's SEO:

* **Changing your nameservers**: Using Cloudflare's nameservers does not affect your domain's SEO.
* **Server location**: According to Google, [server location ↗](http://www.seroundtable.com/seo-geo-location-server-google-17468.html) is not important for SEO.
* **Sites sharing IP addresses**: Search engines do not generally penalize domains using shared IP addresses unless several of these sites are malicious or spammy.
* **Cloudflare caching**: When Cloudflare caches your content, it actually speeds up content delivery and only improves SEO. Our caching does not create duplicate content, rewrite URLs, or create additional subdomains.


---

---
title: Maintenance mode
description: If you need to make large changes to your website, you may want to make your site temporarily unavailable.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Maintenance mode

If you need to make large changes to your website, you may want to make your site temporarily unavailable.

## With code

If you are familiar with code, [create a Worker](https://developers.cloudflare.com/workers/get-started/guide/) that returns an [HTML page](https://developers.cloudflare.com/workers/examples/return-html/) to any site visitors.

![Workers maintenance page returned instead of your website](https://developers.cloudflare.com/_astro/workers-page.DnkGi-jv_ZQeG7r.webp) 

## Without code

### Business and Enterprise

For a maintenance page without code, Business and Enterprise users can create a [Cloudflare Waiting Room](https://developers.cloudflare.com/waiting-room/how-to/create-waiting-room/).

Certain customization and queue options depend on your [plan](https://developers.cloudflare.com/waiting-room/plans/).

![Waiting room page returned instead of your website](https://developers.cloudflare.com/_astro/waiting-room-page.C-z8rg-V_220ck.webp) 

### All plans

Users on all plans can [create an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). Make sure to limit your [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) to only include yourself and any collaborators.

If needed, you can also further [customize the login page](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/access-login-page/).

![Example Access login page](https://developers.cloudflare.com/_astro/access-page.C47nT0tE_ZFEQLY.webp) 


---

---
title: Minimize downtime
description: Learn how to minimize downtime while onboarding your domain onto Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Minimize downtime

When making any change to the routing of an Internet application, there is always a possibility of downtime due to certificate issuance, misconfigured settings, or limitations at your origin server. To avoid downtime when going live, it is important to review the most common configurations.

## Update and review DNS records

Before activating your domain on Cloudflare (exact steps depend on your [DNS setup](https://developers.cloudflare.com/dns/zone-setups/)), review the DNS records in your Cloudflare account.

### Start with unproxied records

With a new domain, make sure all of your DNS records have a [proxy status](https://developers.cloudflare.com/dns/proxy-status/) of **DNS-only**.

This setting prevents Cloudflare from proxying your traffic before you have an active edge certificate or before you have allowed Cloudflare IP addresses.

### Confirm record accuracy

Take extra time to confirm the accuracy of your DNS records before activating your domain, paying special attention to:

* [Zone apex records (example.com)](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-zone-apex/)
* [Subdomain records (www.example.com or blog.example.com)](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-subdomain/)
* [Email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/)

If you add DNS records to your authoritative DNS provider between onboarding your domain and activating your domain, you may need to also add these records within Cloudflare.

## Activate your domain

Finish the [DNS setup](https://developers.cloudflare.com/dns/zone-setups/) for your domain, moving the [domain status](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) to **Active**:

* [Full setups](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/): Update the authoritative nameservers at your registrar and wait for that change to be authenticated.
* [Partial setups](https://developers.cloudflare.com/dns/zone-setups/partial-setup/setup/): Add the verification TXT record to your authoritative DNS and wait for that change to be authenticated.

## Verify SSL/TLS edge certificates

Before proxying your traffic through Cloudflare, [verify](https://developers.cloudflare.com/ssl/reference/certificate-statuses/#monitor-certificate-statuses) that Cloudflare has an active **Edge Certificate** for your domain.

For more details about timing and certificate recommendations, refer to [Certificate issuance](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#full-dns-setup).

## Optional - Test configuration

You may want to test your configuration using your local machine or proxying traffic from a development domain or subdomain.

If you experience issues, you should make sure that you have [allowed Cloudflare IP addresses](https://developers.cloudflare.com/fundamentals/concepts/cloudflare-ip-addresses/) at your origin server.

## Update proxy status

Once you have verified that your SSL/TLS edge certificate is active and you have allowed Cloudflare IP addresses, change the [proxy status](https://developers.cloudflare.com/dns/proxy-status/) of appropriate DNS records to **Proxied**.


---

---
title: Optimize site speed
image: https://developers.cloudflare.com/core-services-preview.png
---


# Optimize site speed


---

---
title: Prepare for surges or spikes in web traffic
image: https://developers.cloudflare.com/core-services-preview.png
---


# Prepare for surges or spikes in web traffic


---

---
title: Test speed
description: Cloudflare offers several tools to test the speed of your website, as well as the speed of your Internet connection.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Test speed

Cloudflare offers several tools to test the speed of your website, as well as the speed of your Internet connection.

---

## Test website speed

### Using Cloudflare

Once your domain is [active on Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/), you can run speed tests within the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/speed).

This speed test will provide information about critical loading times, performance with and without [Cloudflare's proxy](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/), and recommended optimizations.

If you experience any issues, make sure you are not blocking specific [user agents](https://developers.cloudflare.com/fundamentals/reference/cloudflare-site-crawling/#other-situations).

### Using third-party tools

If your domain is not yet active on Cloudflare or you want to measure the before and after improvements of using Cloudflare, Cloudflare recommends using the following third-party tools:

* [PageGym ↗](https://pagegym.com/)
* [GTmetrix ↗](https://gtmetrix.com/)
* [DebugBear ↗](https://www.debugbear.com/test/website-speed)
* [Lighthouse ↗](https://developer.chrome.com/docs/lighthouse/)
* [WebPageTest ↗](https://www.webpagetest.org/)

If you use these third-party tools, you should do the following to test website speed:

1. [Pause Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/) to remove performance and caching benefits.
2. Run a speed test.
3. Unpause Cloudflare.
4. Run a speed test[1](#user-content-fn-1).
5. Run a second speed test to get your baseline performance with Cloudflare.

### Improve speed

Based on the results of these speed tests, you may want to explore other ways to [optimize your site speed](https://developers.cloudflare.com/speed/) using Cloudflare.

Note

Cloudflare does not consider Time to First Byte (TTFB) the most important measure of page load speed. If you are concerned about a slower TTFB while using Cloudflare, refer to our blog post about [Cloudflare and TTFB ↗](http://blog.cloudflare.com/ttfb-time-to-first-byte-considered-meaningles/).

---

## Test Internet speed

To test the speed of your home network connection (download, upload, packet loss, ping measurements, and more), visit [speed.cloudflare.com ↗](https://speed.cloudflare.com).

## Footnotes

1. The results of your first speed test with Cloudflare will likely contain uncached results, which will provide inaccurate results. One of the key ways Cloudflare speeds up your site is through [caching](https://developers.cloudflare.com/cache/), which will appear in the results of the second test. [↩](#user-content-fnref-1)


---

---
title: Account and domain management best practices
description: More and more of our lives revolve around our online presence and maintaining access to our various online accounts, such as social media, banking, personal, and business accounts. These accounts are critical to remaining connected with our loved ones and business. As such, ensuring a level of continuity with these services is critical. Below is a list of important items to help ensure you are able to maintain access or delegate access to your Cloudflare account in the event that you are unable to manage your account.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Account and domain management best practices

More and more of our lives revolve around our online presence and maintaining access to our various online accounts, such as social media, banking, personal, and business accounts. These accounts are critical to remaining connected with our loved ones and business. As such, ensuring a level of continuity with these services is critical. Below is a list of important items to help ensure you are able to maintain access or delegate access to your Cloudflare account in the event that you are unable to manage your account.

You can lose access to your account and/or domain for several reasons: death, divorce, a disgruntled employee, or simply missing an email notification.

To help prevent loss of access:

* Decentralize access to your account.
* Protect yourself by following good password management practices.
* Maintain control of your domain name.
* Save your 2FA backup keys.

## Relationships, partnerships, and business ventures

Ensuring equal access with your partner, spouse, or your business partner is important to ensuring your account or domain names remain active.

If you have a domain name or a portfolio of domain names for your business, a strict organization policy for vendor account creation and domain name registration is critical. The steps below will ensure your organization is the owner of the account and/or domain names:

* Ensure the registrant of the domain name is your organization's name.
* Ensure the vendor account is in your organization's name.
* Ensure that access to the email address used to set up these accounts is decentralized, but can still be used to send emails. Do not use a distribution list email address.

## Email addresses

If you are operating a business, do not use an email address that is tied to the domain name itself, such as `john@example.com`; instead, use one of the many well-known email providers as a best practice. Additionally, the email address itself should be one that is shared with your business partner, with a name such as `ourbusiness@example.com`. This is important because many companies require that the person contacting them for support has access to the email address associated with the account.

## Billing information

Most, if not all, online services have automated billing processes that will attempt to bill the current or default credit card on file. Keeping your billing information up to date is critical, because a failed billing attempt that is not resolved in a timely manner can cause service disruptions.

## Deceased account holder or registrant

While often overlooked, an important part of having an online presence is ensuring continuity in the event of an unexpected accident or incapacitation of the account holder. Create clear instructions for domain or account management in the event the account holder is unable to administer the account. If you learn no instructions are available on how to access the account of the deceased, Cloudflare may be able to assist you.


---

---
title: /cdn-cgi/ endpoint
description: When you add a domain to Cloudflare, Cloudflare adds a /cdn-cgi/ endpoint (www.example.com/cdn-cgi/) to that domain.
image: https://developers.cloudflare.com/core-services-preview.png
---


# /cdn-cgi/ endpoint

When you [add a domain to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/), Cloudflare adds a `/cdn-cgi/` endpoint (`www.example.com/cdn-cgi/`) to that domain.

This endpoint is managed and served by Cloudflare. It cannot be modified or customized. The endpoint is not used by every Cloudflare product, but you may find some products use the endpoint in their URLs.

A few examples include (but are not limited to):

* [Identify the Cloudflare data center serving your request](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#identify-the-cloudflare-data-center-serving-your-request), which is helpful for troubleshooting (`https://<YOUR_DOMAIN>/cdn-cgi/trace`).
* [JavaScript detection](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/) used by Cloudflare bot products (`example.com/cdn-cgi/challenge-platform/`)
* [Image transformations](https://developers.cloudflare.com/images/transform-images) in the new URLs you would use for images (`example.com/cdn-cgi/image/`)
* [Email address obfuscation](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/) used to hide email addresses from malicious bots (`example.com/cdn-cgi/l/email-protection`)
* [Web analytics](https://developers.cloudflare.com/web-analytics/get-started/#sites-proxied-through-cloudflare) for a website proxied through Cloudflare (`example.com/cdn-cgi/rum`). This endpoint returns a `204` HTTP status code.
* [Speed Brain](https://developers.cloudflare.com/speed/optimization/content/speed-brain/) adds an HTTP header called `Speculation-Rules` to web page responses. This header contains a URL that hosts an opinionated Speculation-Rules configuration, which instructs the browser to initiate prefetch requests for anticipated future navigations.

## Recommended exclusions

### Exclude from security scanners

Some scanners may display an error because certain `/cdn-cgi/` endpoints do not have an [HSTS setting](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/) applied to them, or for similar reasons. Because the endpoint is managed by Cloudflare, you can ignore the error and do not need to worry about it.

To prevent scanner errors, omit the `/cdn-cgi/` endpoint from your security scans.

### Disallow using robots.txt

`/cdn-cgi/` can also cause issues with various web crawlers.

Search engine crawlers can encounter [errors when crawling these endpoints](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/troubleshooting-crawl-errors/) and — though these errors do not impact site rankings — they may surface in your webmaster dashboard.

SEO and other web crawlers may also mistakenly crawl these endpoints, thinking that they are part of your site's content.

As a best practice, update your `robots.txt` file to include `Disallow: /cdn-cgi/`.
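The check below is an added example, not part of Cloudflare's documentation. It uses Python's standard `urllib.robotparser` to confirm that the `/cdn-cgi/` URLs listed on this page are disallowed for each crawler you care about, and shows the common miss where the rule sits only in the `*` group while a crawler with its own group never sees it. The sample `robots.txt` contents and the function name are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# /cdn-cgi/ URLs named in the examples on this page.
CDN_CGI_PATHS = [
    "/cdn-cgi/trace",
    "/cdn-cgi/challenge-platform/",
    "/cdn-cgi/image/",
    "/cdn-cgi/l/email-protection",
    "/cdn-cgi/rum",
]

# Constructed sample: the rule is only in the "*" group. A crawler that has
# its own group (Googlebot here) follows that group and ignores "*".
ROBOTS_INCOMPLETE = """\
User-agent: *
Disallow: /cdn-cgi/

User-agent: Googlebot
Disallow: /private/
"""

# Constructed sample: the rule is repeated in every crawler-specific group.
ROBOTS_FIXED = """\
User-agent: *
Disallow: /cdn-cgi/

User-agent: Googlebot
Disallow: /private/
Disallow: /cdn-cgi/
"""


def crawlable_cdn_cgi_paths(robots_txt, user_agents):
    """Return {user_agent: [paths]} for /cdn-cgi/ paths a crawler may still fetch.

    An empty dict means every listed crawler is kept out of /cdn-cgi/.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    gaps = {}
    for agent in user_agents:
        allowed = [path for path in CDN_CGI_PATHS if parser.can_fetch(agent, path)]
        if allowed:
            gaps[agent] = allowed
    return gaps


if __name__ == "__main__":
    for label, text in (("incomplete", ROBOTS_INCOMPLETE), ("fixed", ROBOTS_FIXED)):
        print(label, crawlable_cdn_cgi_paths(text, ["Googlebot", "Bingbot"]))
```
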

---

---
title: Cloudflare Ray ID
description: A Cloudflare Ray ID is an identifier given to every request that goes through Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare Ray ID

A **Cloudflare Ray ID** is an identifier given to every request that goes through Cloudflare.

Ray IDs are particularly useful when evaluating Security Events for patterns or false positives or more generally understanding your application traffic.

Ray IDs are added as a [request header, cf-ray](https://developers.cloudflare.com/fundamentals/reference/http-headers/#cf-ray), to the connection from Cloudflare to the origin web server. As such, Ray IDs can be found using the Developer Tools in your browser or using curl with the `-v` option to show the headers.

Warning

Ray IDs are not guaranteed to be unique for every request. In some situations, different requests may have the same Ray ID.

## Look up Ray IDs

### Security events

All customers can view Ray IDs and associated information — IP address, user agent, ASN, etc. — by looking through [sampled logs](https://developers.cloudflare.com/waf/analytics/security-events/#sampled-logs) in Security Events.

![Example list of events in sampled logs, with the Ray ID highlighted from one of the expanded events to show its details](https://developers.cloudflare.com/_astro/ray-id.CkgisnhS_12rad6.webp) 

Additionally, you can [add filters](https://developers.cloudflare.com/waf/analytics/security-events/#adjust-displayed-data) to look for specific Ray IDs.

![Example of adding a new filter in Security Events for the Block action](https://developers.cloudflare.com/_astro/events-add-filter.DDUuZ0g7_ZC975W.webp) 

Please note that Security Events may use sampled data to improve performance. If sampled data is applied to your search, you might not see all events, and filters might not return the expected results. To display more events, select a smaller timeframe.

### Log Explorer

[Log Explorer](https://developers.cloudflare.com/log-explorer/) provides access to Cloudflare logs with all the context available within the Cloudflare platform. You can monitor security and performance issues with custom dashboards or investigate and troubleshoot issues with log search. Log Explorer allows you to [build queries](https://developers.cloudflare.com/log-explorer/log-search/) for filtering specific Ray IDs.

### Logs

Enterprise customers can enable Ray ID as a field in their [Cloudflare Logs](https://developers.cloudflare.com/logs/).

### Server logs

For more details about sending Ray IDs to your server logs, refer to the [Cf-Ray](https://developers.cloudflare.com/fundamentals/reference/http-headers/#cf-ray) header.
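Once the `cf-ray` header is written to your origin logs, a Ray ID taken from a Security Event can be matched against them. The following is an added example, not Cloudflare code: it indexes origin log lines by Ray ID and, because Ray IDs are not guaranteed to be unique, returns every match and lets you narrow the result by time window and client IP. The log layout (header value as the last quoted field), the header shape (hex ID with an optional `-<data center code>` suffix), and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed origin log layout: combined-style line with the Cf-Ray request
# header appended as the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ray>[^"]*)"$'
)
# Assumed header shape: hex ID with an optional "-<data center code>" suffix.
RAY_RE = re.compile(r"^(?P<id>[0-9a-f]+)(?:-(?P<colo>[a-z]{3}))?$", re.IGNORECASE)

# Constructed sample log. Two requests share one Ray ID; one has no header.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "8f1c2d3e4a5b6c7d-AMS"
203.0.113.10 - - [10/Oct/2025:13:55:37 +0000] "POST /login HTTP/1.1" 403 128 "9a0b1c2d3e4f5a6b-AMS"
198.51.100.7 - - [10/Oct/2025:18:20:01 +0000] "GET /search?q=a HTTP/1.1" 200 2048 "9a0b1c2d3e4f5a6b-AMS"
198.51.100.9 - - [10/Oct/2025:18:21:44 +0000] "GET /health HTTP/1.1" 200 2 "-"
"""


def parse_ts(text):
    """Parse a combined-log timestamp into a timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def normalize_ray(value):
    """Return the lowercase ID part of a Cf-Ray value, or None if it is not one."""
    match = RAY_RE.match(value.strip())
    return match.group("id").lower() if match else None


def index_log(lines):
    """Map Ray ID -> list of log entries. A list, because IDs can repeat."""
    index = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ray = normalize_ray(match.group("ray"))
        if ray is None:
            continue  # no Cf-Ray header was logged for this request
        index[ray].append({
            "time": parse_ts(match.group("ts")),
            "ip": match.group("ip"),
            "request": match.group("request"),
            "status": match.group("status"),
        })
    return index


def lookup(index, ray, near=None, window=timedelta(minutes=5), client_ip=None):
    """Return all entries for a Ray ID, optionally narrowed by time and client IP."""
    ray_id = normalize_ray(ray)
    if ray_id is None:
        return []
    hits = list(index.get(ray_id, []))
    if near is not None:
        hits = [h for h in hits if abs(h["time"] - near) <= window]
    if client_ip is not None:
        hits = [h for h in hits if h["ip"] == client_ip]
    return hits


if __name__ == "__main__":
    idx = index_log(SAMPLE_LOG.splitlines())
    event_time = parse_ts("10/Oct/2025:13:55:00 +0000")
    for hit in lookup(idx, "9a0b1c2d3e4f5a6b", near=event_time):
        print(hit["time"].isoformat(), hit["ip"], hit["status"], hit["request"])
```
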

---

---
title: Cloudflare crawlers
description: Cloudflare may crawl or make HTTP requests to your site to make sure it's protected and performing properly.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare crawlers

Cloudflare may crawl or make HTTP requests to your site to make sure it's protected and performing properly.

## Crawling situations

### Specific products

Cloudflare will crawl your site when you have specific products enabled:

* [**Always Online**](https://developers.cloudflare.com/cache/how-to/always-online/)  
   * _User-Agent_: `Mozilla/5.0 (compatible; CloudFlare-AlwaysOnline/1.0; +http://www.cloudflare.com/always-online)`
* [**Health checks**](https://developers.cloudflare.com/health-checks/)  
   * _User-Agent_: `Mozilla/5.0 (compatible; Cloudflare-Healthchecks/1.0; +https://www.cloudflare.com/; healthcheck-id: <HEALTHCHECK_ID>)`  
   * `HEALTHCHECK_ID` is a 16-character string associated with the health check ID.
* [**Load balancing monitors**](https://developers.cloudflare.com/load-balancing/monitors/)  
   * _User-Agent_: `Mozilla/5.0 (compatible; Cloudflare-Traffic-Manager/1.0; +https://www.cloudflare.com/traffic-manager/; pool-id: <POOL_ID>)`  
   * `POOL_ID` is a 16-character string associated with the load balancing pool ID being monitored.
* [**Prefetch URLs**](https://developers.cloudflare.com/speed/optimization/content/prefetch-urls/)  
   * _User-Agent_: `Mozilla/5.0 (compatible; CloudFlare-Prefetch/0.1; +http://www.cloudflare.com/)`
* [**SSL/TLS recommender**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-tls-recommender/)  
   * _User-Agent_: `Cloudflare-SSLDetector`  
   * This crawler ignores your `robots.txt` file unless there are rules explicitly targeting the user agent.
* [**Security Insights**](https://developers.cloudflare.com/security-center/security-insights/review-insights/)  
   * _User-Agent_: `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 (compatible; +https://developers.cloudflare.com/security-center/)`

### Other situations

Cloudflare will also crawl your site in other, specific situations:

* **Speed tests**  
   * _User-Agent_: `Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 PTST/190628.140653`  
   * _Triggered when_: You launch a speed test from within [the Cloudflare dashboard](https://developers.cloudflare.com/speed/observatory/run-speed-test/).
* **Support diagnostics**:  
   * _User-Agent_: `Cloudflare-diagnostics`  
   * _Triggered when_: Cloudflare Support Engineers perform error checks, and by the continuous monitoring used to raise intelligent alerts in the Cloudflare dashboard.
* **Custom Hostname validation**:  
   * _User-Agent_: `Cloudflare Custom Hostname Verification`  
   * _Triggered when_: You choose to validate a custom hostname with an [HTTP ownership token](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/pre-validation/#http-tokens).
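The User-Agent strings above can be used to label crawler traffic in origin logs, but the header is set by the client, so a match alone does not prove the request came from Cloudflare. The following is an added example, not Cloudflare code: it matches each string exactly (extracting the 16-character health check or pool ID) and treats a request as a Cloudflare crawler only when the source address is also inside a network list you supply. The function names, the `192.0.2.0/24` placeholder network, and the sample requests are constructed for illustration.

```python
import ipaddress
import re


def _exact(ua):
    return re.compile(re.escape(ua))


def _with_id(prefix, key):
    # "<prefix>; <key>: <16-character ID>)" as documented on this page.
    return re.compile(re.escape(prefix) + "; " + re.escape(key) + r": (?P<id>[^\s;()]{16})\)")


# User-Agent strings copied from the lists on this page.
CRAWLER_PATTERNS = [
    ("Always Online", _exact("Mozilla/5.0 (compatible; CloudFlare-AlwaysOnline/1.0; +http://www.cloudflare.com/always-online)")),
    ("Health checks", _with_id("Mozilla/5.0 (compatible; Cloudflare-Healthchecks/1.0; +https://www.cloudflare.com/", "healthcheck-id")),
    ("Load balancing monitors", _with_id("Mozilla/5.0 (compatible; Cloudflare-Traffic-Manager/1.0; +https://www.cloudflare.com/traffic-manager/", "pool-id")),
    ("Prefetch URLs", _exact("Mozilla/5.0 (compatible; CloudFlare-Prefetch/0.1; +http://www.cloudflare.com/)")),
    ("SSL/TLS recommender", _exact("Cloudflare-SSLDetector")),
    ("Security Insights", _exact("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 (compatible; +https://developers.cloudflare.com/security-center/)")),
    ("Speed tests", _exact("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 PTST/190628.140653")),
    ("Support diagnostics", _exact("Cloudflare-diagnostics")),
    ("Custom Hostname validation", _exact("Cloudflare Custom Hostname Verification")),
]

# Constructed placeholder. Replace with the source networks you expect
# Cloudflare's crawlers to use (assumption: you maintain that list yourself).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

HC_UA = ("Mozilla/5.0 (compatible; Cloudflare-Healthchecks/1.0; "
         "+https://www.cloudflare.com/; healthcheck-id: 0123456789abcdef)")

# Constructed sample requests: (source address, User-Agent).
SAMPLE_REQUESTS = [
    ("192.0.2.10", HC_UA),                       # documented UA, trusted source
    ("198.51.100.20", HC_UA),                    # documented UA, unknown source
    ("192.0.2.11", "Cloudflare-SSLDetector"),
    ("198.51.100.21", "Cloudflare-SSLDetector/2.0 (+scanner)"),  # look-alike
    ("192.0.2.12", "Mozilla/5.0 (compatible; Cloudflare-Traffic-Manager/1.0; "
                   "+https://www.cloudflare.com/traffic-manager/; pool-id: 0123456789abcde)"),  # 15-char ID
]


def classify(user_agent, remote_addr, trusted_networks):
    """Match a request against the documented crawlers and check its source."""
    addr = ipaddress.ip_address(remote_addr)
    trusted = any(addr in net for net in trusted_networks)
    for name, pattern in CRAWLER_PATTERNS:
        match = pattern.fullmatch(user_agent)
        if match:
            return {"crawler": name, "id": match.groupdict().get("id"), "source_trusted": trusted}
    return {"crawler": None, "id": None, "source_trusted": trusted}


def triage(requests, trusted_networks):
    """Label each (addr, user_agent) pair for log review."""
    labels = []
    for addr, user_agent in requests:
        result = classify(user_agent, addr, trusted_networks)
        if result["crawler"] is None:
            labels.append("other")
        elif result["source_trusted"]:
            labels.append("cloudflare-crawler")
        else:
            labels.append("ua-claims-cloudflare")  # header matches, source does not
    return labels


if __name__ == "__main__":
    for (addr, ua), label in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS, TRUSTED_NETWORKS)):
        print(f"{label:22} {addr:15} {ua[:60]}")
```
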

---

---
title: Cloudy AI agent (beta)
description: Cloudy is Cloudflare's first version of an AI agent, with assistant-like functionality designed to help users understand and improve their Cloudflare configurations in multiple areas of the product suite.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudy AI agent (beta)

Cloudy is Cloudflare's first version of an AI agent, with assistant-like functionality designed to help users understand and improve their Cloudflare configurations in multiple areas of the product suite.

Cloudy is powered by [Workers AI](https://developers.cloudflare.com/workers-ai/) and helps identify and solve configuration issues, for example by identifying redundant rules, optimizing execution order, analyzing conflicting rules, and identifying disabled rules. Cloudy can also help investigate threat events and provide actionable recommendations.

## Availability

Cloudy, currently in beta, is available in several Cloudflare products such as WAF, Zero Trust, and Analytics. Throughout the rest of 2025, Cloudflare plans to roll out additional AI agent capabilities across other areas of Cloudflare.

Send us your feedback

We want to hear your thoughts as you get to meet Cloudy and try out these new AI features. You can send feedback to us at [cloudyfeedback@cloudflare.com](mailto:cloudyfeedback@cloudflare.com). Your feedback will help shape our roadmap for AI enhancement, and bring our users smarter, more efficient tooling that helps everyone get more secure.

## What data does Cloudy have access to?

Cloudy has access to your Cloudflare configuration. It combines this data with a purpose-built LLM prompt.

Additionally, Cloudy takes Role-Based Access Control (RBAC) restrictions into account: it can only access the same Cloudflare configuration settings as the currently logged-in user, based on their [roles and permissions](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

All your configuration information is only included in the purpose-built prompt — it is not used to train Cloudy or the LLM model(s) powering it.

## Is Cloudy trained on user or customer data?

No. Your Cloudflare configuration is used in the purpose-built prompt that enables Cloudy to turn raw configuration data into consistent, clear summaries and actionable recommendations.

Cloudy does not share your Cloudflare configuration with other customers. Your configuration is also not used for LLM model training.

Cloudy brings the same enterprise-grade security as the rest of Cloudflare's offerings. You can learn more about Cloudflare's approach to responsible AI in the [Trust Hub ↗](https://www.cloudflare.com/trust-hub/responsible-ai/).

## Can I opt out of Cloudy?

Currently, Cloudflare does not provide an opt-out mechanism that completely disables all possible use of Cloudy. You can only opt out of the chat interface available in the Cloudflare dashboard.

However, Cloudy is an entirely optional tool that you can choose not to use. By not using Cloudy, you will not get summaries based on your current configuration or any actionable recommendations.

To opt out of the chat interface, do the following:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and select your account.
2. Go to **Manage Account** \> **Configurations**.
3. Turn off the **Cloudy features** setting.

As noted above, Cloudy is not trained on user or customer data and does not share your Cloudflare setup with other customers.

---

---
title: Connection limits
description: When HTTP/HTTPS traffic is proxied through Cloudflare, there are often two established TCP connections: the first is between the requesting client and Cloudflare, and the second is between Cloudflare and the origin server. Each connection has its own set of TCP and HTTP limits, which are documented below.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Connection limits

When HTTP/HTTPS traffic is [proxied through Cloudflare](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/#cloudflare-as-a-reverse-proxy), there are often two established [TCP connections](https://developers.cloudflare.com/fundamentals/reference/tcp-connections/): the first is between the requesting client and Cloudflare, and the second is between Cloudflare and the origin server. Each connection has its own set of TCP and HTTP limits, which are documented below.

## Between client and Cloudflare

| Type                           | Limit (seconds) | HTTP status code at limit | Configurable |
| ------------------------------ | --------------- | ------------------------- | ------------ |
| Connection Keep-Alive HTTP/1.1 | 400             | TCP connection closed     | No           |
| Connection Idle HTTP/2         | 400             | TCP connection closed     | No           |

## Between Cloudflare and origin server

Note

If you are using [Cloudflare tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), refer to [Origin configuration](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/origin-parameters/) to view or modify your connection settings.

| Type                    | Limit (seconds) | HTTP status code at limit                                                                                           | [Configurable](https://developers.cloudflare.com/fundamentals/reference/connection-limits/#configurable-limits)        |
| ----------------------- | --------------- | ------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| Complete TCP Connection | 19              | [522](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522/) | No                                                                                                                     |
| TCP ACK Timeout         | 90              | [522](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-522/) | No                                                                                                                     |
| TCP Keep-Alive Interval | 30              | [520](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520/) | No                                                                                                                     |
| Proxy Idle Timeout      | 900             | [520](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-520/) | No                                                                                                                     |
| Proxy Read Timeout      | 120             | [524](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524/) | [Yes, for Enterprise zones](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) |
| Proxy Write Timeout     | 30              | [524](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-524/) | No                                                                                                                     |
| HTTP/2 Pings to Origin  | Off             | \-                                                                                                                  | Yes                                                                                                                    |
| HTTP/2 Connection Idle  | 900             | No                                                                                                                  | No                                                                                                                     |

## Configurable limits

Some TCP connections can be customized for Enterprise customers. Reach out to your account team for more details.

## Keep-Alives

Cloudflare maintains keep-alive connections to improve performance and reduce the cost of recurring TCP connects in the request transaction as Cloudflare proxies customer traffic from its global network to the site's origin server.

Ensure HTTP keep-alive connections are enabled on your origin. Cloudflare reuses open TCP connections up to the `Proxy Idle Timeout` limit after the last HTTP request. Origin web servers close TCP connections if too many are open. HTTP keep-alive helps avoid connection resets for requests proxied by Cloudflare.

## Request limits

URLs have a limit of 16 KB. Request headers have a total limit of 128 KB.

## Response limits

Response headers observe a total limit of 128 KB.

## Cache limits

Refer to the [Cache documentation](https://developers.cloudflare.com/cache/concepts/default-cache-behavior/#customization-options-and-limits) for more details about the max upload size and the cacheable file size limits.

---

---
title: Cryptographic Attestation of Personhood
description: Cloudflare developed an alternative to CAPTCHA authentication, the Cryptographic Attestation of Personhood (CAP).
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cryptographic Attestation of Personhood

Cloudflare developed an [alternative ↗](https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/) to CAPTCHA authentication, the Cryptographic Attestation of Personhood (CAP).

CAP lets you prove that you are a legitimate website visitor by touching a hardware key, instead of solving a CAPTCHA puzzle.

This article provides answers to common questions about usability and privacy concerns.

You can also test CAP by going to the [demo site ↗](https://cloudflarechallenge.com/).

## Privacy questions

The answers to most privacy concerns are summarized in this table:

| Property                                              | Cloudflare could                                 | Cloudflare does     |
| ----------------------------------------------------- | ------------------------------------------------ | ------------------- |
| Collect biometrics (fingerprints or face pictures)    | No                                               | N/A                 |
| Collect information about your hardware authenticator | Yes, limited to the number of keys in your batch | Yes, when available |

No, Cloudflare cannot collect biometrics. Our CAP process uses the WebAuthn API, which prevents the collection of [biometrics by default ↗](https://www.w3.org/TR/webauthn-2/#sctn-biometric-privacy). When your device asks for a biometric authentication — such as via a fingerprint sensor — it all happens locally. 

As such, we never see your biometric data: that remains on your device. Once your device confirms a match, it sends only a basic attestation message. In effect, your device sends a message proving “yes, someone correctly entered a fingerprint on this trustworthy device” and never sends the fingerprint itself.

Yes, Cloudflare does collect a limited amount of data about your key. We store the manufacturer of your key and batch identifier ([minimum of 100,000 ↗](https://fidoalliance.org/specs/fido-uaf-v1.1-ps-20170202/fido-uaf-protocol-v1.1-ps-20170202.html#full-basic-attestation) keys per batch) for verification purposes. From our perspective, your key looks like all other keys in the batch.

Some self-signed keys and keys from certain manufacturers have been found to [not meet this requirement ↗](https://www.chromium.org/security-keys) and should be avoided if you are minimizing your online privacy risk.

---

For more details on how we set up Cryptographic Attestation of Personhood, refer to the [introductory blog post ↗](https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/).

---

## What devices are and are not allowed?

### Allowed devices

CAP supports a wide variety of hardware authenticators:

* **Roaming (cross-platform) authenticators**:  
   * _Supported_: All security keys found in the [FIDO Metadata Service 3.0 ↗](https://fidoalliance.org/metadata/), unless they have been revoked for security reasons.  
   * _Examples_: YubiKeys, HyperFIDO keys, Thetis FIDO U2F keys
* **Platform authenticators:**  
   * _Examples_: Apple Touch ID and Face ID on iOS mobile devices and macOS laptops; Android mobile devices with fingerprint readers; Windows Hello

### Known limitations

Most combinations of web browsers and WebAuthn-capable authenticators will work, but there are some known compatibility issues with WebAuthn attestation that may prevent CAP from working successfully:

* **Basic CAP**:  
   * _macOS desktop_: For TouchID, browser must be Safari  
   * _Android_: Browser must be Chrome
* **CAP with Zero-Knowledge Proof**:  
   * _Apple platform authenticators_ (e.g., iPhone with Touch ID/Face ID) are incompatible with the [zero-knowledge proof system ↗](https://blog.cloudflare.com/introducing-zero-knowledge-proofs-for-private-web-attestation-with-cross-multi-vendor-hardware/). If this fails, you will immediately be redirected to the basic CAP route without having to take any further action. Since Apple uses a privacy-preserving [Apple Anonymous Attestation ↗](https://www.w3.org/TR/webauthn/#sctn-apple-anonymous-attestation) to show that an authenticator is valid while blocking tracking, this method maintains a high standard of privacy.

We are updating this list as the ecosystem evolves and as we continue to test different combinations.

## Can hackers bypass the Cryptographic Attestation of Personhood?

CAP is one of many techniques to identify and block bots. To date, we have seen some attempts to test CAP’s security system, such as [one thoughtfully-executed, well-documented test ↗](https://betterappsec.com/building-a-webauthn-click-farm-are-captchas-obsolete-bfab07bb798c). The blog post discussing the test specifically calls out that this method does not break the Cloudflare threat model.

This does not mean that CAP is broken, but rather shows that it raises the cost of an attack over the current CAPTCHA model.

## What happens if I lose my key?

If you do not have the necessary hardware (such as a YubiKey), you can still solve a regular CAPTCHA challenge (e.g., selecting pictures).

## What are the common error codes and what do they mean?

* **Unsupported\_att\_fmt**:  
   * _Cause_: Your authenticator is using an unsupported attestation format (combination of browser and key). Also occurs when you use _Firefox_ and select the option to "anonymise your key".  
   * _Solution:_ If this error occurs during the [zero-knowledge version of CAP ↗](https://blog.cloudflare.com/introducing-zero-knowledge-proofs-for-private-web-attestation-with-cross-multi-vendor-hardware/), you will automatically be redirected to the basic CAP flow. If basic CAP fails, try a different combination of supported hardware device and browser or opt for a CAPTCHA.
* **Unsupported\_issuer**:  
   * _Cause_: Your key is currently not supported.  
   * _Solution_: Use a [supported key](#allowed-devices).

## Related resources

* [https://cloudflarechallenge.com ↗](https://cloudflarechallenge.com/) (demo site)
* [Introducing Cryptographic Attestation of Personhood ↗](https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/) (blog)
* [Expanding Cryptographic Attestation of Personhood ↗](https://blog.cloudflare.com/cap-expands-support/) (blog)
* [Introducing Zero-Knowledge Proofs ↗](https://blog.cloudflare.com/introducing-zero-knowledge-proofs-for-private-web-attestation-with-cross-multi-vendor-hardware/) (blog)

---

---
title: Glossary
description: Review the definitions for terms used across Cloudflare's documentation.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Glossary

Review the definitions for terms used across Cloudflare's documentation.

| Term                                                     | Definition                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Product                     |
| -------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- |
| account                                                  | Accounts group one or more members together with specific roles or permissions. Accounts can be associated with any number of domains.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Fundamentals                |
| ACK (Acknowledge)                                        | The final step in the TCP three-way handshake, confirming the establishment of a connection.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Spectrum                    |
| active zone                                              | A DNS zone that is active on Cloudflare requires changing its nameservers to Cloudflare's for management.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | DNS                         |
| address map                                              | A data structure enabling customers with BYOIP prefixes or account-level static IPs to specify which IP addresses should be mapped to DNS records when they are proxied through Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | BYOIP                       |
| AI crawler                                               | A bot which scrapes content from websites in support of an AI model, including by scraping content for indexing, retrieval augmented generation, or training.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | AI Crawl Control            |
| AI models                                                | [An AI model](https://developers.cloudflare.com/workers-ai/models) is a trained system that processes input data to generate predictions, decisions, or outputs based on patterns it has learned.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Workers AI                  |
| alarm                                                    | A Durable Object alarm is a mechanism that allows you to schedule the Durable Object to be woken up at a time in the future.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Durable Objects             |
| allowlist                                                | An allowlist is a list of items (usually websites, IP addresses, email addresses, etc.) that are permitted to access a system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | WAF                         |
| anycast                                                  | Anycast is a network addressing and routing method in which incoming requests can be routed to a variety of different locations. Anycast typically routes incoming traffic to the nearest data center with the capacity to process the request efficiently.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Cloudflare WAN              |
| apex domain                                              | Apex domain is used to refer to a domain that does not contain a subdomain part, such as example.com (without www.). It is also known as "root domain" or "naked domain".                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | DNS                         |
| API call                                                 | Also known as an API request. An API call is a message sent to a server asking an API to provide a service or information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | API Shield                  |
| API endpoint                                             | The API endpoint is the location where API calls or requests are fulfilled. API Shield defines endpoints as a host, method, and path tuple.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | API Shield                  |
| API key                                                  | An API key is unique to each Cloudflare user and used to confirm identity when using the [Cloudflare API](https://developers.cloudflare.com/api/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Fundamentals                |
| API schema                                               | The API schema defines which API requests are valid based on several request properties like target endpoint, path or query variable format, and HTTP method.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | API Shield                  |
| API token                                                | API tokens authorize access to specific Cloudflare dashboard pages, accounts, and zones. API tokens are associated to the user that created them.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Fundamentals                |
| API Tokens                                               | [API Tokens](https://developers.cloudflare.com/workers-ai/get-started/rest-api/) are authentication credentials used to securely access and manage Workers AI resources via the REST API.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Workers AI                  |
| App Launcher                                             | The App Launcher portal provides end users with a single dashboard to open applications secured by Cloudflare One.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Cloudflare One              |
| application                                              | The resource protected by Cloudflare One, which can be a subdomain, a path, or a SaaS application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Cloudflare One              |
| application token                                        | A piece of data that grants a user access to a specific Access application for a period of time. Can be stored in a browser cookie or passed to the application in place of a normal password.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| attack score                                             | A number from 1 (likely malicious) to 99 (likely clean) classifying how likely an incoming request is malicious or not. Allows you to detect new attack techniques before they are publicly known.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | WAF                         |
| attribute                                                | Traffic that flows through Area 1 can receive one or more attributes, which indicate that a specific condition has been met.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Area 1                      |
| Authenticated Origin Pulls                               | Authenticated Origin Pulls allow origin web servers to validate that a web request came from Cloudflare using TLS client certificate authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | SSL/TLS                     |
| autonomous system numbers (ASNs)                         | A large network or group of networks that has a unified routing policy. Every computer or device that connects to the Internet is connected to an autonomous system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | BYOIP                       |
| Auxiliary Worker                                         | A Worker created locally via the [Workers Vitest integration](https://developers.cloudflare.com/workers/testing/vitest-integration/) that runs in a separate isolate to the test runner, with a different global scope.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Workers                     |
| backup codes                                             | Backup codes allow restoration of Cloudflare account access outside the normal [two-factor authentication process](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/). A backup code becomes invalid after use.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Fundamentals                |
| bandwidth                                                | The maximum rate of data transfer across a network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Speed                       |
| binding                                                  | [Bindings](https://developers.cloudflare.com/workers/runtime-apis/bindings/) allow your Workers to interact with resources on the Cloudflare Developer Platform.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Workers                     |
| bit field matching                                       | Matches raw bits in a packet to certain values specified in your rules.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cloudflare Network Firewall |
| blocklist                                                | A blocklist is a list of items (usually websites, IP addresses, email addresses, etc.) that are prevented from accessing a system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | WAF                         |
| bookmark                                                 | A bookmark represents the state of a database at a specific point in time. Bookmarks are lexicographically sortable. Sorting orders a list of bookmarks from oldest-to-newest.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | D1                          |
| bookmark                                                 | A bookmark is a mostly alphanumeric string like 0000007b-0000b26e-00001538-0c3e87bb37b3db5cc52eedb93cd3b96b which represents a specific state of a SQLite database at a certain point in time. Bookmarks are designed to be lexically comparable: a bookmark representing an earlier point in time compares less than one representing a later point, using regular string comparison.                                                                                                                                                                                                                                                                                                                                                         | Durable Objects             |
| Border Gateway Protocol (BGP)                            | The routing protocol for the Internet, which is responsible for picking the most efficient routes to deliver Internet traffic.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | BYOIP                       |
| bot                                                      | A software application programmed to do tasks that can be used for good (chatbots, search engine crawlers) or for evil (inventory hoarding, credential stuffing).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Bots                        |
| bot score                                                | A score from 1 to 99 that indicates how likely that request came from a bot, in which 1 to 29 is likely automated and 30 to 99 is likely human.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Bots                        |
| bot tags                                                 | Additional information about a bot request, such as why Cloudflare has given it a bot score and whether the request came from a verified bot or a category of verified bots.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Bots                        |
| brotli compression                                       | Brotli compression is a data compression algorithm developed by Google, optimized for web content, and designed to achieve higher compression ratios than traditional algorithms like Gzip.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Speed                       |
| C3                                                       | [C3](https://developers.cloudflare.com/learning-paths/workers/get-started/c3-and-wrangler/) is a command-line tool designed to help you set up and deploy new applications to Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Workers                     |
| cache                                                    | A temporary storage area where frequently accessed data is stored for quick retrieval.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cache                       |
| cache hit                                                | When a requested piece of content is found in the cache, reducing the need to fetch it from the origin server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cache                       |
| cache lock                                               | Cache lock (or mutex) is a mechanism employed by CDN data centers, comprising numerous servers, to prevent the overloading of origin servers. This mechanism ensures that only one server can request a specific file from the origin at any given time, facilitating efficient coordination among the servers.                                                                                                                                                                                                                                                                                                                                                                                                                                | Cache                       |
| cache miss                                               | When a requested piece of content is not found in the cache, requiring the server to fetch it from the origin server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cache                       |
| cached bandwidth (cached egress bandwidth)               | The amount of bandwidth served from Cloudflare without hitting the origin server. Cached bandwidth is the sum of all EdgeResponseBytes where CacheCacheStatus equals hit, stale, updating, ignored, or revalidated.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Cache                       |
| cached requests                                          | The number of requests served from Cloudflare without having to hit the origin server. Cached requests are the sum of all requests where CacheCacheStatus equals hit, stale, updating, ignored. This does not include revalidated since the request had to be sent to the origin server.                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Cache                       |
| cacheTtl                                                 | CacheTtl is a parameter that defines the length of time in seconds that a KV result is cached in the global network location it is accessed from.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | KV                          |
| caching                                                  | The process of storing copies of files or data in a cache to accelerate future requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Cache                       |
| CAPTCHA                                                  | A CAPTCHA test is designed to determine if an online user is really a human and not a bot. CAPTCHA is an acronym that stands for "Completely Automated Public Turing test to tell Computers and Humans Apart."                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Turnstile                   |
| captive portal                                           | A login screen shown to users when they connect to a public Wi-Fi. Captive portals typically occur in places such as airports, cafes, and hotels.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Cloudflare One              |
| category                                                 | A classification describing a crawler's stated purpose: "AI Crawler", "AI Search", "AI Assistant", or "Search Engine". One category per crawler.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | AI Crawl Control            |
| certificate                                              | SSL certificates enable encryption over HTTPS for traffic between a client and a website. SSL certificates contain the website's public key and the website's identity along with related information. Devices attempting to communicate with the origin web server reference the SSL certificate to obtain the public key and verify the server's identity. Cloudflare provides a [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) for each active Cloudflare domain.                                                                                                                                                                                                                      | SSL/TLS                     |
| Certificate Authority (CA)                               | A CA is a trusted third party that provides SSL certificates for encrypting network traffic.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | SSL/TLS                     |
| certificate packs                                        | Certificate packs allow Cloudflare to fallback to a different SSL certificate for browsers that do not support the latest standards. Certificate packs allow Custom SSL certificates to contain different signature algorithms for the same hostnames listed within the SSL certificate without taking up additional Custom SSL certificate quota for your Cloudflare account.                                                                                                                                                                                                                                                                                                                                                                 | SSL/TLS                     |
| certificate pinning                                      | A security mechanism used to prevent on-path attacks on the Internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it is trusted by the system, the application will refuse to connect.                                                                                                                                                                                                                                                                                                                                                                                                                                                               | SSL/TLS                     |
| Certification Authority Authorization (CAA) record       | A CAA record declares which CAs are allowed to issue an SSL certificate for a domain.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | SSL/TLS                     |
| cf-aig-backoff                                           | Header to customize the backoff type for [request retries](https://developers.cloudflare.com/ai-gateway/configuration/request-handling/#request-retries) of a request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | AI Gateway                  |
| cf-aig-cache-key                                         | The [cf-aig-cache-key-aig-cache-key](https://developers.cloudflare.com/ai-gateway/features/caching/#custom-cache-key-cf-aig-cache-key) let you override the default cache key in order to precisely set the cacheability setting for any resource.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | AI Gateway                  |
| cf-aig-cache-status                                      | [Status indicator for caching](https://developers.cloudflare.com/ai-gateway/features/caching/#default-configuration), showing if a request was served from cache.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | AI Gateway                  |
| cf-aig-cache-ttl                                         | Specifies the [cache time-to-live for responses](https://developers.cloudflare.com/ai-gateway/features/caching/#cache-ttl-cf-aig-cache-ttl).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | AI Gateway                  |
| cf-aig-collect-log                                       | The [cf-aig-collect-log](https://developers.cloudflare.com/ai-gateway/observability/logging/#collect-logs-cf-aig-collect-log) header allows you to bypass the default log setting for the gateway.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | AI Gateway                  |
| cf-aig-custom-cost                                       | Allows the [customization of request cost](https://developers.cloudflare.com/ai-gateway/configuration/custom-costs/#custom-cost) to reflect user-defined parameters.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | AI Gateway                  |
| cf-aig-dlp                                               | A response header returned when a [DLP policy](https://developers.cloudflare.com/ai-gateway/features/dlp/set-up-dlp/#dlp-response-header) matches a request or response. Contains JSON with the action taken (Flag or Block), matched policy IDs, matched profile IDs, and detection entry IDs.                                                                                                                                                                                                                                                                                                                                                                                                                                                | AI Gateway                  |
| cf-aig-event-id                                          | [cf-aig-event-id](https://developers.cloudflare.com/ai-gateway/evaluations/add-human-feedback-api/#3-retrieve-the-cf-aig-log-id) is a unique identifier for an event, used to trace specific events through the system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | AI Gateway                  |
| cf-aig-log-id                                            | The [cf-aig-log-id](https://developers.cloudflare.com/ai-gateway/evaluations/add-human-feedback-api/#3-retrieve-the-cf-aig-log-id) is a unique identifier for the specific log entry to which you want to add feedback.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | AI Gateway                  |
| cf-aig-max-attempts                                      | Header to customize the number of max attempts for [request retries](https://developers.cloudflare.com/ai-gateway/configuration/request-handling/#request-retries) of a request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | AI Gateway                  |
| cf-aig-metadata                                          | [Custom metadata](https://developers.cloudflare.com/ai-gateway/configuration/custom-metadata/)allows you to tag requests with user IDs or other identifiers, enabling better tracking and analysis of your requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | AI Gateway                  |
| cf-aig-request-timeout                                   | Header to trigger a fallback provider based on a [predetermined response time](https://developers.cloudflare.com/ai-gateway/configuration/fallbacks/#request-timeouts) (measured in milliseconds).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | AI Gateway                  |
| cf-aig-retry-delay                                       | Header to customize the retry delay for [request retries](https://developers.cloudflare.com/ai-gateway/configuration/request-handling/#request-retries) of a request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | AI Gateway                  |
| cf-aig-skip-cache                                        | Header to [bypass caching for a specific request](https://developers.cloudflare.com/ai-gateway/features/caching/#skip-cache-cf-aig-skip-cache).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | AI Gateway                  |
| cf-aig-step                                              | [cf-aig-step](https://developers.cloudflare.com/ai-gateway/configuration/fallbacks/#response-headercf-aig-step) identifies the processing step in the AI Gateway flow for better tracking and debugging.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | AI Gateway                  |
| cf-cache-ttl                                             | Deprecated: This header is replaced by cf-aig-cache-ttl. It specifies cache time-to-live.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | AI Gateway                  |
| cf-skip-cache                                            | Deprecated: This header is replaced by cf-aig-skip-cache. It bypasses caching for a specific request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | AI Gateway                  |
| Challenge solve rate (CSR)                               | The percentage of issued challenges that were solved.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Bots                        |
| CIDR                                                     | CIDR stands for Classless Inter-Domain Routing. CIDR often refers to CIDR notation, which is an IP address represented as a series of four 8-bit octets, separated by dots (e.g., 192.168.1.1). Additionally, CIDR notation includes a suffix that indicates the number of bits used for the network portion of the address. The format is typically written as "/X," where X is the number of bits in the network portion.                                                                                                                                                                                                                                                                                                                    | Fundamentals                |
| cipher suite                                             | A set of encryption algorithms for establishing a secure communications connection. There are several cipher suites in wide use, and a client and server agree on the cipher suite to use when establishing the TLS connection. Support of multiple cipher suites allows compatibility across various clients.                                                                                                                                                                                                                                                                                                                                                                                                                                 | SSL/TLS                     |
| client-side resource                                     | A file with JavaScript code loaded by your visitors' browser, or a connection made by one of the loaded scripts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Client-side security        |
| cloud                                                    | A network of remote servers used to store and maintain data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Fundamentals                |
| Cloudflare Access                                        | Cloudflare Access replaces corporate VPNs with Cloudflare's network. It verifies attributes such as identity and device posture to grant users secure access to internal tools.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| Cloudflare Browser Isolation                             | Cloudflare Browser Isolation seamlessly executes active webpage content in a secure isolated browser to protect users from zero-day attacks, malware, and phishing.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Cloudflare One              |
| Cloudflare CASB                                          | Cloudflare CASB provides comprehensive visibility and control over SaaS apps to prevent data leaks and compliance violations. It helps detect insider threats, shadow IT, risky data sharing, and bad actors.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Cloudflare One              |
| Cloudflare Dashboard                                     | [Cloudflare Dashboard](https://developers.cloudflare.com/workers-ai/get-started/dashboard/) is a web-based interface that allows users to manage Workers AI services, including model deployment and monitoring.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Workers AI                  |
| Cloudflare Data Loss Prevention (DLP)                    | Cloudflare [Data Loss Prevention](https://www.cloudflare.com/learning/access-management/what-is-dlp/) (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code.                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| Cloudflare DEX                                           | Cloudflare Digital Experience Monitoring (DEX) provides visibility into device, network, and application performance across your Zero Trust Organization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Cloudflare One              |
| Cloudflare Gateway                                       | Cloudflare Gateway is a modern next-generation firewall between your user, device, or network and the public Internet. It includes DNS filtering to inspect and apply policies to all Internet-bound DNS queries.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Cloudflare One              |
| Cloudflare One                                           | The name for Cloudflare's Secure Access Service Edge (SASE) platform, which includes Zero Trust and network services.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cloudflare One              |
| Cloudflare One Agent                                     | The name of the Cloudflare One Client app on iOS and Android devices.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cloudflare One              |
| Cloudflare One Client                                    | An application that connects corporate devices to Cloudflare for private network access, advanced web filtering, and other security functions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| Cloudflare Tunnel                                        | Cloudflare Tunnel uses software agents (cloudflared or WARP Connector) to establish a secure connection between a private network and Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Cloudflare One              |
| Cloudflare Zero Trust                                    | Cloudflare Zero Trust provides the power of Cloudflare's global network to your internal teams and infrastructure. It empowers users with secure, fast, and seamless access to any device on the Internet.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Cloudflare One              |
| cloudflared                                              | The software powering Cloudflare Tunnel. It runs on origin servers to connect applications or private networks to Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Cloudflare One              |
| cloudflared replica                                      | An additional instance of cloudflared that points to the same Cloudflare Tunnel. It ensures that your network remains online in case a single host running cloudflared goes down.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Cloudflare One              |
| CNAME setup                                              | Also known as partial setup, a CNAME setup allows you to use Cloudflare's reverse proxy without using Cloudflare for your authoritative nameservers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | DNS                         |
| code example                                             | A code example illustrates how to use a programming element to implement specific functionality                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Fundamentals                |
| compression                                              | The process of reducing the size of files or data to speed up their transfer over the network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Speed                       |
| consumer                                                 | A consumer is the term for a client that is subscribing to or consuming messages from a queue.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Queues                      |
| content delivery network (CDN)                           | A geographically distributed group of servers which work together to provide fast delivery of Internet content.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Fundamentals                |
| content object                                           | A content object is any binary part of a request body (as detected by Cloudflare systems) that does not match any of the following content types: text/html, text/x-shellscript, application/json, text/csv, or text/xml.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | WAF                         |
| content security policy (CSP)                            | An added layer of security that helps detect and mitigate certain types of attacks such as cross-site scripting (XSS) attacks.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Fundamentals                |
| Content Signals                                          | An emerging IETF standard for expressing AI content preferences via HTTP headers or metadata. Aims to replace non-standard vendor signals. Refer to contentsignals.org.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | AI Crawl Control            |
| Context Window                                           | In generative AI, the context window is the sum of the number of input, reasoning, and completion or response tokens a model supports. You can find the context window limit on each [model page](https://developers.cloudflare.com/workers-ai/models/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Workers AI                  |
| core web vitals                                          | Core web vitals are a set of user-centric performance metrics, including Largest Contentful Paint (LCP), Cumulative Layout Shift (CLS), and First Input Delay (FID), used by Google to assess the overall user experience of a webpage.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Speed                       |
| CPU time                                                 | [CPU time](https://developers.cloudflare.com/workers/platform/limits/#cpu-time) is the amount of time the central processing unit (CPU) actually spends doing work, during a given request.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Workers                     |
| crawl                                                    | A single HTTP request from a bot to access a page on your site.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | AI Crawl Control            |
| crawler                                                  | A specific bot operated by a company to access web content. One operator (like OpenAI) may run multiple crawlers (GPTBot, ChatGPT-User).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | AI Crawl Control            |
| credential stuffing                                      | Credential stuffing is the automated injection of stolen username and password pairs (known as "credentials") into website login forms, trying to gain access to user accounts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | WAF                         |
| credit                                                   | An amount applied to a specific Cloudflare account as credit for recurring subscriptions or plan payments. The Cloudflare billing system automatically applies credits in the next billing cycle.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Fundamentals                |
| Cron Triggers                                            | [Cron Triggers](https://developers.cloudflare.com/workers/configuration/cron-triggers/) allow users to map a cron expression to a Worker using a [scheduled() handler](https://developers.cloudflare.com/workers/runtime-apis/handlers/scheduled/) that enables Workers to be executed on a schedule.                                                                                                                                                                                                                                                                                                                                                                                                                                          | Workers                     |
| cumulative layout shift (CLS)                            | Cumulative layout shift (CLS) is a web performance metric that quantifies the visual stability of a webpage by measuring the sum of unexpected layout shifts of elements during the page's loading and rendering process.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Speed                       |
| D1                                                       | [D1](https://developers.cloudflare.com/d1/) is Cloudflare's native serverless database.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Workers                     |
| D1                                                       | [D1](https://developers.cloudflare.com/d1/) is Cloudflare's managed, serverless database with SQLite's SQL semantics, built-in disaster recovery, and Worker and HTTP API access.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Workers AI                  |
| daemon                                                   | A program that performs tasks without active management or maintenance.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cloudflare One              |
| data center                                              | A physical location where servers run and other IT operations are hosted.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Fundamentals                |
| data packet                                              | A data packet is a unit of data consisting of user and control information. Information in a network is broken down into packets, that might follow different paths to their final destination.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare WAN              |
| debugging                                                | The process of identifying and resolving errors or issues within software applications or systems, often facilitated by analyzing log data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Logs                        |
| demo application                                         | A demo application is a functional application in GitHub that you can clone and deploy on your own.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Fundamentals                |
| denial-of-service (DoS) attack                           | A DoS attack is a type of cyber attack in which an attacker aims to render a computer or other device unavailable to its intended users by interrupting the device's normal functioning.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Fundamentals                |
| deployment                                               | [Deployments](https://developers.cloudflare.com/workers/configuration/versions-and-deployments/#deployments) track the version(s) of your Worker that are actively serving traffic.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Workers                     |
| deprecation                                              | Deprecation in software development involves officially labeling a feature as outdated. While a deprecated software feature remains within the software, users are warned and encouraged to adopt alternatives. Eventually, deprecated features may be removed. This approach ensures backward compatibility and gives programmers time to update their code.                                                                                                                                                                                                                                                                                                                                                                                  | Logs                        |
| detection ID                                             | Static rules that are used to detect predictable bot behavior with no overlap with human traffic.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Bots                        |
| device posture                                           | A way to evaluate the security of a user's device, for example by verifying its serial number or checking if it has the latest software updates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Cloudflare One              |
| device profile                                           | A collection of WARP client settings applied to a specific set of devices in your organization.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| device registration                                      | An individual session of the WARP client on a physical device, with associated configuration including a unique public key, device profile, and virtual IP addresses (one IPv4 and one IPv6).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Cloudflare One              |
| disposition                                              | Represents Area 1's evaluation of a specific message. For example, after evaluating an email it may get a disposition of malicious. Email messages with this disposition exhibit characteristics typical of malicious emails.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Area 1                      |
| distributed denial-of-service (DDoS) attack              | A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Fundamentals                |
| DNS filtering                                            | DNS filtering uses the Domain Name System to block malicious websites and filter out harmful content, enhancing security and access control.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Cloudflare One              |
| DNS location                                             | DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Cloudflare One              |
| DNS over HTTPS                                           | DNS over HTTPS (DoH) is a standard for encrypting DNS traffic via the HTTPS protocol, preventing tracking and spoofing of DNS queries.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | DNS                         |
| DNS over TLS                                             | DNS over TLS (DoT) is a standard for encrypting DNS traffic using its own port (853) and TLS encryption.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | DNS                         |
| DNS record                                               | DNS records are instructions that live in authoritative DNS servers and provide information about a domain, including what IP address is associated with that domain and how to handle requests for that domain.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | DNS                         |
| DNS server                                               | DNS servers translate human-readable domain names into IP addresses, eliminating the need to remember complex IP addresses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | DNS                         |
| DNS zone                                                 | A portion of the DNS namespace that is managed by a specific organization or administrator.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | DNS                         |
| DoH subdomain                                            | A unique DoH subdomain for each DNS location in Cloudflare One used in WARP client settings.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Cloudflare One              |
| domain                                                   | The domain name of your application on Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Fundamentals                |
| domain control validation (DCV)                          | Process by which a certificate authority (CA) can verify domain ownership before issuing an SSL/TLS certificate.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | SSL/TLS                     |
| Domain Name System (DNS)                                 | The Domain Name System (DNS) is the phonebook of the Internet. DNS translates domain names to IP addresses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | DNS                         |
| downtime                                                 | Downtime is the duration during which a system, service, or equipment is not operational or unavailable for use.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Waiting Room                |
| Durable Execution                                        | "Durable Execution" is a programming model that allows applications to execute reliably, automatically persist state, retry, and be resistant to errors caused by API, network or even machine/infrastructure failures. Cloudflare Workflows provide a way to build and deploy applications that align with this model.                                                                                                                                                                                                                                                                                                                                                                                                                        | Workflows                   |
| Durable Object                                           | A Durable Object is an individual instance of a Durable Object class. A Durable Object is globally unique (referenced by ID), provides a global point of coordination for all methods/requests sent to it, and has private, persistent storage that is not shared with other Durable Objects within a namespace.                                                                                                                                                                                                                                                                                                                                                                                                                               | Durable Objects             |
| Durable Object class                                     | The JavaScript class that defines the methods (RPC) and handlers (fetch, alarm) as part of your Durable Object, and/or an optional constructor. All Durable Objects within a single namespace share the same class definition.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Durable Objects             |
| Durable Objects                                          | The product name, or the collective noun referring to more than one Durable Object.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Durable Objects             |
| Durable Objects                                          | [Durable Objects](https://developers.cloudflare.com/durable-objects/) is a globally distributed coordination API with strongly consistent storage.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Workers                     |
| duration                                                 | [Duration](https://developers.cloudflare.com/workers/platform/limits/#duration) is a measurement of wall-clock time — the total amount of time from the start to end of an invocation of a Worker.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Workers                     |
| dynamic content                                          | Dynamic content refers to website content that changes based on factors specific to the user such as time of visit, location, and device. News websites or social media are examples of this type of content. For this type of website, content has to be fetched from the origin server every time it is requested.                                                                                                                                                                                                                                                                                                                                                                                                                           | Cache                       |
| edge certificate                                         | The SSL/TLS certificates that Cloudflare presents to clients visiting your website or application. Because of [how Cloudflare works](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/), there can actually be [two certificates involved in a single request](https://developers.cloudflare.com/ssl/concepts/): an edge certificate and an origin certificate.                                                                                                                                                                                                                                                                                                                                                    | SSL/TLS                     |
| edge response status code                                | HTTP response code sent from Cloudflare to the client (end user). The Cloudflare dashboard **Analytics** app uses the edge response status code.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Fundamentals                |
| edge server                                              | A server located at the edge of a network, typically within a CDN, that serves content to end-users.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Cache                       |
| EDNS Client Subnet (ECS)                                 | ECS is a DNS extension that enables recursive DNS resolvers to include client IP address information in their DNS queries. Not all resolvers use ECS but, if they do, usually a part of the IP address is omitted. Sending ECS headers is generally intended to reduce latency and speed up content delivery in connection to [CDNs](https://developers.cloudflare.com/glossary/?term=cdn) and [load balancers](https://www.cloudflare.com/learning/performance/what-is-load-balancing/). The ECS mechanism is specified in [RFC 7871](https://www.rfc-editor.org/rfc/rfc7871.html).                                                                                                                                                           | DNS                         |
| encryption algorithm                                     | An encryption algorithm is a set of mathematical operations performed on data to ensure the data is only understood by the intended recipient.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | SSL/TLS                     |
| endpoint                                                 | Any service or hardware that intercepts and processes incoming public or private traffic. Examples of endpoints include origins, hostnames, private or public IP addresses, virtual IP addresses (VIPs), servers, and other dedicated hardware boxes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Load Balancing              |
| environment                                              | [Environments](https://developers.cloudflare.com/workers/wrangler/environments/) allow you to deploy the same Worker application with different configuration for each environment. Only available for use with a [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/).                                                                                                                                                                                                                                                                                                                                                                                                                            | Workers                     |
| environment variable                                     | [Environment variables](https://developers.cloudflare.com/workers/configuration/environment-variables/) are a type of binding that allow you to attach text strings or JSON values to your Worker.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Workers                     |
| Environment Variables                                    | [Environment Variables](https://developers.cloudflare.com/workers-ai/configuration/bindings/) are dynamic values that can be used within Workers to manage configuration settings, including those related to AI integrations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Workers AI                  |
| equal-cost multi-path routing                            | A technique that uses hashes calculated from packet data to determine the route chosen.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cloudflare WAN              |
| error page                                               | An error page is a webpage shown to users when they try to access a specific webpage or resource that is unavailable due to a server error, broken link, or other issues. It typically includes details about the encountered error and offers potential solutions or guidance to help users navigate the problem.                                                                                                                                                                                                                                                                                                                                                                                                                             | Waiting Room                |
| event                                                    | An occurrence or happening that is significant and worthy of being recorded in a log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Logs                        |
| Event                                                    | The event that triggered the Workflow instance. A WorkflowEvent may contain optional parameters (data) that a Workflow can operate on.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Workflows                   |
| Extended Validation (EV) certificate                     | EV certificates provide maximum trust to visitors, but require the most validation effort by the CA. EV certificates show the name of the company or organization in the address bar of the visitor’s browser. An EV certificate requires additional documentation by the company or organization in order for the CA to approve the certificate.                                                                                                                                                                                                                                                                                                                                                                                              | SSL/TLS                     |
| feature                                                  | A feature is a setting in the Cloudflare dashboard that corresponds to functionality within a Cloudflare product or API.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Fundamentals                |
| Fine-Tuning                                              | [Fine-Tuning](https://developers.cloudflare.com/workers-ai/fine-tunes/) is a general term for modifying an AI model by continuing to train it with additional data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Workers AI                  |
| firewall                                                 | A firewall is a security system that monitors and controls network traffic based on a set of security rules.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | WAF                         |
| firewall-as-a-service                                    | Also known as cloud firewall. A security product that is hosted in the cloud.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Cloudflare Network Firewall |
| first contentful paint (FCP)                             | First contentful paint (FCP) is a web performance metric that measures the time it takes for the first piece of content to be rendered on the screen during the loading of a web page.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Speed                       |
| first input delay (FID)                                  | First input delay (FID) is a web performance metric that measures the delay between a user's first interaction with a page (for example, clicking a button) and the moment the browser responds, indicating the page's interactivity and responsiveness.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Speed                       |
| fleet                                                    | A fleet is a collection of user devices. All devices in a fleet have WARP installed and are connected to a [Zero Trust Organization](https://developers.cloudflare.com/cloudflare-one/setup/#create-a-zero-trust-organization).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| flow data                                                | Represents records of communication between devices. There are a number of flow data protocols, such as NetFlow or sFlow.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Network Flow                |
| FTP (File Transfer Protocol)                             | A standard network protocol used for transferring files from one host to another over a TCP-based network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Spectrum                    |
| FTPS (File Transfer Protocol Secure)                     | An extension of FTP that adds support for the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) cryptographic protocols.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Spectrum                    |
| Function Calling                                         | [Function Calling](https://developers.cloudflare.com/workers-ai/function-calling/) enables people to take Large Language Models (LLMs) and use the model response to execute functions or interact with external APIs.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Workers AI                  |
| GRE tunnel                                               | Stands for generic routing encapsulation. It is a protocol wrapping one data packet within another type of data packet. This is useful for enabling protocols that are not normally supported by a network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Cloudflare WAN              |
| handler                                                  | [Handlers](https://developers.cloudflare.com/workers/runtime-apis/handlers/) are methods on Workers that can receive and process external inputs, and can be invoked from outside your Worker.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Workers                     |
| health check                                             | Requests issued by a monitor at regular intervals that, depending on the monitor settings, return a **pass** or **fail** value to make sure an endpoint is still able to receive traffic. Each health monitor request is trying to answer two questions: **Is the endpoint offline?**: Does the endpoint respond to the health monitor request at all? If so, does it respond quickly enough (as specified in the monitor's **Timeout** field)? **Is the endpoint working as expected?**: Does the endpoint respond with the expected HTTP response codes? Does it include specific information in the response body? If the answer to either of these questions is "No", then the endpoint fails the health monitor request. | Load Balancing              |
| Hops                                                     | Hops refer to the stops an email makes as it travels from the sender to the recipient.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cloudflare One              |
| hostname                                                 | The name given to a server or node on a network, often the public DNS name of a server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | DNS                         |
| HTTP request                                             | An HTTP request is the way Internet communications platforms such as web browsers ask for the information they need to load a website.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Fundamentals                |
| ICMP                                                     | Internet Control Message Protocol (ICMP) is used by network devices to send error messages and other operational information. ICMP is useful for diagnostic purposes, for example.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Cloudflare WAN              |
| identity provider                                        | An identity provider (IdP) stores and manages users' digital identities, enabling single sign-on and authentication for multiple applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| idle connection                                          | When a TCP connection is in an idle state, it means that the connection has been established, but neither endpoint is sending any data. In the context of HTTP, an idle connection is when an established connection between a client and a server is not currently transmitting any HTTP requests or responses.                                                                                                                                                                                                                                                                                                                                                                                                                               | Fundamentals                |
| iFrame                                                   | An iFrame, short for Inline Frame, is an HTML element used to embed and display external content within a webpage, allowing the incorporation of another document or web page seamlessly within the main document.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Waiting Room                |
| In-band pricing                                          | Pricing transmitted in HTTP response headers alongside content. In Pay Per Crawl, the origin sets prices via the crawler-price header.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | AI Crawl Control            |
| Inference                                                | [Inference](https://developers.cloudflare.com/workers-ai/fine-tunes/public-loras/#running-inference-with-public-loras) refers to the process of using a trained machine learning model to make predictions or generate outputs based on new data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Workers AI                  |
| initial resolved IP                                      | A unique, ephemeral IP address that Gateway assigns to DNS queries when filtering network traffic by hostname. The IP is randomly selected from the 100.80.0.0/16 (IPv4) or 2606:4700:0cf1:4000::/64 (IPv6) range.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Cloudflare One              |
| input gate                                               | While a storage operation is executing, no events shall be delivered to a Durable Object except for storage completion events. Any other events will be deferred until such a time as the object is no longer executing JavaScript code and is no longer waiting for any storage operations. We say that these events are waiting for the "input gate" to open.                                                                                                                                                                                                                                                                                                                                                                                | Durable Objects             |
| instance                                                 | See "Durable Object".                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Durable Objects             |
| instance                                                 | A specific instance (running, paused, errored) of a Workflow. A Workflow can have a potentially infinite number of instances.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Workflows                   |
| interaction to next paint (INP)                          | Interaction to next paint (INP) is a web performance metric that measures the time it takes for a web page to become interactive and respond to user input after the initial paint, providing insights into the user experience during the interaction phase of page loading.                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Speed                       |
| intermediate certificate                                 | For security purposes, CAs issue intermediate certificates for signing website certificates. Intermediate certificates provide a means for the CA to revoke a single intermediate certificate, thus affecting only a small subset of website certificates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | SSL/TLS                     |
| Internet                                                 | The Internet is a global system of computer networks that provides a wide range of information and communication facilities.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Fundamentals                |
| Internet key exchange (IKE)                              | The protocol Cloudflare uses to create the IPsec tunnel between Cloudflare WAN and the customer's device.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Cloudflare WAN              |
| Internet Routing Registry (IRR)                          | A globally distributed database of routing information which contains announced routes and routing policies in a common format. Network operators use this information, as well as [RPKI](https://developers.cloudflare.com/byoip/concepts/route-filtering-rpki/), to configure backbone routers.                                                                                                                                                                                                                                                                                                                                                                                                                                              | BYOIP                       |
| IP address                                               | IP stands for Internet Protocol, which is the set of rules that makes it possible for devices to communicate over the Internet. With billions of people accessing the Internet every day, unique identifiers are necessary to keep track of who is doing what. The Internet Protocol solves this by assigning IP numbers to every device accessing the Internet. Every assigned number is an IP address.                                                                                                                                                                                                                                                                                                                                       | Fundamentals                |
| IP spoofing                                              | IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address to hide the identity of the sender, impersonate another computer system, or both.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | DDoS Protection             |
| IPsec tunnel                                             | Stands for Internet Protocol secure. It is a group of protocols for securing connections between devices, by encrypting IP packets.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Cloudflare WAN              |
| isolate                                                  | [Isolates](https://developers.cloudflare.com/workers/reference/how-workers-works/#isolates) are lightweight contexts that provide your code with variables it can access and a safe environment to be executed within.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Workers                     |
| JA3 fingerprint                                          | JA3 and JA4 fingerprints profile specific SSL/TLS clients across different destination IPs, ports, and X.509 certificates. | Bots                        |
| JSON web token                                           | A compact way to securely transmit information between parties as a JSON object, often used for authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| JSON web token (JWT)                                     | A common authentication and authorization method used in web applications and APIs.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Rules                       |
| JSON-friendly                                            | JSON-friendly refers to data or formats that are easily and naturally represented in JSON (JavaScript Object Notation), a lightweight data interchange format, without requiring complex transformations or modifications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Waiting Room                |
| KV                                                       | [Workers KV](https://developers.cloudflare.com/kv/) is Cloudflare's key-value data storage.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Workers                     |
| KV API                                                   | API methods that are part of the Storage API and support persisting key-value data. | Durable Objects             |
| KV namespace                                             | A KV namespace is a key-value database replicated to Cloudflare’s global network. A KV namespace requires a binding and an id. | KV                          |
| largest contentful paint (LCP)                           | Largest contentful paint (LCP) is a web performance metric that measures the time it takes for the largest content element to be fully rendered and visible to the user during the loading of a web page.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Speed                       |
| latency                                                  | The delay between a user action and the corresponding response from the system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Speed                       |
| layer 3                                                  | The network layer in the OSI model, responsible for logical addressing, routing, and forwarding of data between devices on different networks.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Spectrum                    |
| layer 4                                                  | The transport layer in the OSI model, managing end-to-end communication, error-checking, and flow control.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Spectrum                    |
| lazy loading                                             | Loading images or other resources only when they are about to be displayed, rather than loading everything at once.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Speed                       |
| leaked credentials                                       | Leaked credentials refers to sensitive authentication information disclosed in some way (for example, due to misconfigurations, data breaches, or simple human error), allowing other parties to gain access to digital resources. Credentials may include usernames, passwords, API keys, authentication tokens, or private keys.                                                                                                                                                                                                                                                                                                                                                                                                             | WAF                         |
| legitimate traffic                                       | Legitimate traffic refers to authorized and permissible network activity, data transmissions, or communications that adhere to established norms and rules within a given system or network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Waiting Room                |
| letter of agency                                         | Sometimes referred to as a Letter of Authorization. A document that authorizes Cloudflare to advertise your prefixes. This is required so transit providers can accept the routes Cloudflare advertises on your behalf.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Magic Transit               |
| LLM                                                      | A machine learning model that can comprehend and generate human language text. It works by analyzing massive data sets of language.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | WAF                         |
| locally-managed tunnel                                   | A Cloudflare Tunnel that was created by running cloudflared tunnel create <NAME> on the command line. Tunnel configuration is stored in your local cloudflared directory.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Cloudflare One              |
| log                                                      | A chronological record of events, actions, or transactions, typically used for tracking and troubleshooting purposes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Logs                        |
| log file                                                 | A file containing a collection of log entries, usually stored in a structured or semi-structured format.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Logs                        |
| logging                                                  | The process of recording events, actions, or transactions in a log.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Logs                        |
| LoRA Adapters                                            | [LoRA Adapters](https://developers.cloudflare.com/workers-ai/fine-tunes/loras/) (Low-Rank Adaptation adapters) are used in machine learning to fine-tune models efficiently by adjusting a small number of parameters, allowing for customization of AI models in Workers AI.[Public LoRA Adapters](https://developers.cloudflare.com/workers-ai/fine-tunes/public-loras/) are pre-trained Low-Rank Adaptation adapters available for public use.                                                                                                                                                                                                                                                                                              | Workers AI                  |
| managed network                                          | A network location, such as an office, that is associated with a specific WARP client device profile.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cloudflare One              |
| maximum segment size (MSS)                               | MSS limits the size of packets, or small chunks of data, that travel across a network, such as the Internet.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Cloudflare WAN              |
| Maximum Tokens                                           | In generative AI, the user-defined property max\_tokens defines the maximum number of tokens at which the model should stop responding. This limit cannot exceed the context window.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Workers AI                  |
| MCP client                                               | A Model Context Protocol (MCP) client is an AI program that can request information and receive responses from an MCP server. Examples of MCP clients include Claude Desktop, Cursor AI, and Windsurf.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cloudflare One              |
| MCP server                                               | A web application that allows AI agents to access third-party data sources and APIs using the Model Context Protocol (MCP). For example, you can use an MCP server to connect an AI assistant to your Google Drive account.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Cloudflare One              |
| MCP server portal                                        | A web application in Cloudflare One that serves as a gateway to multiple MCP servers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cloudflare One              |
| MCP server tool                                          | An integration provided by an MCP server which allows an AI agent to perform a limited set of actions on a third-party system.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| MDM file                                                 | A Mobile Device Management (MDM) file is a configuration file that allows organizations to manage the software, settings, and certificates installed on their devices.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cloudflare One              |
| member or user                                           | A member or user is an email account in Cloudflare that you can grant access to your organization account. Members belonging to multiple accounts can select which account to manage via the Cloudflare dashboard.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Fundamentals                |
| Merchant of Record                                       | The entity who facilitates "buying and selling". For pay per crawl, Cloudflare is the merchant of record.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | AI Crawl Control            |
| metadata                                                 | A metadata is a serializable value you append to each KV entry.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | KV                          |
| MFA                                                      | Multi-factor authentication (MFA) checks multiple aspects of a user's identity, not only their username and password, before allowing them access to an application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Cloudflare One              |
| migration                                                | A Durable Object migration is a mapping process from a class name to a runtime state. Initiate a Durable Object migration when you need to: Create a new Durable Object class. Rename a Durable Object class. Delete a Durable Object class. Transfer an existing Durable Objects class.                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Durable Objects             |
| minification                                             | The process of removing unnecessary characters from code (such as whitespace or comments) to reduce file size and improve loading times.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Speed                       |
| mitigated request                                        | A request to which Cloudflare applied a terminating action such as block or challenge.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | WAF                         |
| Model Catalog                                            | [Model Catalog](https://developers.cloudflare.com/workers-ai/models/) is a curated collection of AI models available within Workers AI, providing developers with a variety of pre-trained models for different tasks.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Workers AI                  |
| module Worker                                            | Refers to a Worker written in [module syntax](https://developers.cloudflare.com/workers/reference/migrate-to-module-workers/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Workers                     |
| monitor                                                  | A monitor issues health monitor requests at regular intervals to evaluate the health of each endpoint within a [pool](https://developers.cloudflare.com/load-balancing/pools/). When a pool [becomes unhealthy](https://developers.cloudflare.com/load-balancing/understand-basics/health-details/), your load balancer takes that pool out of the endpoint rotation.                                                                                                                                                                                                                                                                                                                                                                          | Load Balancing              |
| MQTT (Message Queuing Telemetry Transport)               | A lightweight, publish-subscribe messaging protocol often used for communication in the Internet of Things (IoT) and other resource-constrained scenarios.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Spectrum                    |
| mTLS (mutual TLS)                                        | [Mutual TLS (mTLS)](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) authentication is a common security practice that uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.                                                                                                                                                                                                                                                                                                          | SSL/TLS                     |
| nameserver                                               | A nameserver is a dedicated server that translates human readable hostnames (www.example.com) into IP addresses. Nameservers like root servers, TLD servers, and [authoritative nameservers](https://developers.cloudflare.com/dns/nameservers/) are fundamental components of the Domain Name System (DNS).                                                                                                                                                                                                                                                                                                                                                                                                                                   | DNS                         |
| namespace                                                | A logical collection of Durable Objects that all share the same Durable Object (class) definition. A single namespace can have (tens of) millions of Durable Objects. Metrics are scoped per namespace. The binding name of the namespace (as it will be exposed inside Worker code) is defined in the Wrangler file under the durable\_objects.bindings.name key. Note that the binding name may not uniquely identify a namespace within an account. Instead, each namespace has a unique namespace ID, which you can view from the Cloudflare dashboard. You can instantiate a unique Durable Object within a namespace using [Durable Object namespace methods](https://developers.cloudflare.com/durable-objects/api/namespace/#methods). | Durable Objects             |
| NetFlow                                                  | Network protocol developed by Cisco to collect and monitor network traffic flow data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Network Flow                |
| non-browser traffic                                      | Non-browser traffic refers to data exchanges and communication occurring between devices or systems that do not involve web browsers, such as a mobile app or web apps.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Waiting Room                |
| OAuth                                                    | A protocol for authorizing users, allowing them to perform actions and view data on different platforms without sharing credentials.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Cloudflare One              |
| OIDC                                                     | OpenID Connect (OIDC) is an identity authentication protocol built on top of OAuth 2.0\. It is used verifying user identity and obtaining basic profile information.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Cloudflare One              |
| on-ramp                                                  | Refers to a way of connecting a business network to Cloudflare. Examples of on-ramps, or ways to connect to Cloudflare, are Anycast GRE tunnels, Anycast IPsec tunnels, Cloudflare Network Interconnect (CNI), Cloudflare Tunnel, and WARP.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Cloudflare One              |
| on-ramp                                                  | Refers to a way of connecting a business network to Cloudflare. Examples of on-ramps, or ways to connect to Cloudflare, are Anycast GRE tunnels, Anycast IPsec tunnels, Cloudflare Network Interconnect (CNI), Cloudflare Tunnel, and WARP.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Cloudflare WAN              |
| operator                                                 | The company or organization that owns and operates an AI crawler. Examples include OpenAI, Microsoft, Google, ByteDance, Anthropic, and Meta. In AI Crawl Control, crawlers are grouped by their operators.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | AI Crawl Control            |
| Organization Validated (OV) certificate                  | OV certificates are used by corporations or governments to portray an extra layer of confidence for their visitors. Rather than just validating domain ownership, the CA also validates the company’s registration using qualified independent information sources. The organization’s name is listed in the certificate.                                                                                                                                                                                                                                                                                                                                                                                                                      | SSL/TLS                     |
| origin                                                   | [Origin](https://www.cloudflare.com/learning/cdn/glossary/origin-server/) generally refers to the web server behind Cloudflare where your application is hosted.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Workers                     |
| origin bandwidth (origin egress bandwidth)               | The amount of data transferred from the origin server to Cloudflare within a certain period of time. Origin bandwidth is the sum of all EdgeResponseBytes where OriginResponseStatus does not equal 0.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cache                       |
| origin certificate                                       | A Cloudflare Origin Certificate is a free SSL/TLS certificate issued by Cloudflare that can be installed on your origin server to facilitate making sure your data is encrypted in transit from Cloudflare to your origin server using HTTPS.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | SSL/TLS                     |
| origin request                                           | An origin request is a request served from the origin server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Fundamentals                |
| origin response status code                              | An origin response status code is an HTTP response code sent from the origin server to Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Fundamentals                |
| origin server                                            | The original server where the web content is hosted before it is distributed to edge servers in a CDN.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cache                       |
| origin/host server                                       | The server where the website content is hosted.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Fundamentals                |
| OSI model (Open Systems Interconnection model)           | A conceptual framework that standardizes the functions of a telecommunication or computing system into seven abstraction layers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Spectrum                    |
| output gate                                              | When a storage write operation is in progress, any new outgoing network messages will be held back until the write has completed. We say that these messages are waiting for the "output gate" to open. If the write ultimately fails, the outgoing network messages will be discarded and replaced with errors, while the Durable Object will be shut down and restarted from scratch.                                                                                                                                                                                                                                                                                                                                                        | Durable Objects             |
| PAC file                                                 | A file containing a JavaScript function which can instruct a browser to forward traffic to a proxy server instead of directly to the destination server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Cloudflare One              |
| page load time                                           | The time it takes for a web page to fully load in a user's browser.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Speed                       |
| Pages                                                    | [Cloudflare Pages](https://developers.cloudflare.com/pages/) is Cloudflare's product offering for building and deploying full-stack applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Workers                     |
| paranoia level                                           | Classifies rules of the OWASP managed ruleset according to their aggressiveness.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | WAF                         |
| phishing                                                 | The practice of trying to acquire sensitive data through fraudulent emails or other means. Usually, the perpetrators try to pass for a legitimate company when asking for sensitive data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Area 1                      |
| plan                                                     | Plans distinguish the breadth of Cloudflare features accessible to a specific domain. Plan options include [Free, Pro, Business, or Enterprise](https://www.cloudflare.com/plans/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Fundamentals                |
| policy                                                   | A set of rules that regulate network activity, such as login access and website reachability.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Cloudflare One              |
| policy-based routing                                     | Policy-based routing (PBR) is a technique used to make routing decisions based on policies set by your administrador.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Magic Transit               |
| pool                                                     | Within Cloudflare, pools represent your endpoints and how they are organized. As such, a pool can be a group of several endpoints, or you could also have only one endpoint (an origin server, for example) per pool. If you are familiar with DNS terminology, think of a pool as a “record set,” except Cloudflare only returns addresses that are considered healthy. You can attach health monitors to individual pools for customized monitoring. A pool can have either a single monitor or a monitor group attached — but not both.                                                                                                                                                                                                     | Load Balancing              |
| prefix                                                   | A number that identifies the network portion of an IP address. It tells devices if an IP address is on the same network or not. It is shown as a number after a slash (for example, /31) at the end of the IP address. Using an analogy, the prefix is like a street address. If an IP is in the same street, it belongs to the same network of devices.                                                                                                                                                                                                                                                                                                                                                                                       | Magic Transit               |
| primary certificate / secondary certificate              | Primary and secondary indicates the order in which Custom SSL certificates were uploaded to Cloudflare. The primary certificate is the first certificate added to a pack. The primary certificate defines the hostnames covered by the certificate.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | SSL/TLS                     |
| primary database instance                                | The primary database instance is the original instance of a database. This database instance only exists in one location in the world.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | D1                          |
| producer                                                 | A producer is the term for a client that is publishing or producing messages on to a queue.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Queues                      |
| Prompt Engineering                                       | [Prompt Engineering](https://developers.cloudflare.com/workers-ai/guides/prompting/) is the practice of designing and refining input prompts to effectively elicit desired responses from AI models.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Workers AI                  |
| prompt injection                                         | The process of overwriting the system prompt for a large language model (LLM), which instructs the LLM on how to respond to user input.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | WAF                         |
| Prompt Templates                                         | [Prompt Templates](https://developers.cloudflare.com/workers-ai/guides/prompting/) are predefined structures that guide the input provided to AI models, enhancing consistency and effectiveness in responses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Workers AI                  |
| protocol                                                 | A protocol is a set of rules governing the exchange or transmission of data between devices.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Fundamentals                |
| proxy protocol                                           | A protocol used by network proxies to convey client connection information to the destination server, facilitating proper handling of client requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Spectrum                    |
| proxy read timeout                                       | A proxy read timeout is the maximum amount of time a proxy server waits for a response from the origin server before terminating the connection.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Fundamentals                |
| proxy read timeout config                                | Enterprise customers can increase the a proxy read timeout using a [cache rule](https://developers.cloudflare.com/cache/how-to/cache-rules/settings/#proxy-read-timeout-enterprise-only) or the [edit zone setting API endpoint](https://developers.cloudflare.com/api/resources/zones/subresources/rate%5Fplans/methods/get/).                                                                                                                                                                                                                                                                                                                                                                                                                | Fundamentals                |
| proxy server                                             | The server that sits between the origin server and the client. Cloudflare is a proxy server for example.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Fundamentals                |
| proxy status                                             | The proxy status of a DNS record defines whether requests for your domain will route through Cloudflare (proxied) or not (DNS-only). When a [DNS record is proxied](https://developers.cloudflare.com/dns/proxy-status/), requests are processed according to your configurations, and Cloudflare can optimize, cache, and protect your domain. Refer to [How Cloudflare works](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/) for details.                                                                                                                                                                                                                                                                    | DNS                         |
| proxy write timeout                                      | A proxy write timeout is the maximum amount of time a proxy server allows for sending data to the client before terminating the connection.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Fundamentals                |
| public key / private key                                 | SSL public and private keys are essentially long strings of characters used for encrypting and decrypting data. Data encrypted with the public key can only be decrypted with the private key, and vice versa. Private keys are kept secret and unshared.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | SSL/TLS                     |
| purge                                                    | The process of removing outdated content from the cache to make room for updated content and ensure the delivery of the latest content.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cache                       |
| Quarantine policies                                      | Policies that block specific types of emails (usually malicious and suspicious emails), preventing emails from reaching the end-user or the next mail service provider. Emails that are quarantined are reviewed by administrators and potentially released if falsely flagged.                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| query planner                                            | A component in a database management system which takes a user query and generates the most efficient plan of executing that query (the query plan). For example, the query planner decides which indices to use, or which table to access first.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | D1                          |
| queue                                                    | A queue is a buffer or list that automatically scales as messages are written to it, and allows a consumer Worker to pull messages from that same queue.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Queues                      |
| Queues                                                   | [Queues](https://developers.cloudflare.com/queues/) integrates with Cloudflare Workers and enables you to build applications that can guarantee delivery.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Workers                     |
| R2                                                       | [R2](https://developers.cloudflare.com/r2/) is an S3-compatible distributed object storage designed to eliminate the obstacles of sharing data across clouds.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Workers                     |
| rate limiting                                            | Rate limiting is a technique used in computer systems to control the rate at which requests are processed. It can be used as a security measure to prevent attacks, or to limit resource usage in your origin servers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | WAF                         |
| RDP                                                      | Remote Desktop Protocol (RDP) allows remote desktop connections to a computer, often used on Windows and Mac operating systems.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| read replica                                             | A read replica is an eventually-replicated copy of the primary database instance which only serve read requests. There may be multiple read replicas for a single primary database instance.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | D1                          |
| real user monitoring (RUM)                               | Real user monitoring (RUM) is a web performance monitoring technique that collects and analyzes data based on actual user interactions and experiences, providing insights into how users interact with a website or application in real-time.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Speed                       |
| redirect                                                 | URL redirects navigate the user from a source URL to a target URL using a given HTTP status code. URL redirection is also known as URL forwarding.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Fundamentals                |
| reference architecture                                   | A reference architecture provides a high-level view of how all or part of the Cloudflare platform is built and how Cloudflare products would fit into a customer's existing infrastructure.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Fundamentals                |
| Referrer                                                 | The site a user was on before visiting your domain, tracked via the HTTP Referer header. In AI Crawl Control, referrer data shows traffic arriving from AI platforms like ChatGPT or Perplexity.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | AI Crawl Control            |
| remotely-managed tunnel                                  | A Cloudflare Tunnel whose configuration is stored on Cloudflare rather than on your local machine. You can manage the tunnel in the dashboard or by using the API.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Cloudflare One              |
| render time                                              | The time it takes for a browser to display a fully rendered web page after receiving the necessary resources.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Speed                       |
| replica lag                                              | The time it takes for the primary database instance to replicate its changes to a specific read replica.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | D1                          |
| request                                                  | A request is a message that is sent between a client, or web browser, to a server. Each request that has been processed through the Cloudflare network generates a record.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Fundamentals                |
| Resource Public Key Infrastructure (RPKI)                | A cryptographic method of signing records that associate a route with an originating autonomous system number.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | BYOIP                       |
| REST API                                                 | [REST API](https://developers.cloudflare.com/workers-ai/get-started/rest-api/) is an application programming interface that allows developers to interact with Workers AI services over HTTP, enabling model management and inference requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Workers AI                  |
| reverse proxy                                            | A server that handles requests on behalf of clients, forwarding them to backend servers and managing tasks like load balancing and security.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Spectrum                    |
| robots.txt                                               | A text file at the root of a website that instructs crawlers which pages they should or should not access. Compliance is voluntary. AI Crawl Control helps monitor which crawlers violate your robots.txt rules.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | AI Crawl Control            |
| roles                                                    | Authorize which Cloudflare products and features a member is allowed to access in a Cloudflare account. Learn more about [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Fundamentals                |
| rollback                                                 | [Rollbacks](https://developers.cloudflare.com/workers/configuration/versions-and-deployments/rollbacks/) are a way to deploy an older deployment to the Cloudflare global network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Workers                     |
| root certificate                                         | A root certificate is generated by a CA and is used to sign certificates. Every browser includes a root store of trusted root certificates. Any certificate signed with the private key of a root certificate is automatically trusted by a browser.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | SSL/TLS                     |
| Route Origin Authorization (ROA)                         | The RPKI-signed object that states an autonomous system is authorized to originate a particular IP address prefix or set of prefixes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | BYOIP                       |
| rule characteristics                                     | The set of parameters of a rate limiting rule that define how Cloudflare tracks the rate for the rule.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | WAF                         |
| Rule group                                               | A set of Access rules that can be configured once and then quickly applied across many Access policies.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cloudflare One              |
| SafeSearch                                               | SafeSearch is a feature of search engines that filters explicit or offensive content from search results.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Cloudflare One              |
| SAML                                                     | Security Assertion Markup Language (SAML) enables single sign-on and authentication for multiple applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| sampling                                                 | In the context of Network Flow, sampling is the process of taking samples of packets for a specific period to identify potential attacks.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Network Flow                |
| SASE                                                     | Secure Access Service Edge (SASE) is a cloud-based security model bundling networking and security functions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Cloudflare One              |
| saved bandwidth (saved egress bandwidth)                 | The percentage of bandwidth saved by caching on the Cloudflare network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cache                       |
| SCIM                                                     | System for Cross-domain Identity Management (SCIM) is an open standard protocol that allows identity providers (such as Okta or Microsoft Entra ID) to synchronize user identity information with cloud applications and services.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Cloudflare One              |
| search engine optimization (SEO)                         | SEO, or search engine optimization, is the practice of optimizing online content to improve its visibility and ranking in search engine results, thereby increasing organic traffic and relevance.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Speed                       |
| seat                                                     | A unique, billable user within your Zero Trust organization who has performed [an authentication event](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/seat-management/#authentication-events). Service tokens do not consume seats.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| secret                                                   | [Secrets](https://developers.cloudflare.com/workers/configuration/secrets/) are a type of binding that allow you to attach encrypted text values to your Worker.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Workers                     |
| secret key                                               | The secret key allows communication between your application backend and the Cloudflare Turnstile server to validate the widget response.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Turnstile                   |
| Secure Sockets Layer (SSL)                               | SSL was a widely used cryptographic protocol for providing data security for Internet communications. SSL was superseded by TLS; however, most people still refer to Internet cryptographic protocols as SSL.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | SSL/TLS                     |
| SEO crawlers                                             | SEO crawlers, or web crawlers, are automated programs employed by search engines to systematically browse and index web content, gathering information about the structure and relevance of pages to determine search result rankings.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Waiting Room                |
| Server Name Indication (SNI)                             | SNI allows a server to host multiple TLS Certificates for multiple websites using a single IP address. SNI adds the website hostname in the TLS handshake to inform the server which website to present when using shared IPs. Cloudflare uses SNI for all Universal SSL certificates.                                                                                                                                                                                                                                                                                                                                                                                                                                                         | SSL/TLS                     |
| server response time                                     | The time it takes for a server to respond to a request from a user's browser.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Speed                       |
| Serverless GPUs                                          | [Serverless GPUs](https://developers.cloudflare.com/workers-ai/) are graphics processing units provided by Cloudflare in a serverless environment, enabling scalable and efficient execution of machine learning models without the need for managing underlying hardware.                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Workers AI                  |
| Service Level Agreement (SLA)                            | An SLA is a contractual obligation for Cloudflare to maintain a specific level of service. Read the [Service Level Agreement (SLA) for the Cloudflare Business plan](https://www.cloudflare.com/business-sla/). Enterprise customers refer to the Enterprise SLA provided with their contract.                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Fundamentals                |
| service provider (SP)                                    | A service provider (SP) provides federated access to an application for a user from an identity provider (IdP).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| service token                                            | Authentication credentials generated by Cloudflare Access which enable automated systems to access protected applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Cloudflare One              |
| service Worker                                           | Refers to a Worker written in [service worker](https://developer.mozilla.org/en-US/docs/Web/API/Service%5FWorker%5FAPI) [syntax](https://developers.cloudflare.com/workers/reference/migrate-to-module-workers/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Workers                     |
| session                                                  | An event generated when a user logs in to an Access application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Cloudflare One              |
| session                                                  | A session encapsulates all the queries from one logical session for your application. For example, a session may correspond to all queries coming from a particular web browser session.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | D1                          |
| session identifier                                       | A session identifier is a unique identifier that a website assigns to identify a specific user for the duration of their visit.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | API Shield                  |
| Set-Cookie                                               | Set-Cookie is an HTTP header used by web servers to send a cookie to a user's browser during an HTTP response, enabling the server to store information on the client side, often used for session management and user preferences.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Waiting Room                |
| sFlow                                                    | An industry standard packet sampling protocol to monitor network devices.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Network Flow                |
| SFTP (Secure File Transfer Protocol)                     | A secure file transfer protocol that uses the Secure Socket Shell (SSH) protocol for encryption and authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Spectrum                    |
| shadow IT                                                | Shadow IT is the unsanctioned use of software, hardware, or other systems and services within an organization, often without the knowledge of that organization's information technology (IT) department. For more information, refer to the [Cloudflare Learning Center](https://www.cloudflare.com/learning/access-management/what-is-shadow-it/).                                                                                                                                                                                                                                                                                                                                                                                           | Cloudflare One              |
| SIEM                                                     | A Security Information and Event Management (SIEM) solution collects, analyzes, and correlates data to help manage security incidents, detect anomalies, and meet compliance requirements.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | WAF                         |
| sitekey                                                  | The sitekey is used to invoke Turnstile on your site.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Turnstile                   |
| SMB                                                      | Secure Messaging Block (SMB) is a network file sharing protocol used for accessing files and services on a network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Cloudflare One              |
| SMTP                                                     | Stands for Simple Mail Transfer Protocol. It is an Internet standard based on TCP/IP to send and receive email.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Area 1                      |
| SMTP Server (Simple Mail Transfer Protocol Server)       | A server responsible for sending, receiving, and relaying email messages over a network, following the SMTP protocol.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Spectrum                    |
| Snippets subrequest                                      | Any request that a Snippet makes to either Internet resources using the Fetch API or requests to other Cloudflare services.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Rules                       |
| source endpoint                                          | The source endpoint is the endpoint managed by API Shield in Endpoint Management by its routing feature.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | API Shield                  |
| speed index                                              | Speed index is a web performance metric that quantifies how quickly a user perceives a webpage to load by measuring the visual progression of content rendering over time, providing a comprehensive assessment of the overall user experience during page loading.                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Speed                       |
| SQL API                                                  | API methods part of Storage API that support SQL querying.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Durable Objects             |
| SSH                                                      | Secure Shell (SSH) protocol allows users to connect to infrastructure remotely and execute commands.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Cloudflare One              |
| SSO                                                      | Single Sign-On (SSO) is a technology that combines multiple application logins into one, requiring users to enter credentials only once.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Cloudflare One              |
| static content                                           | Static content, like images, stylesheets, and JavaScript, remains the same for all users. It can be directly served from the cache without fetching from the origin server because it does not change without manual intervention.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Cache                       |
| static route                                             | A fixed configuration to route traffic through Anycast tunnels from Cloudflare global network to the customer's locations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Cloudflare WAN              |
| step                                                     | A step is self-contained, individually retryable component of a Workflow. Steps may emit (optional) state that allows a Workflow to persist and continue from that step, even if a Workflow fails due to a network or infrastructure issue. A Workflow can have one or more steps up to the [step limit](https://developers.cloudflare.com/workflows/reference/limits/).                                                                                                                                                                                                                                                                                                                                                                       | Workflows                   |
| Storage API                                              | The transactional and strongly consistent (serializable) [Storage API](https://developers.cloudflare.com/durable-objects/api/sqlite-storage-api/) for persisting data within each Durable Object. State stored within a unique Durable Object is "private" to that Durable Object, and not accessible from other Durable Objects. Storage API includes key-value (KV) API, SQL API, and point-in-time-recovery (PITR) API. Durable Object classes with the key-value storage backend can use KV API. Durable Object classes with the SQLite storage backend can use KV API, SQL API, and PITR API.                                                                                                                                             | Durable Objects             |
| Storage Backend                                          | By default, a Durable Object class can use Storage API that leverages a key-value storage backend. New Durable Object classes can opt-in to using a [SQLite storage backend](https://developers.cloudflare.com/durable-objects/best-practices/access-durable-objects-storage/#sqlite-storage-backend).                                                                                                                                                                                                                                                                                                                                                                                                                                         | Durable Objects             |
| stub                                                     | An object that refers to a unique Durable Object within a namespace and allows you to call into that Durable Object via RPC methods or the fetch API. For example, let stub = env.MY\_DURABLE\_OBJECT.get(id)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Durable Objects             |
| Subject Alternative Names (SANs)                         | The SAN field of an SSL certificate specifies additional hostnames (sites, IP addresses, common names, subdomains, apex domains, etc.) protected by a single SSL Certificate.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | SSL/TLS                     |
| subnet                                                   | Also known as subnetwork. It refers to a network that is part of another network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Cloudflare WAN              |
| subrequest                                               | A subrequest is any request that a Worker makes to either Internet resources using the [Fetch API](https://developers.cloudflare.com/workers/runtime-apis/fetch/) or requests to other Cloudflare services like [R2](https://developers.cloudflare.com/r2/), [KV](https://developers.cloudflare.com/kv/), or [D1](https://developers.cloudflare.com/d1/).                                                                                                                                                                                                                                                                                                                                                                                      | Workers                     |
| SYN (Synchronize)                                        | The initial step in establishing a TCP connection, where a device requests a connection with another by sending a SYN packet.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Spectrum                    |
| SYN-ACK (Synchronize-Acknowledge)                        | The second step in the TCP three-way handshake, where the server responds to a SYN request with a SYN-ACK packet.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Spectrum                    |
| synthetic test                                           | A synthetic test is an artificial simulation of user interactions and system behaviors designed to evaluate and measure the performance, responsiveness, and functionality of a website or application under controlled conditions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Speed                       |
| Tail Worker                                              | A [Tail Worker](https://developers.cloudflare.com/workers/observability/logs/tail-workers/) receives information about the execution of other Workers (known as producer Workers), such as HTTP statuses, data passed to console.log() or uncaught exceptions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Workers                     |
| target                                                   | A resource with an IP address or hostname that is reachable by Cloudflare, such as a server or web application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| target endpoint                                          | The target endpoint is the ultimate destination that a request is sent to by API Shield's routing feature.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | API Shield                  |
| target hostname                                          | A label used to identify a set of targets in an Access for Infrastructure application.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cloudflare One              |
| TCP (Transmission Control Protocol)                      | A connection-oriented protocol in the transport layer of the Internet Protocol Suite, providing reliable and ordered delivery of data between devices.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Spectrum                    |
| TCP Fast Open (TFO)                                      | TCP Fast Open (TFO) is a protocol extension that can significantly improve the speed of establishing TCP connections by allowing data to be sent in the initial SYN packet, rather than requiring a separate handshake before data transmission begins.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Fundamentals                |
| TCP Keep-Alive                                           | A TCP keep-alive is used to maintain a connection between two endpoints by sending packets to check if the connection is still active. This helps prevent idle connections from being prematurely closed. If a response is not received after a defined period, the connection is terminated.                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Fundamentals                |
| TCP RST (reset)                                          | A TCP Reset (RST) packet is used by a TCP sender to close a connection.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Fundamentals                |
| TCP three-way handshake                                  | TCP uses a three-way handshake to establish a reliable connection (SYN, SYN-ACK, ACK) over an IP based connection. SYN is short for synchronize, and ACK is short for acknowledgement.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Fundamentals                |
| team domain                                              | A unique subdomain assigned to your Cloudflare account (for example, <your-team-name>.cloudflareaccess.com), where users will find the apps you have secured behind Cloudflare One.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Cloudflare One              |
| team name                                                | The customizable portion of your team domain (<your-team-name>.cloudflareaccess.com). You can view your team name in Cloudflare One under **Settings**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cloudflare One              |
| terminating action                                       | A rule action like _Block_ that stops the evaluation of remaining rules.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Ruleset Engine              |
| Terraform                                                | An infrastructure as code software tool that allows you to deploy services from different providers using a standardized configuration syntax.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| threat score                                             | The threat score was a score from 0 (zero risk) to 100 (high risk) classifying the IP reputation of a visitor. Currently, the threat score is always 0 (zero).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | WAF                         |
| time to first byte (TTFB)                                | Time to first byte (TTFB) is the duration measured from the initiation of a web page request to the moment the first byte of data is received by the user's browser from the web server, indicating the server's initial response time.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Speed                       |
| time to interactive (TTI)                                | Time to interactive (TTI) is a web performance metric that measures the time it takes for a web page to become fully interactive and responsive to user input, indicating when users can effectively engage with and use the page.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Speed                       |
| time-to-live (TTL)                                       | The duration for which a cached copy of a resource is considered valid before it needs to be refreshed or revalidated.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Cache                       |
| timestamp                                                | A data field indicating the date and time when an event occurred, often used for sequencing and analysis.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Logs                        |
| TLS (Transport Layer Security)                           | TLS is a cryptographic protocol that ensures data security over a computer network, such as the Internet. It encrypts the data that is transmitted between a user's computer and a web server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | SSL/TLS                     |
| total bandwidth (total egress bandwidth, edge bandwidth) | Total bandwidth is the amount of data transferred from Cloudflare to end users within a certain period of time. Total bandwidth equals the sum of all EdgeResponseBytes for a certain period of time.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cache                       |
| total blocking time (TBT)                                | Total blocking time (TBT) is a web performance metric that measures the total amount of time between First Contentful Paint (FCP) and Time to Interactive (TTI) where the main thread was blocked for long enough to prevent input responsiveness.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Speed                       |
| traffic                                                  | Traffic is the data sent and received by visitors to a website. Cloudflare serves and protects this data as it passes through the Cloudflare network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Fundamentals                |
| traffic management                                       | The process of controlling and optimizing the flow of network data to ensure efficient and reliable communication.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Waiting Room                |
| traffic steering                                         | Cloudflare evaluates your route's health and steers traffic according to priorities defined by you and / or tunnel health.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Cloudflare WAN              |
| tunnel                                                   | A secure pathway for network traffic to flow between a device and Cloudflare's global network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Cloudflare One              |
| tunnel health-check                                      | A probe sent by Cloudflare to check for tunnel health. If a tunnel is not considered healthy, Cloudflare reroutes traffic to one that is considered healthy.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Cloudflare WAN              |
| tutorial                                                 | A tutorial is a practical lesson that takes you from a clear starting to ending point. The goal is to connect products to real-world scenarios to meet a user’s goal.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Fundamentals                |
| two-factor authentication (2FA)                          | Two-factor authentication (2FA) is a security process in which a user provides two different authentication factors to verify their identity. In addition to something you know, typically your password, 2FA adds an extra layer of security to user logins by requiring users to also present something they have, such as Yubikey or a one-time login code, or something you are, such as a fingerprint. It adds an extra layer of security to user logins by requiring users to present two or more separate pieces of evidence (factors) that establish their identity.                                                                                                                                                                   | Fundamentals                |
| UDP (User Datagram Protocol)                             | UDP (User Datagram Protocol) is a connectionless transport layer protocol that provides fast and lightweight data transmission between devices on a network, prioritizing speed over reliability.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Spectrum                    |
| uncached bandwidth (uncached egress bandwidth)           | Uncached bandwidth is the amount of bandwidth that is not cached and therefore is served from the origin. Uncached bandwidth is the sum of all EdgeResponseBytes where CacheCacheStatus does not equal hit, stale, updating, ignored, or revalidated.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cache                       |
| uncached requests                                        | Uncached requests are requests that are not cached and therefore are served from the origin server. Uncached requests are the sum of all requests where CacheCacheStatus does not equal to hit, stale, updating, or ignored.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Cache                       |
| Unicast Reverse Path Forwarding (uRPF)                   | A security feature that can prevent spoofing attacks.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | BYOIP                       |
| Universal SSL certificate                                | By default, Cloudflare issues — and [renews](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/#universal-ssl) — free, unshared, publicly trusted SSL certificates to all domains [added to](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) and [activated on](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) Cloudflare.                                                                                                                                                                                                                                                                                                                                    | SSL/TLS                     |
| URL normalization                                        | The process of modifying the URLs of incoming requests so that they conform to a consistent formatting standard.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Rules                       |
| URL rewrite                                              | An operation performed by a server that converts a source URL into a target URL.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Rules                       |
| User risk score                                          | Ranks the likelihood of a user to introduce risk to your organization's systems and data based on the detection of security risk behaviors. Risk scores add user and entity behavior analytics (UEBA) to the Cloudflare One platform.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Cloudflare One              |
| User risk score level                                    | Cloudflare One assigns a risk score of Low, Medium or High based on detections of users' activities, posture, and settings. A user's risk score is equal to the highest-level risk behavior they trigger.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Cloudflare One              |
| V8                                                       | Chrome V8 is a [JavaScript engine](https://www.cloudflare.com/learning/serverless/glossary/what-is-chrome-v8/), which means that it [executes JavaScript code](https://developers.cloudflare.com/workers/reference/how-workers-works/).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Workers                     |
| validation level                                         | The level to which a certificate authority validates domain ownership before issuing an SSL/TLS certificate. The different certificate validation levels are DV (Domain Validated), OV (Organization Validated), or EV (Extended Validation).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | SSL/TLS                     |
| verified bot                                             | Bots that are transparent about who they are and what they do.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Bots                        |
| version                                                  | A [version](https://developers.cloudflare.com/workers/configuration/versions-and-deployments/#versions) is defined by the state of code as well as the state of configuration in a Worker's Wrangler file.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Workers                     |
| Virtual network                                          | A software abstraction that allows you to logically segregate resources on a private network. Virtual networks are especially useful for exposing resources which have overlapping IP routes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Cloudflare One              |
| Virtual Private Cloud                                    | A logically isolated section of cloud infrastructure that provides secure, private networking within a public cloud environment.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Workers VPC                 |
| Virtual Private Cloud (VPC)                              | A secure, isolated private network hosted on public cloud infrastructure. Examples of public cloud providers include Google Cloud, AWS, and Microsoft Azure.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Cloudflare One              |
| Virtual Private Network (VPN)                            | A tool that allows users to send and receive data across shared or public networks as if their devices were directly connected to the private network. For example, employees working from home can use a VPN to access files on the corporate network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cloudflare One              |
| virtual waiting room                                     | A virtual waiting room is an online system or feature that manages and controls access to a website or service during periods of high traffic, preventing server overload by placing users in a queue until they can be accommodated, ensuring a more equitable and efficient user experience.                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Waiting Room                |
| wall-clock time                                          | [Wall-clock time](https://developers.cloudflare.com/workers/platform/limits/#duration) is the total amount of time from the start to end of an invocation of a Worker.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Workers                     |
| WAN                                                      | Stands for Wide Area Network. It refers to a computer network that connects groups of computers over large distances. WANs are often used by businesses to connect their office networks. The objective is to make each of the local area networks (LANs) be remotely connected and accessible.                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare WAN              |
| WARP CGNAT IP                                            | A unique, virtual IP address assigned to each WARP device from the 100.96.0.0/12 range.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Cloudflare One              |
| WARP client                                              | The previous name for the Cloudflare One Client, an application that connects corporate devices to Cloudflare for private network access, advanced web filtering, and other security functions.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| WARP Connector                                           | An extension of the WARP client used to establish site-to-site, bidirectional, and mesh networking connectivity. WARP Connector software installs on a Linux server within a private network, which then becomes a gateway for other local networks that need to on-ramp traffic to Cloudflare.                                                                                                                                                                                                                                                                                                                                                                                                                                                | Cloudflare One              |
| website                                                  | A website is a collection of web pages and related content that is identified by a common domain name and published on at least one web server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Fundamentals                |
| Worker Bindings                                          | [Worker Bindings](https://developers.cloudflare.com/workers-ai/configuration/bindings/) are configurations that connect Workers scripts to external resources, such as AI models, enabling seamless integration and functionality.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | Workers AI                  |
| workerd                                                  | [workerd](https://github.com/cloudflare/workerd?cf%5Ftarget%5Fid=D15F29F105B3A910EF4B2ECB12D02E2A) is a JavaScript / Wasm server runtime based on the same code that powers Cloudflare Workers.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Workers                     |
| Workers AI                                               | [Workers AI](https://developers.cloudflare.com/workers-ai/) is a Cloudflare service that enables running machine learning models on Cloudflare's global network, utilizing serverless GPUs. It allows developers to integrate AI capabilities into their applications using Workers, Pages, or via the REST API.                                                                                                                                                                                                                                                                                                                                                                                                                               | Workers AI                  |
| Workers KV                                               | [Workers KV](https://developers.cloudflare.com/kv/)is a data storage that allows you to store and retrieve data globally.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Workers AI                  |
| Workflow                                                 | The named Workflow definition, associated with a single Workers script.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Workflows                   |
| Wrangler                                                 | [Wrangler](https://developers.cloudflare.com/learning-paths/workers/get-started/c3-and-wrangler/) is the Cloudflare Developer Platform command-line interface (CLI) that allows you to manage projects, such as Workers, created from the Cloudflare Developer Platform product offering.                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Workers                     |
| Wrangler CLI                                             | [Wrangler CLI](https://developers.cloudflare.com/workers-ai/get-started/workers-wrangler/) is a command-line tool for building and deploying Cloudflare Workers, facilitating the integration of AI models into applications.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | Workers AI                  |
| wrangler.toml / wrangler.json / wrangler.jsonc           | The [configuration](https://developers.cloudflare.com/workers/wrangler/configuration/) used to customize the development and deployment setup for a Worker or a Pages Function.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Workers                     |
| Zero Trust Security                                      | Zero Trust Security is an IT security model that requires strict identity verification for every person and device accessing resources on a network.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Cloudflare One              |
| zero-shot classification model                           | A pretrained machine learning model capable of categorizing data (text or images) into classes it has never seen during training.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | WAF                         |
| zone                                                     | A zone is a portion of DNS namespace that is managed by a specific organization or administrator.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Fundamentals                |
| zone apex                                                | Zone apex refers to the domain or subdomain on which the control of DNS records starts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | DNS                         |


---

---
title: Cloudflare and Google Analytics
description: Using Cloudflare does not affect Google Analytics (GA) tracking if it is added to the website in one of the ways recommended by Google.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare and Google Analytics

Using Cloudflare does not affect Google Analytics (GA) tracking if it is added to the website [in one of the ways recommended by Google ↗](https://support.google.com/analytics/answer/9304153#add-tag).

## Standard GA setup

Cloudflare proxies traffic to your origin web server, but the GA JavaScript code never actually sends traffic to your server. Instead, it executes directly in a user's browser and does not interact with Cloudflare.

Cloudflare only affects analytics tools that read logs directly from your web server (like awstats).

Note

To troubleshoot potential issues with Google Analytics, refer to [Common GA setup mistakes ↗](https://support.google.com/analytics/answer/1009683).

## Zaraz

As an alternative to the standard setup of Google Analytics with tag/snippet, Cloudflare offers a way to use Google Analytics with [Zaraz](https://developers.cloudflare.com/zaraz/). Zaraz is a solution that allows Google Analytics to collect data without its script loaded on the website. If GA is set up this way, then not all features may be available.

Note

Details about features of Google Analytics that are unavailable with Zaraz can be found in the [Zaraz FAQ](https://developers.cloudflare.com/zaraz/faq/#tools).


---

---
title: Cloudflare HTTP headers
description: Cloudflare passes all HTTP request headers to your origin web server and adds additional headers as specified below.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare HTTP headers

## Request headers

Cloudflare passes all HTTP request headers to your origin web server and adds additional headers as specified below.

Note

Cloudflare may remove HTTP request headers with names considered invalid [according to NGINX ↗](https://nginx.org/en/docs/http/ngx%5Fhttp%5Fcore%5Fmodule.html#ignore%5Finvalid%5Fheaders) — for example, header names containing a `.` (dot) character.

### Accept-Encoding

For incoming requests, the value of this header will always be set to `accept-encoding: br, gzip`. If the client set a different value, such as `accept-encoding: deflate`, it will be overwritten and the original value will be available in `request.cf.clientAcceptEncoding`.

### CF-Connecting-IP

`CF-Connecting-IP` provides the client IP address connecting to Cloudflare to the origin web server. This header will only be sent on the traffic from Cloudflare's edge to your origin web server.

For guidance on logging your visitor's original IP address, refer to [Restoring original visitor IPs](https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/).

Alternatively, if you do not wish to receive the `CF-Connecting-IP` header or any HTTP header that may contain the visitor's IP address, [enable the **Remove visitor IP headers** Managed Transform](https://developers.cloudflare.com/rules/transform/managed-transforms/configure/).

#### CF-Connecting-IP in Worker subrequests

In same-zone Worker subrequests, the value of `CF-Connecting-IP` reflects the value of `x-real-ip` (the client's IP). `x-real-ip` can be altered by the user in their Worker script.

In cross-zone subrequests from one Cloudflare zone to another Cloudflare zone, the `CF-Connecting-IP` value will be set to the Worker client IP address `'2a06:98c0:3600::103'` for security reasons.

For Worker subrequests destined for a non-Cloudflare customer zone, the `CF-Connecting-IP` and `x-real-ip` headers will both reflect the client's IP address, with only the `x-real-ip` header able to be altered.

When no Worker subrequest is triggered, `cf-connecting-ip` reflects the client's IP address and the `x-real-ip` header is stripped.

### CF-Connecting-IPv6

Cloudflare provides [free IPv6 support](https://developers.cloudflare.com/network/ipv6-compatibility/) to all domains without requiring additional configuration or hardware. To support migrating to IPv6, Cloudflare's [Pseudo IPv4](https://developers.cloudflare.com/network/pseudo-ipv4/) provides an IPv6 to IPv4 translation service for all Cloudflare domains.

If **Pseudo IPv4** is set to `Overwrite Headers`, Cloudflare overwrites the existing `Cf-Connecting-IP` and `X-Forwarded-For` headers with a pseudo IPv4 address while preserving the real IPv6 address in the `CF-Connecting-IPv6` header.

  
### CF-EW-Via

This header is used for loop detection, similar to the `CDN-Loop` [header ↗](https://blog.cloudflare.com/preventing-request-loops-using-cdn-loop/).

### CF-Pseudo-IPv4

If [Pseudo IPv4](https://developers.cloudflare.com/network/pseudo-ipv4/) is set to `Add Header`, Cloudflare automatically adds the `CF-Pseudo-IPv4` header with a Class E IPv4 address hashed from the original IPv6 address.

### True-Client-IP (Enterprise plan only)

`True-Client-IP` provides the original client IP address to the origin web server. `True-Client-IP` is only available on an Enterprise plan. In the example below, `203.0.113.1` is the original visitor IP address. For example: `True-Client-IP: 203.0.113.1`

There is no difference between the `True-Client-IP` and `CF-Connecting-IP` headers besides the name of the header. Some Enterprise customers with legacy devices need `True-Client-IP` to avoid updating firewalls or load-balancers to read a custom header name.

To add a `True-Client-IP` HTTP header to requests, [enable the **Add "True-Client-IP" header** Managed Transform](https://developers.cloudflare.com/rules/transform/managed-transforms/configure/).

Alternatively, if you do not wish to receive the `True-Client-IP` header or any HTTP header that may contain the visitor's IP address, [enable the **Remove visitor IP headers** Managed Transform](https://developers.cloudflare.com/rules/transform/managed-transforms/configure/).

Warning

If you are using Cloudflare in a stacked CDN and authenticating HTTP requests based on the IP address value in the `True-Client-IP` header, you must add a `True-Client-IP` header to your requests. If you do not add this header, its value can be spoofed to any value.

### X-Forwarded-For

`X-Forwarded-For` maintains proxy server and original visitor IP addresses. If there was no existing `X-Forwarded-For` header in the request sent to Cloudflare, `X-Forwarded-For` has an identical value to the `CF-Connecting-IP` header.

For example, if the original visitor IP address is `203.0.113.1` and the request sent to Cloudflare does not contain an `X-Forwarded-For` header, then Cloudflare will send `X-Forwarded-For: 203.0.113.1` to the origin.

If, on the other hand, an `X-Forwarded-For` header was already present in the request to Cloudflare, Cloudflare will append the IP address of the HTTP proxy connecting to Cloudflare to the header. For example, if the original visitor IP address is `203.0.113.1` and a request is proxied through two proxies: proxy A with an IP address of `198.51.100.101` and proxy B with an IP address of `198.51.100.102` before being proxied to Cloudflare, then Cloudflare will send `X-Forwarded-For: 203.0.113.1,198.51.100.101,198.51.100.102` to the origin. Proxy A will append the original visitor's IP address (`203.0.113.1`) to `X-Forwarded-For` before proxying the request to proxy B which, in turn, will append Proxy A's IP address (`198.51.100.101`) to `X-Forwarded-For` before proxying the request to Cloudflare. And finally, Cloudflare will append proxy B's IP address (`198.51.100.102`) to `X-Forwarded-For` before proxying the request to the origin.

If you do not wish to receive the visitor's IP address in the `X-Forwarded-For` header, or any HTTP header that may contain the visitor's IP address, [enable the **Remove visitor IP headers** Managed Transform](https://developers.cloudflare.com/rules/transform/managed-transforms/configure/).

Note

To restore the original visitor IP address at your origin web server, Cloudflare recommends that your logs or applications look at `CF-Connecting-IP` or `True-Client-IP` instead of `X-Forwarded-For`. `CF-Connecting-IP` and `True-Client-IP` both have a consistent format containing only one IP address.
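The guidance above on `CF-Connecting-IP`, the `True-Client-IP` spoofing warning, and the append-only `X-Forwarded-For` chain can be combined into one origin-side check. The following is an added example, not Cloudflare's code: the function names are hypothetical, `TRUSTED_EDGE` holds constructed placeholder ranges from documentation address space, and `headers` is assumed to be a plain object with lower-cased keys (as in Node's `req.headers`).

```javascript
// Added example, not Cloudflare's code. TRUSTED_EDGE holds constructed
// placeholder ranges (documentation address space); in production, load the
// edge ranges published by your provider.
const TRUSTED_EDGE = ["192.0.2.0/24", "2001:db8::/32"];

// Parse dotted-quad IPv4 into a BigInt, or null. Leading zeros are rejected.
function parseV4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let value = 0n;
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p) || Number(p) > 255) return null;
    value = (value << 8n) | BigInt(p);
  }
  return value;
}

// Parse IPv6 (with optional "::") into a BigInt, or null.
// Embedded-IPv4 and zone-id forms are rejected rather than guessed at.
function parseV6(s) {
  const halves = s.split("::");
  if (!s.includes(":") || halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const zeros = halves.length === 2 ? Array(missing).fill("0") : [];
  let value = 0n;
  for (const g of [...head, ...zeros, ...tail]) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    value = (value << 16n) | BigInt("0x" + g);
  }
  return value;
}

// Returns { bits, value } for exactly one IP literal, or null for anything
// else (comma-separated lists, hostnames, empty or missing values).
function parseIp(text) {
  if (typeof text !== "string") return null;
  const s = text.trim();
  const v4 = parseV4(s);
  if (v4 !== null) return { bits: 32, value: v4 };
  const v6 = parseV6(s);
  return v6 !== null ? { bits: 128, value: v6 } : null;
}

// True when addr falls inside any CIDR in the list (same address family only).
function isTrusted(addr, cidrs) {
  const ip = parseIp(addr);
  if (!ip) return false;
  return cidrs.some((cidr) => {
    const [base, len] = cidr.split("/");
    const net = parseIp(base);
    if (!net || net.bits !== ip.bits || !/^\d+$/.test(len || "")) return false;
    if (Number(len) > net.bits) return false;
    const shift = BigInt(net.bits - Number(len));
    return (ip.value >> shift) === (net.value >> shift);
  });
}

// peerAddr is the TCP peer address of the connection to the origin.
// headerName may be "cf-connecting-ip" or "true-client-ip".
function resolveClientIp(peerAddr, headers, trustedEdge, headerName = "cf-connecting-ip") {
  if (!isTrusted(peerAddr, trustedEdge)) {
    // The request did not come through the edge, so every forwarding header
    // is client-controlled: fall back to the socket address.
    return { ip: peerAddr, source: "socket" };
  }
  const value = headers[headerName];
  // Both headers carry exactly one IP address; anything else fails closed.
  if (!parseIp(value)) return { ip: null, source: "invalid" };
  return { ip: value.trim(), source: headerName };
}

// Walk X-Forwarded-For from the right (the hop Cloudflare appended) and return
// the first address that is not one of your own proxies. Entries further left
// were supplied by that address and are not verified.
function clientFromXff(xff, trustedProxies) {
  const hops = String(xff || "").split(",").map((h) => h.trim());
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!parseIp(hops[i])) return null; // malformed entry: do not guess
    if (!isTrusted(hops[i], trustedProxies)) return hops[i];
  }
  return null; // every hop was one of our own proxies
}
```

With the chain from the example above, `clientFromXff` returns `203.0.113.1` only when proxies A and B are listed as trusted; otherwise it returns `198.51.100.102`, the address that actually connected to Cloudflare.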

### X-Forwarded-Proto

`X-Forwarded-Proto` is used to identify the protocol (HTTP or HTTPS) that a visitor used to connect to Cloudflare. By default, the protocol used is `https`, unless the visitor selected a different [encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/#custom-ssltls).

For incoming requests, the value of this header will be set to the protocol the client used (`http` or `https`). If the client set a different value, it will be overwritten.

### Cf-Ray

The `Cf-Ray` header (otherwise known as a [Ray ID](https://developers.cloudflare.com/fundamentals/reference/cloudflare-ray-id/)) is a hashed value that encodes information about the data center and the visitor's request. For example: `Cf-Ray: 230b030023ae2822-SJC`.

The Cf-Ray header identifies the data center processing the request when displayed as a response header. This is represented by a three-letter code corresponding to the data center's location.

The Cf-Ray header is also sent to upstream origins and may be modified to reflect the connecting data center. This occurs when a request is routed through [Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/) or [Argo Tiered Caching](https://developers.cloudflare.com/cache/how-to/tiered-cache/). In such cases, the three-letter code in the Cf-Ray header will indicate the data center connecting to the origin, not the ingress data center.

Add the [Cf-Ray header to your origin web server logs](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#add-the-cf-ray-header-to-your-logs) to match requests proxied to Cloudflare to requests in your server logs.

Enterprise customers can see all requests via [Cloudflare Logs](https://developers.cloudflare.com/logs/), including data related to the ingress data center.

### CF-IPCountry

The `CF-IPCountry` header contains a two-character country code of the originating visitor's country.

Besides the [ISO-3166-1 alpha-2 codes ↗](https://www.iso.org/iso-3166-country-codes.html), Cloudflare uses the following special country codes:

* `XX` \- Used for clients without country code data.
* `T1` \- Used for clients using the Tor network.

To add this header to requests, along with other HTTP headers with location information for the visitor's IP address, [enable the **Add visitor location headers** Managed Transform](https://developers.cloudflare.com/rules/transform/managed-transforms/configure/).

Note

The `CF-IPCountry` header is removed from requests made from a Worker to an origin that is not proxied behind Cloudflare.

### CF-Visitor

Currently, this header is a JSON object containing only one key, `scheme`. The scheme will be either HTTP or HTTPS, and it is only relevant if you need to enable Flexible SSL in your Cloudflare settings. For example: `CF-Visitor: {"scheme":"https"}`.

### CDN-Loop

`CDN-Loop` allows Cloudflare to specify how many times a request can enter Cloudflare's network before it is blocked as a looping request. For example: `CDN-Loop: cloudflare`.

### CF-Connecting-O2O

If [SSL for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) is used for [the SaaS provider-owned zone](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/how-it-works/), an HTTP header will be set to `cf-connecting-o2o: 1`.

### CF-Worker

The `CF-Worker` request header is added to an edge Worker subrequest that identifies the host that spawned the subrequest. For example: `CF-Worker: example.com`.

You can add the `CF-Worker` header to server logs in the same way you add the [CF-RAY](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#add-the-cf-ray-header-to-your-logs) header. To do that, add `$http_cf_worker` in the log format file: `log_format cf_custom 'CF-Worker:$http_cf_worker';`

`CF-Worker` is added to all Worker subrequests sent via `fetch()`. It is set to the name of the zone which owns the Worker making the subrequest. For example, a Worker script on route for `foo.example.com/*` from `example.com` will have all subrequests with the header:

```
CF-Worker: example.com
```

The intended purpose of this header is to provide a means for recipients (for example, origins, load balancers, other Workers) to recognize, filter, and route traffic generated by Workers on specific zones.

Note

When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [cf.worker.upstream\_zone](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.worker.upstream%5Fzone/) field, which contains the same value and exists for the same purpose.

To block a specific Worker, add a `Block` action triggered by the expression `cf.worker.upstream_zone eq "example.com"`.

To block all Worker subrequests except those from your own zone's Worker, add a `Block` action triggered by the expression `not (cf.worker.upstream_zone in {"" "customer-zone.com"})`.

### Connection

For incoming requests, the value of this header will always be set to `Keep-Alive`. If the client set a different value, such as `close`, it will be overwritten. Note that this is also the case when the client uses HTTP/2 or HTTP/3 to connect.

### Considerations for Spectrum

When using Spectrum with a TCP application, these headers are not visible at the origin as they are HTTP headers. If you wish to utilize these in your application, there are two options:

* Use an HTTP or HTTPS Spectrum app instead of TCP
* Use the [Proxy Protocol feature](https://developers.cloudflare.com/spectrum/how-to/enable-proxy-protocol/)

## Response headers

Cloudflare will remove some HTTP headers from the response sent back to the visitor and add some Cloudflare-specific HTTP headers.

### Removed response headers

Cloudflare passes all HTTP headers in the response from the origin server back to the visitor with the exception of the following headers:

* `X-Accel-Buffering`
* `X-Accel-Charset`
* `X-Accel-Limit-Rate`
* `X-Accel-Redirect`
* `Alt-Svc`

### Added response headers

Cloudflare adds the HTTP headers specified below to the response sent to the visitor.

#### Cf-Ray

The `Cf-Ray` value returned to the visitor will be the same `Cf-Ray` value that was sent to the origin server.

#### Cf-Cache-Status

A list of all possible `Cf-Cache-Status` values is contained in [Cloudflare cache responses](https://developers.cloudflare.com/cache/concepts/cache-responses/).


---

---
title: Markdown for Agents
description: Markdown has quickly become the lingua franca for agents and AI systems as a whole. The format’s explicit structure makes it ideal for AI processing, ultimately resulting in better results while minimizing token waste.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Markdown for Agents

## What is Markdown for Agents

Markdown has quickly become the lingua franca for agents and AI systems as a whole. The format’s explicit structure makes it ideal for AI processing, ultimately resulting in better results while minimizing token waste.

Cloudflare's network supports real-time content conversion at the source, for enabled zones using [content negotiation ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Content%5Fnegotiation) headers. When AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for `text/markdown` in the request and our network will automatically and efficiently convert the HTML to Markdown, when possible, on the fly.

Read the [announcement ↗](https://blog.cloudflare.com/markdown-for-agents/) in our blog for more information.

## How to use

To fetch the Markdown version of any page from a zone with Markdown for Agents enabled, the client needs to add the `Accept` negotiation header with `text/markdown` as one of the options. Cloudflare will detect this, fetch the original HTML version from the origin, and convert it to Markdown before serving it to the client.

Here's a curl example with the `Accept` negotiation header requesting this page from our developer documentation:

```
curl https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/ \
  -H "Accept: text/markdown"
```

Or if you’re building an AI Agent using Workers, you can use TypeScript:

JavaScript

```
// Ask for the Markdown representation through content negotiation.
const r = await fetch(
  `https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/`,
  {
    headers: {
      Accept: "text/markdown",
    },
  },
);
// Estimated token count of the converted document.
const tokenCount = r.headers.get("x-markdown-tokens");
const markdown = await r.text();
```

TypeScript

```
// Ask for the Markdown representation through content negotiation.
const r = await fetch(
  `https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/`,
  {
    headers: {
      Accept: "text/markdown",
    },
  },
);
// Estimated token count of the converted document.
const tokenCount = r.headers.get("x-markdown-tokens");
const markdown = await r.text();
```

The response to this request is now formatted in Markdown:

```
HTTP/2 200
date: Wed, 11 Feb 2026 11:44:48 GMT
content-type: text/markdown; charset=utf-8
content-length: 2899
vary: accept
x-markdown-tokens: 725
content-signal: ai-train=yes, search=yes, ai-input=yes

---
title: Markdown for Agents · Cloudflare Agents docs
---

## What is Markdown for Agents

Markdown has quickly become the lingua franca for agents and AI systems
as a whole. The format’s explicit structure makes it ideal for AI processing,
ultimately resulting in better results while minimizing token waste.
...
```

### x-markdown-tokens

Note that we include an `x-markdown-tokens` header with the converted response that indicates the estimated number of tokens in the markdown document. You can use this value in your flow, for example to calculate the size of a context window or to decide on your chunking strategy.

### Content Signals Policy

[Content Signals ↗](https://contentsignals.org/) is a framework that allows anyone to express their preferences for how their content can be used after it has been accessed.

By default, Markdown for Agents converted responses include the `Content-Signal: ai-train=yes, search=yes, ai-input=yes` header, signaling that the content can be used for AI Training, Search results and AI Input, which includes agentic use. Markdown for Agents will provide options to define custom Content Signal policies in the future.
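A client can act on the `x-markdown-tokens` and `Content-Signal` headers described in the two sections above before it feeds a page to a model. The following is an added example, not Cloudflare's code: the function names, the heading-based split, the proportional token estimate, the 0.25 tokens-per-character fallback, and the choice to refuse only on an explicit `ai-input=no` are all assumptions of this sketch, and the sample response is constructed.

```javascript
// Added example, not Cloudflare's code. `headers` is any object exposing
// .get(name), such as the Headers returned by fetch() or a Map with
// lower-cased keys.

// "ai-train=yes, search=yes, ai-input=yes" -> { "ai-train": "yes", ... }
function parseContentSignal(value) {
  const signals = {};
  for (const part of String(value || "").split(",")) {
    const [key, val] = part.split("=").map((s) => s.trim().toLowerCase());
    if (key && val) signals[key] = val;
  }
  return signals;
}

// Decide whether a response can be used as agent input and, if so, pack its
// sections into chunks that fit budgetTokens (a positive number).
function planIngestion(headers, body, budgetTokens) {
  // Conversion happens "when possible": confirm Markdown actually came back.
  const type = (headers.get("content-type") || "").split(";")[0].trim().toLowerCase();
  if (type !== "text/markdown") {
    return { ok: false, reason: "not-converted", chunks: [] };
  }
  // Policy choice in this sketch: honour an explicit ai-input=no.
  const signals = parseContentSignal(headers.get("content-signal"));
  if (signals["ai-input"] === "no") {
    return { ok: false, reason: "ai-input-not-permitted", chunks: [] };
  }
  // The header is an estimate for the whole document; spread it over the
  // sections by character length. Fallback ratio is an assumption.
  const raw = headers.get("x-markdown-tokens") || "";
  const total = /^\d+$/.test(raw) ? Number(raw) : null;
  const perChar = total !== null && body.length > 0 ? total / body.length : 0.25;

  // Split in front of each Markdown heading so a chunk never starts mid-section.
  const sections = body.split(/^(?=#{1,6} )/m);
  const chunks = [];
  let current = { text: "", tokens: 0 };
  for (const section of sections) {
    const estimate = Math.ceil(section.length * perChar);
    if (current.text && current.tokens + estimate > budgetTokens) {
      chunks.push(current);
      current = { text: "", tokens: 0 };
    }
    current.text += section;
    current.tokens += estimate;
  }
  if (current.text) chunks.push(current);
  // A single section larger than the budget stays whole and is flagged so the
  // caller can split it further.
  return {
    ok: true,
    reason: null,
    estimatedTokens: total,
    chunks: chunks.map((c) => ({ ...c, overBudget: c.tokens > budgetTokens })),
  };
}

// Constructed sample: three 100-character sections and a 75-token estimate.
const sampleSection = (name) => `## ${name}\n` + "x".repeat(94) + "\n";
const SAMPLE_BODY = sampleSection("A") + sampleSection("B") + sampleSection("C");
const SAMPLE_HEADERS = new Map([
  ["content-type", "text/markdown; charset=utf-8"],
  ["x-markdown-tokens", "75"],
  ["content-signal", "ai-train=yes, search=yes, ai-input=yes"],
]);
```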

## How to enable


To enable Markdown for Agents for your zone in the dashboard:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and select your account (you need a Pro or Business plan).
2. Select the zone you want to configure.
3. Visit the [AI Crawl Control ↗](https://dash.cloudflare.com/?to=/:account/:zone/ai) section.
4. Enable **Markdown for Agents**.

### Enable for specific subdomains or paths

To enable Markdown for Agents for specific subdomains or paths instead of your entire zone, create a [configuration rule](https://developers.cloudflare.com/rules/configuration-rules/):

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and select your account.
2. Select the zone you want to configure.
3. Go to **Rules** \> **Overview** and select **Create rule** \> **Configuration Rules**.
4. Under **When incoming requests match**, build an expression to match your subdomain (for example, `http.host eq "docs.example.com"`) or path.
5. Under **Then the settings are**, select **Add setting** \> **Markdown for Agents** and set it to **On**.
6. Select **Deploy**.

To enable Markdown for Agents for your zone using APIs, send a `PATCH` to `/client/v4/zones/{zone_tag}/settings/content_converter` with the payload `{"value": "on"}` to the Cloudflare API.

You will need to create an API token with the Zone Settings edit permissions enabled.

Example:

Enable Markdown for Agents

```
curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_tag}/settings/content_converter' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer {api_token}" --data-raw '{"value": "on"}'
```

### Enable for specific subdomains or paths

To enable Markdown for Agents for specific subdomains or paths instead of your entire zone, create a [configuration rule](https://developers.cloudflare.com/rules/configuration-rules/create-api/):

Enable Markdown for Agents for a subdomain

```
curl --request PUT \
  --url "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_config_settings/entrypoint" \
  --header "Authorization: Bearer {api_token}" \
  --header "Content-Type: application/json" \
  --data '{
    "rules": [{
      "expression": "http.host eq \"docs.example.com\"",
      "action": "set_config",
      "action_parameters": {
        "content_converter": true
      },
      "description": "Enable Markdown for Agents for docs subdomain"
    }]
  }'
```

You can also use path-based expressions like `starts_with(http.request.uri.path, "/blog/")`. For more information on building expressions, refer to [Rules language](https://developers.cloudflare.com/ruleset-engine/rules-language/).

If you are using [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) and want to enable Markdown for Agents for your [custom hostnames](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/), you have two options:

### Enable for all custom hostnames

To enable Markdown for Agents for all custom hostnames on your SaaS zone:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/) and select your account.
2. Select your SaaS zone.
3. Look for **Quick Actions**.
4. Toggle the **Markdown for Agents** button to enable.

### Enable for specific custom hostnames

Enabling Markdown for Agents for specific custom hostnames requires an [advanced subscription](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/plans/) with access to [custom metadata](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/).

#### Step 1: Set custom metadata on the custom hostname

When creating or updating a custom hostname via API, add `content_converter` to the `custom_metadata` object:

```
curl --request PATCH \
  --url "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_hostnames/{custom_hostname_id}" \
  --header "Authorization: Bearer {api_token}" \
  --header "Content-Type: application/json" \
  --data '{
    "custom_metadata": {
      "content_converter": "enabled"
    }
  }'
```

#### Step 2: Create a Configuration Rule

Create a Configuration Rule on your SaaS zone that matches custom hostnames with the metadata and enables content conversion:

```
curl --request PUT \
  --url "https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_config_settings/entrypoint" \
  --header "Authorization: Bearer {api_token}" \
  --header "Content-Type: application/json" \
  --data '{
    "rules": [{
      "expression": "lookup_json_string(cf.hostname.metadata, \"content_converter\") eq \"enabled\"",
      "action": "set_config",
      "action_parameters": {
        "content_converter": true
      },
      "description": "Enable content converter for opted-in custom hostnames"
    }]
  }'
```

This will enable the feature on custom hostnames that have the `content_converter` custom metadata tag set.

## Availability and Pricing

Markdown for Agents is available to Pro, Business and Enterprise plans, and SSL for SaaS customers at no cost.

## Try it with Cloudflare

We have enabled this feature in our [Developer Documentation ↗](https://developers.cloudflare.com/) and our [Blog ↗](https://blog.cloudflare.com/), inviting all AI crawlers and agents to consume our content using markdown instead of HTML.

```
curl https://blog.cloudflare.com/markdown-for-agents/ \
  -H "Accept: text/markdown"
```

## Limitations

* We only convert from HTML; other types of documents may be included in the future.
* The origin response cannot exceed 2 MB (2,097,152 bytes).
* If the feature is enabled but responses are still `text/html`, contact [Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/) to verify your zone's compatibility.

## Other Markdown conversion APIs

If you’re building AI systems that require arbitrary document conversion from outside Cloudflare, or if Markdown for Agents is not available from the content source, we provide other ways to convert documents to Markdown for your applications:

* Workers AI [AI.toMarkdown() ↗](https://developers.cloudflare.com/workers-ai/features/markdown-conversion/) supports multiple document types and summarization.
* Browser Rendering [/markdown ↗](https://developers.cloudflare.com/browser-rendering/rest-api/markdown-endpoint/) REST API supports markdown conversion if you need to render a dynamic page or application in a real browser before converting it.


---

---
title: SCIM v1 to v2 Migration
description: Migrate from SCIM v1 Virtual Groups to Cloudflare’s GA SCIM User Groups
image: https://developers.cloudflare.com/core-services-preview.png
---


# SCIM v1 to v2 Migration

Cloudflare's first iteration of SCIM integration introduced a concept called _Virtual Groups_, typically identified by the pattern `CF-<accountID>-<Role Name>` in your IdP. Virtual Groups were an early implementation of group-based access control: they acted as placeholders created automatically by SCIM to map IdP groups to account memberships.

While customers could add or remove members from these groups within their IdP, Virtual Groups had important limitations:

* They could not be renamed or deleted in the IdP.
* They could not be managed within Cloudflare.
* Functionally, managing a Virtual Group was equivalent to syncing users and editing each member’s policies individually.

With the GA of [User Groups](https://developers.cloudflare.com/changelog/2025-06-23-user-groups-ga/), Virtual Groups are now deprecated. Customers should migrate to [User Groups](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/), which provide a more flexible and scalable way to assign and manage policies. To maintain SCIM synchronization with the Cloudflare Dashboard, we strongly recommend migrating to **SCIM User Groups**.

If you have never synced a group linked to a `CF-<accountID>-<Role Name>` Virtual Group from your IdP to Cloudflare, no action is needed.

## Migration steps

1. **Create a new SCIM integration** in your IdP using an [Account Owned Token](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/) provisioned in Cloudflare.
2. **Assign users & groups to your new Application** in your IdP, following a naming convention that aligns with your internal processes.
3. **Sync groups to Cloudflare** and verify they appear in the **User Groups** pane of the Cloudflare Dashboard.
4. **Attach permission policies** to the new User Groups so members inherit the correct access upon assignment to the group.
5. **Migrate users** into the new groups incrementally, testing synchronization of users & groups into the Cloudflare Dashboard.
6. **Clean up legacy resources** by removing SCIM v1 Virtual Groups and IdP mappings that follow the `CF-<accountID>-<Role Name>` pattern.

## More resources

* [User Groups changelog](https://developers.cloudflare.com/changelog/2025-06-02-user-groups-beta/)
* [User Groups documentation](https://developers.cloudflare.com/fundamentals/manage-members/user-groups/)
* [Create an Account Owned Token](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/#create-an-account-owned-token)
* [SCIM provisioning setup guide](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/)


---

---
title: Network Layers
description: Below is a list of the different layers that make up the open systems interconnection (OSI) model and the associated Cloudflare products.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Network Layers

Below is a list of the different layers that make up the [open systems interconnection (OSI) model ↗](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/) and the associated Cloudflare products.

Note

The list of related products is representative but not comprehensive.

| Network layer        | Protocol and related products                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 7 Application layer  | **HTTP, DNS** [Authoritative DNS](https://developers.cloudflare.com/dns), [Bot Management](https://developers.cloudflare.com/bots), [CDN](https://developers.cloudflare.com/cache/), [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/), [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) (outbound only), [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), [Load Balancing](https://developers.cloudflare.com/load-balancing/understand-basics/proxy-modes/), [Stream](https://developers.cloudflare.com/stream/), [WAF](https://developers.cloudflare.com/waf/) |
| 6 Presentation layer |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| 5 Session layer      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| 4 Transport layer    | **TCP/UDP** [Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/), [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) (outbound only), [Load Balancing](https://developers.cloudflare.com/load-balancing/understand-basics/proxy-modes/), [Spectrum](https://developers.cloudflare.com/spectrum/)                                                                                                                                                                                                                                                                                                                                                       |
| 3 Network layer      | **IP, GRE, any packet/protocol** [Cloudflare Network Firewall](https://developers.cloudflare.com/cloudflare-network-firewall/), [Magic Transit](https://developers.cloudflare.com/magic-transit), [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan)                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| 2 Datalink layer     | **Direct connection** [Cloudflare Network Interconnect (CNI)](https://developers.cloudflare.com/network-interconnect)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 1 Physical layer     | **Direct connection** [Cloudflare Network Interconnect (CNI)](https://developers.cloudflare.com/network-interconnect)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |


---

---
title: Network ports
description: Learn which network ports Cloudflare proxies by default and how to enable Cloudflare's proxy for additional ports.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Network ports

Learn which network ports Cloudflare proxies by default and how to enable Cloudflare's proxy for additional ports.

## Network ports compatible with Cloudflare's proxy

By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.

HTTP ports supported by Cloudflare

* 80
* 8080
* 8880
* 2052
* 2082
* 2086
* 2095

HTTPS ports supported by Cloudflare

* 443
* 2053
* 2083
* 2087
* 2096
* 8443

Ports supported by Cloudflare, but with caching disabled

* 2052
* 2053
* 2082
* 2083
* 2086
* 2087
* 2095
* 2096
* 8880
* 8443

Note

Enterprise customers that want to enable caching on these ports can do so by creating a [cache rule](https://developers.cloudflare.com/cache/how-to/cache-rules/settings/#caching-on-port-enterprise-only).

## How to enable Cloudflare's proxy for additional ports

If traffic for your domain is destined for a port other than the ones listed above (for example, you have an SSH server that listens for incoming connections on port 22), either:

* Change your subdomain to be [gray-clouded](https://developers.cloudflare.com/dns/proxy-status/), via your Cloudflare DNS app, to bypass the Cloudflare network and connect directly to your origin.
* Configure a [Spectrum application](https://developers.cloudflare.com/spectrum/get-started/) for the hostname running the server. Spectrum supports all ports. Spectrum for all TCP and UDP ports is only available on the Enterprise plan. If you would like to know more about Cloudflare plans, please reach out to your Cloudflare account team.

## How to block traffic on additional ports

Block traffic on ports other than 80 and 443 in Cloudflare paid plans by doing one of the following:

* If you are using [WAF managed rules (previous version)](https://developers.cloudflare.com/waf/reference/legacy/old-waf-managed-rules/), enable rule ID `100015` (`Anomaly:Port - Non Standard Port (not 80 or 443)`).
* If you are using the new [Cloudflare Web Application Firewall (WAF)](https://developers.cloudflare.com/waf/), enable rule ID ...664ed6fe  (`Anomaly:Port - Non Standard Port (not 80 or 443)`), which is disabled by default. This rule is part of the Cloudflare Managed Ruleset.

Ports 80 and 443 are the only ports compatible with:

* HTTP/HTTPS traffic within China data centers for domains that have the **China Network** enabled

Due to the nature of Cloudflare's anycast network, ports other than `80` and `443` will be open so that Cloudflare can serve traffic for other customers on these ports. In general, Cloudflare makes available several different products on [Cloudflare IPs ↗](https://www.cloudflare.com/ips), so you can expect tools like Netcat and security scanners to report these non-standard ports as open in specific conditions. If you have questions on security compliance, review [Cloudflare's certifications and compliance resources ↗](https://www.cloudflare.com/en-gb/trust-hub/compliance-resources/) and contact your Cloudflare enterprise account manager for more information.

  
The WAF's [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) includes a rule that will block traffic at the application layer (layer 7 in the [OSI model ↗](https://www.cloudflare.com/learning/ddos/glossary/open-systems-interconnection-model-osi/)), preventing HTTP/HTTPS requests over non-standard ports from reaching the origin server.

Note

[Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/) does not support port numbers in URLs. Port numbers are stripped from requests for URLs protected through Cloudflare Access.

## Related resources

* [Managing DNS records at Cloudflare](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/)


---

---
title: Partners
description: Cloudflare Technology Partners offer purpose-built integrations with our products, providing expanded functionality for our users. Learn how to configure these integrations with our tutorials and how-to guides.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Partners

[Cloudflare Technology Partners ↗](https://www.cloudflare.com/partners/technology-partners/) offer purpose-built integrations with our products, providing expanded functionality for our users. Learn how to configure these integrations with our tutorials and how-to guides.

## Analytics integrations

Learn how to configure a variety of products with Cloudflare Analytics:

* [ Datadog ](https://developers.cloudflare.com/analytics/analytics-integrations/datadog/)
* [ Graylog ](https://developers.cloudflare.com/analytics/analytics-integrations/graylog/)
* [ New Relic ](https://developers.cloudflare.com/analytics/analytics-integrations/new-relic/)
* [ Splunk ](https://developers.cloudflare.com/analytics/analytics-integrations/splunk/)
* [ Sentinel ](https://developers.cloudflare.com/analytics/analytics-integrations/sentinel/)

## Cloudflare Network Interconnect

Connect your network infrastructure with Cloudflare [network connectivity partners](https://developers.cloudflare.com/network-interconnect/get-started/#connectivity-partners) for increased reliability and security.

## Cloudflare Zero Trust Technology Partners

Our third-party integrations allow you to deploy the Cloudflare One Client application and configure devices remotely.

* [ Fleet ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/fleet/)
* [ Hexnode ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/hexnode/)
* [ Intune ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/intune/)
* [ Jamf ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/jamf/)
* [ JumpCloud ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/jumpcloud/)
* [ Kandji ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/partners/kandji/)

## Cloudflare Logs

Enterprise customers have access to detailed logs of the metadata generated by our products, and logs from Cloudflare solutions can be pushed to a variety of log management providers and storage services.

* [ Enable Cloudflare R2 ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/r2/)
* [ Enable HTTP destination ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/http/)
* [ Enable Amazon S3 ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/aws-s3/)
* [ Enable S3-compatible endpoints ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/s3-compatible-endpoints/)
* [ Enable Datadog ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/datadog/)
* [ Enable Elastic ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/elastic/)
* [ Enable Google Cloud Storage ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/google-cloud-storage/)
* [ Enable BigQuery ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/bigquery/)
* [ Enable Microsoft Azure ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/azure/)
* [ Enable New Relic ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/new-relic/)
* [ Enable SentinelOne ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/sentinelone/)
* [ Enable Splunk ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/splunk/)
* [ Enable Sumo Logic ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/sumo-logic/)
* [ Enable Amazon Kinesis ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/kinesis/)
* [ Enable IBM QRadar ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/ibm-qradar/)
* [ Enable IBM Cloud Logs ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/ibm-cloud-logs/)
* [ Enable other providers ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/other-providers/)
* [ Third-party integrations ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/third-party/)
* [ Dedicated Egress IP for Logpush ](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/egress-ip/)

## Cloudflare Technology Partners for Cloudflare WAN

Cloudflare WAN (formerly Magic WAN) integrates with a number of third-party partners, which enables our users to securely route their Internet traffic.

* [ Alibaba Cloud VPN Gateway ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/alibaba-cloud/)
* [ Amazon AWS Transit Gateway ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/aws/)
* [ Aruba EdgeConnect Enterprise ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/aruba-edgeconnect/)
* [ Cisco IOS XE ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/cisco-ios-xe/)
* [ Cisco SD-WAN ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/viptela/)
* [ Fortinet ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/fortinet/)
* [ Furukawa Electric FITELnet ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/fitelnet/)
* [ Google Cloud VPN ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/google/)
* [ Juniper Networks SRX Series Firewalls ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/juniper/)
* [ Microsoft Azure ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/azure/)
* [ Oracle Cloud ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/oracle/)
* [ Palo Alto Networks NGFW ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/palo-alto/)
* [ pfSense ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/pfsense/)
* [ SonicWall ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/sonicwall/)
* [ Sophos Firewall ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/sophos-firewall/)
* [ strongSwan ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/strongswan/)
* [ Ubiquiti ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/ubiquiti/)
* [ Velocloud ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/velocloud/)
* [ VyOS ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/vyos/)
* [ Yamaha RTX Router ](https://developers.cloudflare.com/cloudflare-wan/configuration/manually/third-party/yamaha/)


---

---
title: Cloudflare Cookies
description: Cloudflare uses various cookies to maximize network resources, manage traffic, and protect our customers’ sites from malicious traffic.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare Cookies

Cloudflare uses various cookies to maximize network resources, manage traffic, and protect our customers’ sites from malicious traffic.

## Understanding the Cloudflare Cookies

As defined in our [Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/), all the cookies listed below are strictly necessary to provide the services requested by our customers, unless otherwise stated.

As mentioned in our Privacy Policy, Cloudflare encourages our customers to disclose the use of these cookies to their end users. In some jurisdictions, customers may be required by law to disclose these cookies to their end users.

By default, cookie data may be processed in Cloudflare's data center in the United States and is subject to the cross-border data transfer section 7 of the Cloudflare [Privacy Policy ↗](https://www.cloudflare.com/privacypolicy/). Customers who use the [Data Localization Suite](https://developers.cloudflare.com/data-localization/) can control where cookie data is processed (with [Regional Services](https://developers.cloudflare.com/data-localization/regional-services/)) and logged (using the [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/)).

### \_\_cflb cookie for Cloudflare Load Balancer session affinity

When enabling session affinity with [Cloudflare Load Balancer](https://developers.cloudflare.com/load-balancing/understand-basics/session-affinity/), Cloudflare sets a `__cflb` cookie with a unique value on the first response to the requesting client. Cloudflare routes future requests to the same origin, optimizing network resource usage. In the event of a failover, Cloudflare sets a new `__cflb` cookie to direct future requests to the failover pool.

The `__cflb` cookie allows Cloudflare to return an end user to the same customer origin for a specific period of time configured by the customer. This allows the end user to have a seamless experience (for example, this cookie is used for keeping an end user’s items in a shopping cart while they continue to navigate around the website). This cookie is a session cookie that lasts from several seconds up to 24 hours.

Note

Currently Cloudflare only supports Session Affinity in "orange-cloud" (proxied) mode.

### \_\_cf\_bm cookie for Cloudflare bot products

Cloudflare's [bot products](https://developers.cloudflare.com/bots/) identify and mitigate automated traffic to protect your site from bad bots. Cloudflare places the `__cf_bm` cookie on end-user devices that access customer sites protected by Bot Management or Bot Fight Mode. The `__cf_bm` cookie is necessary for these bot solutions to function properly.

This cookie expires after 30 minutes of continuous inactivity by the end user. The cookie contains information related to the calculation of Cloudflare's proprietary bot score and, when Anomaly Detection is enabled on Bot Management, a session identifier. The information in the cookie (other than time-related information) is encrypted and can only be decrypted by Cloudflare.

A separate `__cf_bm` cookie is generated for each site that an end user visits, as Cloudflare does not track users from site to site or from session to session. The `__cf_bm` cookie is generated independently by Cloudflare, and does not correspond to any user ID or other identifiers in a customer's web application.

Note

Bot Management is available to Enterprise customers as an add-on service. Contact your Cloudflare account team to enable Bot Management for your site. Non-Enterprise customers can enable [Bot Fight Mode or Super Bot Fight Mode](https://developers.cloudflare.com/bots/).

You can disable the `__cf_bm` cookie using the `bm_cookie_enabled` field [via the API](https://developers.cloudflare.com/api/resources/bot%5Fmanagement/methods/update/).

### \_\_cfseq cookie for Cloudflare bot products

[Sequence rules](https://developers.cloudflare.com/bots/additional-configurations/sequence-rules/) use cookies to track the order of requests a user has made and the time between requests, and make them available via [Cloudflare Rules](https://developers.cloudflare.com/rules/). This allows you to write rules that match valid or invalid sequences. The specific cookies used to validate sequences are called sequence cookies.

### cf\_clearance cookie for Cloudflare bot products

The `cf_clearance` cookie is required for [JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/). JavaScript detections are stored in the `cf_clearance` cookie.

### cf\_ob\_info and cf\_use\_ob cookie for Cloudflare Always Online

The `cf_ob_info` cookie provides information on:

* The HTTP Status Code returned by the origin web server
* The Ray ID of the original failed request
* The data center serving the traffic

The `cf_use_ob` cookie informs Cloudflare to fetch the requested resource from the Always Online cache on the designated port. Applicable values are: 0, 80, and 443. The `cf_ob_info` and `cf_use_ob` cookies are persistent cookies that expire after 30 seconds.

### \_\_cfwaitingroom for Cloudflare Waiting Room

[Cloudflare's Waiting Room](https://developers.cloudflare.com/waiting-room/) product enables a waiting room for a particular host and path combination within a zone. Visitors are put in the waiting room and provided an estimate of when they will be allowed to access the application, if not immediately available.

The `__cfwaitingroom` cookie is only used to track visitors that access a waiting room enabled host and path combination for a zone. Visitors using a browser that does not accept cookies cannot visit the host and path combination while the waiting room is active. For more details, refer to [Waiting Room cookies](https://developers.cloudflare.com/waiting-room/reference/waiting-room-cookie/).

### \_\_cfruid to support Cloudflare Rate Limiting (previous version)

The `__cfruid` cookie is strictly necessary to support Cloudflare Rate Limiting products. As part of our Rate Limiting solution, this cookie is required to manage incoming traffic and to have better visibility on the origin of a particular request.

### \_cfuvid for Rate Limiting Rules

The Rate Limiting Rules product uses a number of techniques for applying rate limits to traffic where multiple unique visitors share the same IP address, such as traffic from behind a NAT. These techniques can be enabled by using the `cf.unique_visitor_id` field in the rate limiting configuration.

The `_cfuvid` cookie is only set when a site uses this option in a Rate Limiting Rule, and is only used to allow the Cloudflare WAF to distinguish individual users who share the same IP address. Visitors who do not provide the cookie are likely to be grouped together and may not be able to access the site if there are many other visitors from the same IP address.

### Additional cookies used by the Challenge Platform

The table below shows additional cookies used by the Challenge Platform.

| Cookie Name                                     | Description                                                                                                                                            |
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| cf\_clearance                                   | Clearance Cookie stores the proof of challenge passed. It is used to no longer issue a challenge if present. It is required to reach an origin server. |
| cf\_chl\_rc\_i; cf\_chl\_rc\_ni; cf\_chl\_rc\_m | These cookies are for internal use and allow Cloudflare to identify production issues on clients.                                                      |

Warning

If your website is not [using HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/encrypt-visitor-traffic/), you may experience issues with the [cf\_clearance cookie](https://developers.cloudflare.com/waf/troubleshooting/samesite-cookie-interaction/#known-issues-with-samesite-and-cf%5Fclearance-cookies).

### Cloudflare Access cookies

To review Cloudflare Access cookies and their behavior, refer to [Access cookies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-cookies).

---

---
title: Compliance documentation
description: Super Administrators can access common compliance documentation, such as PCI, SOC 2, ISO, and more, through the Cloudflare dashboard.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Compliance documentation

Super Administrators can access common compliance documentation, such as PCI, SOC 2, ISO, and more, through the Cloudflare dashboard.

To access compliance documentation:

1. Visit [Compliance Documents ↗](https://dash.cloudflare.com/?to=/:account/compliance-docs) and select your account where you are a **Super Administrator**.
2. If you have not accessed this page before, read the confidentiality statement and select **I Agree**.
3. Choose the document you need and select **Download**.

Note

For confidentiality purposes, only **Super Administrators** for an account can access compliance documentation.

## Public data protection and compliance documentation

Information and documents about Cloudflare's privacy & data protection are available on our public website at [cloudflare.com/trust-hub/ ↗](https://www.cloudflare.com/trust-hub/).

On the [Trust Hub ↗](https://www.cloudflare.com/trust-hub/), you will find information & documents related to:

* Privacy Policy
* Data Processing Addendum (DPA)
* Europe General Data Protection Regulation (GDPR)
* Brazil General Data Protection Law (LGPD)
* Japan Act on the Protection of Personal Information (APPI)
* Singapore Personal Data Protection Act (PDPA)
* South Korea Personal Information Protection Act (PIPA)
* India Digital Personal Data Protection Bill (DPDP)
* Australia Privacy Act
* United States California Consumer Privacy Act (CCPA) & Consumer Privacy Rights Act (CPRA)
* EU Digital Operational Resilience Act (DORA)
* ISO 27001:2022
* ISO 27701:2019
* ISO 27018:2019
* FedRAMP Moderate
* SOC 2 Type II
* PCI DSS 4.0
* Global CBPR
* Global PRP
* EU Cloud Code of Conduct
* Cyber Essentials
* C5:2020
* ENS
* IRAP
* BSI Qualification
* WCAG 2.1 AA and Section 508

## Tax documentation

Super Administrators, Billing Administrators, and Administrators can access tax documentation, such as W-9 and Tax Certificates, through the Cloudflare dashboard.

To access tax documentation:

1. Visit [Tax Documents ↗](https://dash.cloudflare.com/?to=/:account/tax-docs) and select your account where you are a **Super Administrator**, **Billing Administrator** or **Administrator**.
2. Choose the document you need and select **Download**.

---

---
title: Content Security Policies (CSPs)
description: A Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including:
image: https://developers.cloudflare.com/core-services-preview.png
---

# Content Security Policies (CSPs)

A **Content Security Policy (CSP)** is an added layer of security that helps detect and mitigate certain types of attacks, including:

* Content/code injection
* Cross-site scripting (XSS)
* Embedding malicious resources
* Malicious iframes (clickjacking)

To learn more about configuring a CSP in general, refer to the [Mozilla documentation ↗](https://developer.mozilla.org/docs/web/http/csp).

## Using a CSP with Cloudflare

Cloudflare's [CDN](https://developers.cloudflare.com/cache/) is compatible with CSP.

Cloudflare does not:

* Modify CSP headers from the origin web server (except when using Zaraz, to ensure the [Zaraz script is always running ↗](https://blog.cloudflare.com/cloudflare-zaraz-supports-csp/)).
* Require changes to acceptable sources for first or third-party content.
* Modify URLs (besides adding the [/cdn-cgi/ endpoint](https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/) and [Cloudflare Fonts](https://developers.cloudflare.com/speed/optimization/content/fonts/), which rewrites Google Fonts URLs).
* Interfere with locations specified in your CSP.

If you require the CSP headers to be changed or added, you can change them using some Cloudflare products:

* If your website is [proxied](https://developers.cloudflare.com/dns/proxy-status/) through Cloudflare, you can use a [response header transform rule](https://developers.cloudflare.com/rules/transform/response-header-modification/) to replace or add CSP headers.
* If your website is hosted using [Cloudflare Pages](https://developers.cloudflare.com/pages/), you can set a [\_headers file](https://developers.cloudflare.com/pages/configuration/headers/) to modify or add CSP headers.

### Product requirements

To use certain Cloudflare features, however, you may need to update the headers in your CSP:

| Feature(s)                                                                                             | Updated headers                                                                                                                                                                      |
| ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Rocket Loader](https://developers.cloudflare.com/speed/optimization/content/rocket-loader/)           | script-src 'self' ajax.cloudflare.com;                                                                                                                                               |
| [Scrape Shield](https://developers.cloudflare.com/waf/tools/scrape-shield/)                            | script-src 'self' 'unsafe-inline'                                                                                                                                                    |
| [Web Analytics](https://developers.cloudflare.com/web-analytics/)                                      | script-src static.cloudflareinsights.com; connect-src cloudflareinsights.com                                                                                                         |
| [Bot products](https://developers.cloudflare.com/bots/)                                                | Refer to [JavaScript detections and CSPs](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/javascript-detections/#if-you-have-a-content-security-policy-csp). |
| [Client-side security](https://developers.cloudflare.com/client-side-security/) (formerly Page Shield) | Refer to [CSP header format](https://developers.cloudflare.com/client-side-security/reference/csp-header/).                                                                          |
| [Zaraz](https://developers.cloudflare.com/zaraz/)                                                      | No updates required ([details ↗](https://blog.cloudflare.com/cloudflare-zaraz-supports-csp/)).                                                                                       |
| [Turnstile](https://developers.cloudflare.com/turnstile/)                                              | Refer to [Turnstile CSP](https://developers.cloudflare.com/turnstile/reference/content-security-policy/).                                                                            |
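
The following added example (not Cloudflare's code and not part of the original page) merges the sources from the table above into an existing policy. The feature keys and function names are hypothetical; the example also handles the `default-src` fallback, `'none'`, and nonce-based policies, which the table does not cover.

```javascript
// Added example, not Cloudflare code. Source lists are copied from the
// "Product requirements" table; the feature keys are hypothetical names.
const REQUIRED_SOURCES = {
  rocketLoader: { "script-src": ["'self'", "ajax.cloudflare.com"] },
  scrapeShield: { "script-src": ["'self'", "'unsafe-inline'"] },
  webAnalytics: {
    "script-src": ["static.cloudflareinsights.com"],
    "connect-src": ["cloudflareinsights.com"],
  },
};

// Parse a CSP header value into Map<directive, sources[]>. Directive names
// are case-insensitive, and browsers ignore a repeated directive, so only
// the first occurrence is kept.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function serializeCsp(policy) {
  return [...policy]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

const hasSource = (list, source) =>
  list.some((s) => s.toLowerCase() === source.toLowerCase());
const isNonceOrHash = (s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s);

// Return the merged header plus warnings about additions that browsers
// will ignore or that weaken the policy.
function mergeCloudflareSources(header, features) {
  const policy = parseCsp(header);
  for (const feature of features) {
    if (!Object.prototype.hasOwnProperty.call(REQUIRED_SOURCES, feature)) {
      throw new Error(`unknown feature: ${feature}`);
    }
    for (const [directive, sources] of Object.entries(REQUIRED_SOURCES[feature])) {
      let current = policy.get(directive);
      if (current === undefined) {
        // A new directive replaces the default-src fallback for its fetch
        // type, so seed it with what default-src already allowed.
        const fallback = policy.get("default-src");
        if (fallback === undefined) continue; // fetch type is unrestricted
        current = [...fallback];
      }
      // 'none' is only valid on its own; drop it before adding sources.
      current = current.filter((s) => s.toLowerCase() !== "'none'");
      for (const source of sources) {
        if (!hasSource(current, source)) current.push(source);
      }
      policy.set(directive, current);
    }
  }
  const warnings = [];
  const script = policy.get("script-src") || [];
  if (hasSource(script, "'unsafe-inline'")) {
    warnings.push(
      script.some(isNonceOrHash)
        ? "script-src: 'unsafe-inline' is ignored because a nonce or hash is present"
        : "script-src: 'unsafe-inline' permits injected inline scripts"
    );
  }
  if (hasSource(script, "'strict-dynamic'")) {
    warnings.push("script-src: 'strict-dynamic' makes browsers ignore host sources");
  }
  return { header: serializeCsp(policy), warnings };
}

// Constructed sample policy, not taken from a real site.
const sample = "default-src 'self'; img-src *";
console.log(mergeCloudflareSources(sample, ["webAnalytics"]).header);
```

The resulting header value can be applied with a response header transform rule or a Pages `_headers` file, as described above.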

---

---
title: Project Cybersafe Schools
description: Project Cybersafe Schools grants eligible schools free access to Cloudflare's Email security and Gateway products.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Project Cybersafe Schools

Project Cybersafe Schools grants eligible schools free access to Cloudflare's [Email security](https://developers.cloudflare.com/email-security/) and [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) products.

## School Eligibility

This program is only available to eligible school districts. To be eligible, Project Cybersafe Schools participants must:

* Be K-12 public school districts located in the United States.
* Have up to 2,500 students in the district.

## Children’s Internet Protection Act (CIPA)

The [Children's Internet Protection Act (CIPA) ↗](https://www.fcc.gov/sites/default/files/childrens%5Finternet%5Fprotection%5Fact%5Fcipa.pdf) is a federal law enacted by the United States Congress to address concerns about children's access to inappropriate or harmful content over the Internet. CIPA requires K-12 schools and libraries that receive certain federal funding to implement Internet safety measures to protect minors from harmful online content.

The law aims to prevent students from accessing explicit, obscene, or otherwise harmful material. It also emphasizes the use of technology protection measures, including DNS filtering, to safeguard against Internet threats such as ransomware, phishing sites, and other potentially harmful content.

### CIPA Requirements

CIPA mandates that K-12 schools and libraries adopt Internet safety policies that include measures to block or filter access to specific categories of content. These categories encompass a wide range of topics that could be harmful or inappropriate for minors. Compliance with these requirements helps ensure that students' online experiences are safer and more secure.

### Configuration

To facilitate compliance with CIPA requirements, administrators can [enable a single filtering policy option](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/common-policies/#turn-on-cipa-filter). This includes applying the required filter categories to block access to unwanted or harmful online content.

Note

It is important to note that while our recommended CIPA compliance rule covers the essential filter categories, CIPA is designed to be flexible, allowing administrators to adjust filtering policies based on local standards and requirements.

Administrators should carefully assess their specific location and userbase to determine if additional categories may need to be added or modified to ensure comprehensive protection.

Cloudflare’s recommended CIPA rule blocks the following content subcategories:

* Adult Themes
* Alcohol
* Anonymizer
* Brand Embedding
* Child Abuse
* Command and Control & Botnet
* Cryptomining
* DGA Domains
* DNS Tunneling
* Drugs
* Gambling
* Hacking
* Malware
* Militancy, Hate & Extremism
* Nudity
* P2P
* Phishing
* Pornography
* Private IP Address
* Profanity
* Questionable Activities
* School Cheating
* Spam
* Spyware
* Tobacco
* Violence
* Weapons

Review the [domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) for more information.

### Onboarding Guide

For a comprehensive guide, refer to the [Project Cybersafe Schools Learning Path](https://developers.cloudflare.com/learning-paths/cybersafe/concepts/), which takes you step by step through the technical concepts, creating an account, onboarding your traffic, and enabling the CIPA filters.

---

---
title: Delivering Videos with Cloudflare
description: Cloudflare launched in 2010 believing everyone deserves a secure, fast, reliable web presence. We did not think you should have to pay more when you came under cyber attack, so we offered free and fixed-rate pricing for websites. That worked because most websites do not consume much bandwidth, and so we could provide our services in an affordable way to everyone. From the beginning, we prohibited streaming video content using our bandwidth. While you could embed a video from another provider, we limited your ability to use our services to deliver video bits from our network to your visitors. This restriction exists because every second of a typical video requires as much bandwidth as loading a full web page.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Delivering Videos with Cloudflare

## Using Cloudflare's Services

Cloudflare launched in 2010 believing everyone deserves a secure, fast, reliable web presence. We did not think you should have to pay more when you came under cyber attack, so we offered free and fixed-rate pricing for websites. That worked because most websites do not consume much bandwidth, and so we could provide our services in an affordable way to everyone. From the beginning, we prohibited streaming video content using our bandwidth. While you could embed a video from another provider, we limited your ability to use our services to deliver video bits from our network to your visitors. This restriction exists because every second of a typical video requires as much bandwidth as loading a full web page.

Over time we recognized that some of our customers wanted to stream video using our network. To accommodate them, we developed our [Stream ↗](https://www.cloudflare.com/products/cloudflare-stream/) product. Stream delivers great performance at an affordable rate charged based on how much load you place on our network.

Unfortunately, while most people respect these limitations and understand they exist to ensure high quality of service for all Cloudflare customers, some users attempt to misconfigure our service to stream video in violation of our [Terms of Service ↗](https://www.cloudflare.com/en-gb/website-terms/). We want to make sure our service is great for everyone, including public service initiatives we run like [Project Galileo ↗](https://www.cloudflare.com/galileo/), [The Athenian Project ↗](https://www.cloudflare.com/athenian/), and [Project Fair Shot ↗](https://www.cloudflare.com/fair-shot/). A handful of people misusing our service limits our ability to run these initiatives.

The following are some recommendations for using Cloudflare's services based on what may have brought you to this page.

---

## I'm a website operator and my content was redirected for Terms of Service violations

If you are on a Free, Pro, or Business Plan and your application appears to be serving videos or a disproportionate amount of large files without using the appropriate paid service as described below, Cloudflare may redirect your content or take other actions to protect quality of service. When this happens, you will receive an email notification regarding Cloudflare's actions and your options.

## Options for web admins to remove redirects

* **Serve redirected content from a grey-clouded sub-domain**
* **Serve redirected content from a paid service as outlined below**

## Delivering videos with Cloudflare using paid products

Cloudflare permits the delivery of video content with specific paid services. If you are interested in serving video content, there are two recommended options.

### Option 1: Cloudflare Stream

[Stream ↗](https://www.cloudflare.com/products/cloudflare-stream/) is a video-on-demand platform for building video applications. Stream encodes, stores, and delivers optimized video formatted for different devices and network connections.

To get started with Stream, visit **Stream** from your Dashboard or [sign up ↗](https://dash.cloudflare.com/sign-up/stream). Your Stream videos are not attached to a domain in your Cloudflare account, and you do not need a domain on Cloudflare to use Stream.

### Option 2: Stream Delivery (Enterprise only)

[Stream Delivery ↗](https://www.cloudflare.com/products/stream-delivery/) offers caching and delivery of video content through Cloudflare data centers around the globe. This CDN feature is only available on the Cloudflare Enterprise Plan. Please [contact sales ↗](https://www.cloudflare.com/products/stream-delivery/#) if you'd like to explore this option.

---

## Getting information on the content you are delivering

If you need more information about the content your zone is serving (for example, content type), you can use the following tools:

* Cache Analytics users: Open the **Caching tab** on the Dashboard to filter by content type and identify the type of traffic you are transferring.
* Users without Cache Analytics: Open the **Analytics tab** on the Dashboard and select the **Performance** section for information about the content you are serving.
![Cache Analytics - Identify type of traffic being transferred](https://developers.cloudflare.com/_astro/traffic-types.DW2gSjnB_2uhSj3.webp) 

## Still have questions? Contact support

If you have additional questions about redirection (e.g. if you believe your content was redirected in error and have supporting evidence), file a [support ticket ↗](https://dash.cloudflare.com/redirect?account=support) and include the following information:

* Name of your domain
* Description of the problem
* Description of the content you're serving through Cloudflare's network

---

---
title: Licenses
description: All documentation in the Cloudflare Workers documentation website, including reference documentation and tutorials, is licensed under the CC-BY-SA 4.0 license. Any contributions to the GitHub repository for this project will be licensed under CC-BY-SA 4.0: thanks for your contributions!
image: https://developers.cloudflare.com/core-services-preview.png
---

# Licenses

All documentation in the Cloudflare Workers documentation website, including reference documentation and tutorials, is licensed under the [CC-BY-SA 4.0 ↗](https://creativecommons.org/licenses/by-sa/4.0/) license. Any contributions to the [GitHub repository ↗](https://github.com/cloudflare/cloudflare-docs) for this project will be licensed under CC-BY-SA 4.0: thanks for your contributions!

Code contributions, such as snippets in the [Template Gallery](https://developers.cloudflare.com/workers/examples/) and the code that serves this website via Cloudflare Workers, are licensed under the [Apache License, Version 2.0 ↗](https://www.apache.org/licenses/LICENSE-2.0) and [The MIT License ↗](https://opensource.org/licenses/MIT).

---

---
title: Redirects
description: Cloudflare offers a variety of ways to perform URL redirects, which tell a visitor's browser that the location of a page has been changed.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Redirects

Cloudflare offers a variety of ways to perform URL redirects, which tell a visitor's browser that the location of a page has been changed.

Use the following table to determine when to use each option.

| Option                                                                                       | Use when                                                  |
| -------------------------------------------------------------------------------------------- | --------------------------------------------------------- |
| [Single redirects](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/) | As a default option.                                      |
| [Bulk redirects](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/)     | When you have a large number of static redirects.         |
| [Pages redirects](https://developers.cloudflare.com/pages/configuration/redirects/)          | If you have a Pages project.                              |
| [Workers redirect](https://developers.cloudflare.com/workers/examples/redirect/)             | When the other redirects do not meet your needs.          |
| [Page Rules](https://developers.cloudflare.com/rules/page-rules/how-to/url-forwarding/)      | If you already rely on Page Rules for other requirements. |

---

---
title: Abuse
description: Learn how to report DMCA issues, phishing, trademark infringement, malware sites, child exploitation material, and more to Cloudflare’s Trust and Safety team.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Abuse

Cloudflare offers security and reliability services to millions of websites, helping prevent online abuse and make the Internet more secure.

When it comes to reports of abuse on websites that use our services, our ability to respond depends on the type of Cloudflare service at issue. Most abuse reports we receive pertain to websites that use our pass-through security and content delivery network (CDN) services, while far fewer reports relate to websites using our registrar services or our services to host content at the edge. Because Cloudflare offers a variety of Internet infrastructure services to users, our abuse reporting system is designed with those different services in mind.

## Resources

* [Read abuse policy ↗](https://www.cloudflare.com/trust-hub/abuse-approach/)
* [Review complaint types](https://developers.cloudflare.com/fundamentals/reference/report-abuse/complaint-types/)
* [Providing specific URLs](https://developers.cloudflare.com/fundamentals/reference/report-abuse/provide-specific-urls/)
* [Submit abuse report ↗](https://www.cloudflare.com/abuse/form)

---

---
title: Customer abuse report obligations
description: Cloudflare permits any interested party to submit abuse reports directly to Cloudflare via abuse.cloudflare.com.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Customer abuse report obligations

Cloudflare permits any interested party to submit abuse reports directly to Cloudflare via [abuse.cloudflare.com ↗](https://abuse.cloudflare.com/).

Abuse reports may be submitted for suspected copyright or trademark infringement, illegal or harmful content (for example, child sex abuse materials), technical abuse (for example, phishing or malware), or other reasons.

You may receive an abuse report from our Trust & Safety team if an abuse report identifies a URL for a domain associated with your Cloudflare account. If you do not provide or monitor an abuse contact, Cloudflare will send abuse reports to your hosting provider.

Our Trust & Safety team sends abuse reports to the domain owner or the abuse point of contact on your account.

To assist with timely resolution and avoid potential service interruptions:

* Confirm that the [abuse contact email address](https://developers.cloudflare.com/fundamentals/account/account-security/abuse-contact/) associated with your account is actively managed and monitored for potential abuse report notifications.
* Consider using a mailing list email address that goes to multiple people or teams within your organization instead of the email address for an individual person.
* Respond to any abuse report notification within 24 hours. In your response, include any information that you believe will be relevant to Cloudflare in its assessment of the abuse report. Failure to respond in a timely manner or to address the concerns in the abuse report may result in the removal or blocking of reported content, websites, or apps and suspension or termination of Cloudflare services for the associated account.

---

---
title: Complaint types
description: Use Cloudflare's online abuse form to report different types of abuse.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Complaint types

Use Cloudflare's [online abuse form ↗](https://abuse.cloudflare.com/) to report different types of abuse.

---

## DMCA complaints

Valid [Digital Millennium Copyright Act (DMCA) ↗](https://www.copyright.gov/dmca/) complaints must provide all of the following details:

* A physical or electronic signature (typing your full name is valid) of the copyright owner or a person authorized to act on their behalf.
* Identification of the infringed copyright (for example, a link to your original work or clear description of the materials allegedly infringed upon).
* Identification of the infringing material and information reasonably sufficient to allow Cloudflare to locate the material on the infringing website (for example, a [link to the site](https://developers.cloudflare.com/fundamentals/reference/report-abuse/provide-specific-urls/) where the infringed copyrighted material appears).
* Your contact information, including your address, telephone number, and email address.
* A statement that you believe, in good faith, that the use of the material in the manner asserted is not authorized by the copyright owner, its agent, or the law.
* A statement that the information in the notification is accurate, and, under penalty of perjury, that you are authorized to act on behalf of the copyright owner.

---

## Phishing

Valid phishing reports must provide all of the following details:

* The domain in question.
* The specific link to the phishing page.

After Cloudflare confirms the existence of the phishing page, Cloudflare provides a warning page to visitors accessing the phishing link. Cloudflare also notifies the site owner to clean the malicious files from their origin web server.

---

## Trademark infringement

Cloudflare only acknowledges abuse reports from trademark holders or their legally authorized representatives.

For more details about what information is required, refer to [our abuse form ↗](https://abuse.cloudflare.com/).

---

## Malware sites

Legitimate reports of malware URLs are blocked from loading via Cloudflare.

For more details about what information is required, refer to [our abuse form ↗](https://abuse.cloudflare.com/).

---

## Child exploitation material

Cloudflare promptly responds to all valid reports of child exploitation material. When Cloudflare is made aware of a website solely dedicated to the sharing or promotion of child exploitation material, the offending website is immediately removed from our network without notice.

For an expedited review, report child exploitation material via our [abuse form ↗](https://abuse.cloudflare.com/).

Our Trust & Safety team files a complaint with the [National Center for Missing and Exploited Children ↗](http://www.missingkids.com/gethelpnow#onlinechildexploitation) but suggests that you also file a complaint.

---

---
title: Providing specific URLs
description: Learn how to provide specific asset URLs when submitting an abuse report.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Providing specific URLs

If you are [submitting an abuse report ↗](https://abuse.cloudflare.com) to Cloudflare because our IP address appears in the WHOIS and DNS records for a website, it is very likely that the website is one of millions of websites that use our pass-through security and content distribution network (CDN) services. Because assets on the same website may be hosted by different providers, it is important that you submit the URL for that specific asset to enable appropriate action. This guide will teach you how to identify URLs for specific videos or images on a webpage.

## Get the URL for specific content

To get the URL for a specific piece of content on a webpage:

1. Open your web browser (Google Chrome, Safari, Firefox, Edge).
2. Go to the web page you want to report.
3. Right-click on the content you wish to report (often a video or image).
4. Select **Inspect Element**.
5. In the **DevTools** panel, look for the **src** attribute in the selected image, video, or iframe.  
![Look for the URL in the src attribute of the video or image](https://developers.cloudflare.com/_astro/identify-url.o_PP6jZ2_1rmxgw.webp)
6. Copy the URL.

Providing the most specific and helpful URL enables Cloudflare to correctly identify any services it may be providing with respect to that content.

## Submitting the abuse report

Once you have identified the URL for the specific asset, you can [submit an abuse report ↗](https://abuse.cloudflare.com) through Cloudflare's online abuse reporting process.

You can learn more about the process, and what you can expect from Cloudflare in response to such abuse reports, from [our abuse policy ↗](https://www.cloudflare.com/trust-hub/reporting-abuse/).

---

---
title: Review abuse policies
image: https://developers.cloudflare.com/core-services-preview.png
---

# Review abuse policies

---

---
title: View and submit reports
description: Cloudflare helps you prevent online abuse and make your website more secure. If abuse is identified on your website, Cloudflare gives you a mechanism to present your grievances to the party best positioned to address them.
image: https://developers.cloudflare.com/core-services-preview.png
---

# View and submit reports

## Submit reports

Cloudflare helps you prevent online abuse and make your website more secure. If abuse is identified on your website, Cloudflare gives you a mechanism to present your grievances to the party best positioned to address them.

Cloudflare offers three ways for you to submit an abuse report:

* Public form: Refer to [Submit an Abuse Report ↗](https://abuse.cloudflare.com/) to learn more.
* The Cloudflare dashboard, on the **Abuse reports** page.  
[ Go to **Abuse reports** ](https://dash.cloudflare.com/?to=/:account/abuse-reports)  
Optionally, filter the reports based on date, report status, report type, and domain.
* The Cloudflare API: Use the [Abuse Reports API](https://developers.cloudflare.com/api/resources/abuse%5Freports/) to submit an abuse report.

## View submitted reports

Users with Admin, Super Admin, or Trust & Safety roles can view any abuse reports submitted and accepted against the content associated with their account.

1. In the Cloudflare dashboard, go to the **Abuse reports** page.  
[ Go to **Abuse reports** ](https://dash.cloudflare.com/?to=/:account/abuse-reports)
2. Optionally, filter the reports based on date, report status, report type, and domain.

If there was a mitigation against your website due to the abuse allegation, you may have the opportunity to request a review on that mitigation. Cloudflare will then review your request and potentially remove the mitigation.

## Receive notifications

You can enable abuse notifications for your account to configure email, webhook, or PagerDuty alerts about new abuse reports against your websites.

For help setting up alerts, refer to [Configure Cloudflare notifications](https://developers.cloudflare.com/notifications/get-started/).

---

---
title: Scans and penetration testing policy
description: Customers may conduct scans and penetration tests (with certain restrictions) on application and network-layer aspects of their own assets, such as their zones within their Cloudflare accounts, provided they adhere to Cloudflare's policy.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Scans and penetration testing policy

Customers may conduct scans and penetration tests (with certain restrictions) on application and network-layer aspects of their own assets, such as their [zones](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones) within their Cloudflare accounts, provided they adhere to Cloudflare's policy.

## Permitted targets

All scans or testing must be limited to the following:

* Customer-owned IPs
* Cloudflare's designated public IPs
* The customer's registered DNS entries

Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only allowed as part of Cloudflare's Public Bug Bounty program. Refer to the [Additional resources](#additional-resources) section for more information.

## Scans

* **Throttling**: Scans should be throttled to a reasonable rate to prevent disruptions and ensure stable system performance.
* **Scope and intent**: Scans should identify the presence of vulnerabilities without attempting to actively exploit any detected weaknesses.
* **Exclusions**: It is recommended to exclude [/cdn-cgi/ endpoints](https://developers.cloudflare.com/fundamentals/reference/cdn-cgi-endpoint/) from scans to avoid false positives or irrelevant results.
* **Compliance checks**: Customers may conduct [PCI compliance scans](https://developers.cloudflare.com/fundamentals/security/pci-scans/) or verify that [known vulnerabilities](https://developers.cloudflare.com/ssl/reference/compliance-and-vulnerabilities/#known-vulnerabilities-mitigations) have been addressed.

## Penetration tests

Before starting a penetration test on your [zones](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones), set the following application security configurations for each zone you will run the test on:

1. [Deploy the Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/#deploy-in-the-dashboard) and [enable all rules](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/#ruleset-level-configuration) in the ruleset by setting **Ruleset status** to **Enabled**.
2. [Deploy the Cloudflare OWASP Core Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/configure-dashboard/#deploy-in-the-dashboard) and set the following [ruleset configuration](https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/configure-dashboard/#ruleset-level-configuration):  
   * **Paranoia Level**: _PL4_  
   * **Score threshold**: _High - 25 and higher_
3. [Create a custom rule](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/) based on the [WAF attack score](https://developers.cloudflare.com/waf/detections/attack-score/) to block requests considered as an attack (WAF attack score between 1 and 20). Refer to the [WAF attack score](https://developers.cloudflare.com/waf/detections/attack-score/#1-create-a-custom-rule) documentation for an example.
4. [Create a custom rule](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/) based on [malicious uploads detection](https://developers.cloudflare.com/waf/detections/malicious-uploads/) to block requests containing content objects considered malicious. Refer to [Example rules](https://developers.cloudflare.com/waf/detections/malicious-uploads/example-rules/#block-requests-to-uri-path-with-a-malicious-content-object) for examples of custom rules used to mitigate this kind of threat.
5. On Pro and Business plans without Bot Management, [enable Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/#enable-super-bot-fight-mode).  
Customers with access to Bot Management should make sure that [Bot Management is enabled](https://developers.cloudflare.com/bots/get-started/bot-management/#enable-bot-management-for-enterprise) (it is enabled by default on entitled zones).
6. [Create rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/) to protect key endpoints of the zone being tested. Refer to [Rate limiting rule examples](https://developers.cloudflare.com/waf/rate-limiting-rules/use-cases/) and [Rate limiting best practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/) for example configurations.

Be aware that other Cloudflare security and performance features, configurations, and rules active on your account or zone can influence test results.

After completing the test, it is recommended that you review your security posture and make any necessary adjustments based on the findings.

### Important remarks

* Cloudflare's [anycast network](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/) will report ports other than `80` and `443` as open due to its shared infrastructure and the nature of Cloudflare's proxy. The reporting is expected behavior and does not indicate a vulnerability.
* Tools like Netcat may list [non-standard HTTP ports](https://developers.cloudflare.com/fundamentals/reference/network-ports/) as open; however, these ports are open solely for Cloudflare's routing purposes and do not necessarily indicate that a connection can be established with the customer's origin over those ports.
* **Known false positives**: Any findings related to the [ROBOT vulnerability](https://developers.cloudflare.com/ssl/reference/compliance-and-vulnerabilities/#return-of-bleichenbachers-oracle-threat-robot) are false positives when the customer's assets are behind Cloudflare.
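
The remarks above and the `/cdn-cgi/` exclusion under Scans only describe addresses served by Cloudflare's proxy, so the same finding on a directly exposed origin IP still needs review. The following triage sketch is an added example, not Cloudflare code: the finding format, the `triage` and `summarize` helpers, and the proxy range (an RFC 5737 documentation range standing in for Cloudflare's published IP list) are all assumptions.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# ASSUMPTION: placeholder range from RFC 5737 documentation space, standing in
# for the proxy IP ranges Cloudflare publishes. Load the real list in practice.
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
PROXIED_HTTP_PORTS = {80, 443}


def behind_proxy(ip):
    """True when the scanned address belongs to the proxy, not to the origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def triage(finding):
    """Classify one scanner finding as a (verdict, reason) pair."""
    if not behind_proxy(finding["ip"]):
        # The documented exceptions describe the edge only; origin findings stand.
        return "review", "address is not a proxy IP, treat as a real finding"

    kind = finding["kind"]
    if kind == "open_port" and finding["port"] not in PROXIED_HTTP_PORTS:
        return "expected", "anycast edge reports ports other than 80/443 as open"
    if kind == "tls" and finding["check"].upper() == "ROBOT":
        return "false_positive", "ROBOT is a known false positive behind the proxy"
    if kind == "http":
        path = urlsplit(finding["url"]).path
        if path == "/cdn-cgi" or path.startswith("/cdn-cgi/"):
            return "excluded", "/cdn-cgi/ endpoints are recommended scan exclusions"
    return "review", "no documented exception applies"


def summarize(findings):
    """Count findings per verdict."""
    return Counter(triage(f)[0] for f in findings)


# Constructed sample findings (hypothetical scanner output, not real data).
SAMPLE_FINDINGS = [
    {"ip": "203.0.113.10", "kind": "open_port", "port": 8443},
    {"ip": "203.0.113.10", "kind": "open_port", "port": 443},
    {"ip": "203.0.113.10", "kind": "tls", "check": "robot"},
    {"ip": "203.0.113.10", "kind": "http", "url": "https://shop.example/cdn-cgi/trace"},
    {"ip": "203.0.113.10", "kind": "http", "url": "https://shop.example/admin/login"},
    {"ip": "198.51.100.7", "kind": "open_port", "port": 8443},  # origin reached directly
    {"ip": "198.51.100.7", "kind": "tls", "check": "ROBOT"},    # origin reached directly
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        verdict, reason = triage(f)
        print(f"{verdict:15} {f['ip']:14} {reason}")
    print(dict(summarize(SAMPLE_FINDINGS)))
```
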

## Denial-of-Service (DoS) tests

For guidelines on required notification and necessary information, refer to [Simulating test DDoS attacks](https://developers.cloudflare.com/ddos-protection/reference/simulate-ddos-attack/). Customers should also familiarize themselves with Cloudflare's [DDoS protection best practices](https://developers.cloudflare.com/ddos-protection/best-practices/).

## Additional resources

* Customers can download the latest Penetration Test Report of Cloudflare via the [dashboard](https://developers.cloudflare.com/fundamentals/reference/policies-compliances/compliance-docs/).
* For information about Cloudflare's Public Bug Bounty program, visit [HackerOne ↗](https://hackerone.com/cloudflare).

---

---
title: SDK ecosystem support policy
description: Unless otherwise stated in the code repository, Cloudflare only provides active support for the latest major version of a library or tool. The exception to this policy is for critical security fixes, which will be reviewed on a case-by-case basis and take the vulnerability, impact, and mitigation required into consideration.
image: https://developers.cloudflare.com/core-services-preview.png
---

# SDK ecosystem support policy

## Lifecycle

Unless otherwise stated in the code repository, Cloudflare only provides active support for the latest major version of a library or tool. The exception to this policy is for critical security fixes, which will be reviewed on a case-by-case basis and take the vulnerability, impact, and mitigation required into consideration.

We provide three primary stages of development: early access, active support, and end of life.

Note

These lifecycle stages may be referred to in different terms across Cloudflare products, but the underlying principles are the same.

### Early access

During this stage, Cloudflare makes SDK changes available that we are seeking feedback on prior to releasing for general usage. Early access will often include warning labels or caveats on functionality that is subject to change without notice. In general, early access SDKs are not suitable for production systems unless explicitly mentioned.

### Active support

During the active support stage, planned changes and support are offered for the library or tool.

### End of life

During the end of life stage, a new major version of the library or tool is released and Cloudflare marks the previous major version as no longer receiving improvements or bug fixes. If you continue to run end of life versions, support will be very limited.

![All lifecycle stages and their relation to one another](https://developers.cloudflare.com/_astro/support-policy.ClhHS_PO_2n4aVN.webp "All lifecycle stages and their relation to one another")

## Previous or end of life versions

While Cloudflare cannot provide support for all older versions of our libraries or tools, we do not remove those versions so they can continue to be used without direct support.

## Versioning

The SDK ecosystem follows semantic versioning, which defines versions as follows:

* MAJOR version when there are backward-incompatible changes made.
* MINOR version when functionality is added in a backward-compatible manner.
* PATCH version for backward-compatible bug fixes (without any improvements).

Warning

As Cloudflare has recently swapped to [automatically generating our libraries using OpenAPI ↗](https://blog.cloudflare.com/lessons-from-building-an-automated-sdk-pipeline), we have relaxed the strict versioning requirements on the libraries (Terraform is not changing). Minor releases _may_ contain breaking changes in the forms of method, structure, or type renames as the service owners stabilize their schemas and iterate on usability improvements.

If this is not suitable for your use case, pin to a known good version or use the previous major version of the library.

Depending on your needs, you should ensure your application's package manager versioning is configured correctly. At a minimum, restrict installation to the current major version of the library or tool you are using to prevent any major version upgrades occurring automatically.
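
One way to check that a manifest follows this guidance, as an added example that is not Cloudflare tooling: it assumes an npm-style `package.json`, and the package names, versions, and the `classify` and `audit` helpers are hypothetical. A range that admits a new major version fails, and a range that admits new minor versions is flagged because of the warning above.

```python
import json
import re

CORE = r"(\d+)\.(\d+)\.(\d+)"


def classify(spec):
    """Return the widest upgrade an npm-style range installs without a manifest edit."""
    spec = spec.strip()
    if spec in ("", "*", "x", "latest"):
        return "major"                      # any future major version is accepted
    if re.fullmatch(r"=?\s*" + CORE, spec):
        return "none"                       # exact pin
    m = re.fullmatch(r"([~^])\s*" + CORE, spec)
    if m:
        op, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
        if op == "~":
            return "patch"                  # ~4.2.0 := >=4.2.0 <4.3.0
        if major > 0:
            return "minor"                  # ^4.2.0 := >=4.2.0 <5.0.0
        # npm narrows the caret below 1.0.0: ^0.9.1 is patch-only, ^0.0.3 is exact.
        return "patch" if minor > 0 else "none"
    if re.fullmatch(r"\d+(\.[x*])?", spec):
        return "minor"                      # "4" or "4.x"
    if re.fullmatch(r">=?\s*" + CORE, spec):
        return "major"                      # lower bound with no upper bound
    return "unknown"                        # compound ranges, pre-releases, URLs


VERDICT = {
    "none": "ok",
    "patch": "ok",
    "minor": "warn",     # minor releases may contain breaking changes
    "major": "fail",     # major upgrades would occur automatically
    "unknown": "review",
}


def audit(manifest_text, packages):
    """Map each watched package to (range, verdict) for a package.json document."""
    manifest = json.loads(manifest_text)
    report = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if name in packages:
                report[name] = (spec, VERDICT[classify(spec)])
    return report


# Constructed manifest; the package names and versions are hypothetical.
SAMPLE_MANIFEST = """
{
  "dependencies": {
    "sdk-caret": "^4.2.0",
    "sdk-exact": "4.2.0",
    "sdk-floor": ">=3.0.0",
    "sdk-zero-caret": "^0.9.1"
  },
  "devDependencies": {
    "sdk-tag": "latest",
    "unrelated-tool": "*"
  }
}
"""
PACKAGES = {"sdk-caret", "sdk-exact", "sdk-floor", "sdk-zero-caret", "sdk-tag"}

if __name__ == "__main__":
    for name, (spec, verdict) in audit(SAMPLE_MANIFEST, PACKAGES).items():
        print(f"{verdict:7} {name:16} {spec}")
```
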

## Migration

Where possible, Cloudflare provides an automated approach to performing major version upgrades to limit the disruption using codemods. Review the library or tool-specific release notes for how to use these migration tools.

Alongside the automatic migration approach, we provide documentation on the changes that have taken place in case you need to make the changes manually.

## Related resources

* [Semantic versioning definitions ↗](https://semver.org/)
* [Cloudflare's Terraform documentation](https://developers.cloudflare.com/terraform/)

---

---
title: TCP connections
description: The following section explains how Cloudflare directs traffic efficiently with anycast routing and serves as an intermediary between users and origin servers. The second part covers TCP connections and keep-alives for performance optimization, and lastly, TCP Fast Open (TFO), a protocol extension that enhances the speed of TCP connections.
image: https://developers.cloudflare.com/core-services-preview.png
---

# TCP connections

The following section explains how Cloudflare directs traffic efficiently with anycast routing and serves as an intermediary between users and origin servers. The second part covers TCP connections and keep-alives for performance optimization, and lastly, TCP Fast Open (TFO), a protocol extension that enhances the speed of TCP connections.

## How Cloudflare connects user to origin

Users connect to Cloudflare by sending requests from their devices to Cloudflare's global network. Cloudflare connects to the origin server by acting as an intermediary between the user and the origin.

```mermaid
flowchart LR
accTitle: Connections with Cloudflare
A[Visitor] <-- Connection --> B[Cloudflare global network] <-- Connection --> C[Origin server]
```

User traffic is routed to the nearest Cloudflare data center based on the shortest [Border Gateway Protocol ↗](https://www.cloudflare.com/learning/security/glossary/what-is-bgp/) (BGP) path, thanks to [anycast ↗](https://www.cloudflare.com/learning/cdn/glossary/anycast-network/) routing. Cloudflare then processes the request. In case a request is not served from Cloudflare’s data centers, Cloudflare will open a connection to the origin server to forward the request.

## TCP connections and keep-alives

HTTP (Hypertext Transfer Protocol) is a [Layer 7 ↗](https://en.wikipedia.org/wiki/OSI%5Fmodel) application protocol that operates over TCP. By default, HTTP opens a new TCP connection for each request-response cycle, which can lead to performance overhead due to the repeated connection establishment and teardown.

Keep-Alives are a mechanism that bridges TCP and HTTP, and allow a single TCP connection to remain open for multiple HTTP requests and responses. This minimizes the connection overhead and latency associated with establishing new TCP connections for each web resource. Keep-Alives improve the efficiency and responsiveness of web applications by facilitating the reuse of existing connections, reducing network traffic, and enhancing user experience.

TCP connections can persist even after HTTP requests have concluded. However, to manage resources efficiently, idle connections are typically terminated after a certain period of inactivity. To enhance connection reuse and minimize connection overhead, keep-alives are employed. These mechanisms collectively optimize the performance and reliability of web applications while conserving network resources.

If either a user or an origin does not respond to two keep-alives, Cloudflare will sever the connection by sending a TCP Reset (RST) packet.

For connections to users, Cloudflare has a default idle timeout of 400 seconds. After the 400 seconds, Cloudflare will start sending keep-alive probes every 75 seconds. If nine consecutive probes are unanswered, Cloudflare will sever the connection by sending an RST packet.

Note

Be aware that even with keep-alives, Cloudflare cannot guarantee that a connection stays open: besides idleness, other causes such as capacity balancing, data center maintenance, or node restarts can lead to disconnections. With this in mind, applications should be structured to handle disconnections gracefully.

TCP connection settings between the user and Cloudflare, and between Cloudflare and Origin can be customized for Enterprise customers. Reach out to your account team for more details.

## TCP Fast Open (TFO)

[TCP Fast Open ↗](https://en.wikipedia.org/wiki/TCP%5FFast%5FOpen) (TFO) is a protocol extension that can significantly improve the speed of establishing TCP connections by allowing data to be sent in the initial SYN packet, rather than requiring a separate handshake before data transmission begins. TFO can reduce latency and improve website and application performance, particularly on high-latency networks. Cloudflare supports TFO on user connections.

When a client initiates a connection to a web server protected by Cloudflare, it sends a TCP SYN packet to request a connection. Cloudflare, acting as a reverse proxy, intercepts the SYN packet and responds with a SYN-ACK packet to establish the connection. With TFO enabled, Cloudflare can also send initial data (such as HTTP request data) in the SYN-ACK packet, eliminating the need for an additional round-trip for data transmission. The client receives the SYN-ACK packet with data and acknowledges it with an ACK packet. This fast tracks the connection setup.


---

---
title: Troubleshooting
description: When you set up Cloudflare, you may experience the following issues or error messages.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting

When you [set up Cloudflare](https://developers.cloudflare.com/fundamentals/account/), you may experience the following issues or error messages.

## Error messages

* [ERR\_TOO\_MANY\_REDIRECTS](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/)
* [525 or 526 errors](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/)
* [Cannot add DNS records with the same name](https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/)
* [ERR\_SSL\_VERSION\_OR\_CIPHER\_MISMATCH or SSL\_ERROR\_NO\_CYPHER\_OVERLAP](https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mismatch/)
* [DNS\_PROBE\_FINISHED\_NXDOMAIN](https://developers.cloudflare.com/dns/troubleshooting/dns-probe-finished-nxdomain/)
* [Record exposing origin server IP address](https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/exposed-ip-address/)
* [Mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/)
* [SSL errors appear in my browser](https://developers.cloudflare.com/ssl/troubleshooting/general-ssl-errors/)

## Behavior

* [Why are Cloudflare's IPs in my origin web server logs?](https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/)
* [Is Cloudflare attacking me?](#is-cloudflare-attacking-me)
* [Cannot add domain to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/troubleshooting/cannot-add-domain/)
* [My domain’s email stopped working](https://developers.cloudflare.com/dns/troubleshooting/email-issues/)
* [Why is my site served over HTTP instead of HTTPS?](https://developers.cloudflare.com/ssl/edge-certificates/encrypt-visitor-traffic/)
* [SSL is not working for my second-level subdomain, such as dev.www.example.com](https://developers.cloudflare.com/ssl/troubleshooting/general-ssl-errors/#only-some-of-your-subdomains-return-ssl-errors)
* [Why was my domain deleted from Cloudflare?](https://developers.cloudflare.com/dns/zone-setups/troubleshooting/domain-deleted/)

## Cloudflare

* [Gather information to troubleshoot site issues](https://developers.cloudflare.com/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/)
* [Contact Cloudflare support](https://developers.cloudflare.com/support/contacting-cloudflare-support/)
* [Manage email notifications](https://developers.cloudflare.com/fundamentals/user-profiles/customize-account/#notifications)

## General resources

* [DNS FAQ](https://developers.cloudflare.com/dns/faq/)
* [SSL/TLS FAQ](https://developers.cloudflare.com/ssl/faq/)

## Is Cloudflare attacking me

Two common scenarios falsely lead to the perception that Cloudflare is attacking your site:

* Unless you [restore the original visitor IP addresses](https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/), Cloudflare IP addresses appear in your server logs for all proxied requests.
* The attacker is spoofing Cloudflare's IPs. Cloudflare only [sends traffic to your origin web server over a few specific ports](https://developers.cloudflare.com/fundamentals/reference/network-ports/) unless you use [Cloudflare Spectrum](https://developers.cloudflare.com/spectrum/).

Ideally, because Cloudflare is a reverse proxy, your hosting provider observes attack traffic connecting from [Cloudflare IP addresses ↗](https://www.cloudflare.com/ips/). In contrast, if you notice connections from IP addresses that do not belong to Cloudflare, the attack is going directly to your origin web server. Cloudflare cannot stop attacks sent directly to your origin IP address because the traffic bypasses Cloudflare's network.

Note

If an attacker is directly targeting your origin web server, refer to [Proactive DDoS defense best practices](https://developers.cloudflare.com/ddos-protection/best-practices/proactive-defense/).
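
One way to tell these cases apart in your own logs, as an added example (not Cloudflare's code): the script classifies each logged connection as proxied through Cloudflare, arriving from a Cloudflare address on a port you do not expect, or going directly to the origin. The log format, the sample lines, the port set, and the ranges in `PLACEHOLDER_CF_RANGES` are constructed assumptions; load the current ranges from https://www.cloudflare.com/ips/ before using it.

```python
import ipaddress
import re
from collections import Counter

# PLACEHOLDER ranges taken from documentation address space, NOT real
# Cloudflare ranges. Replace with the list at https://www.cloudflare.com/ips/.
PLACEHOLDER_CF_RANGES = ["198.51.100.0/24", "2001:db8:cf::/48"]

# Assumption: proxied traffic is only expected on these origin ports.
# Replace with the ports from the network ports reference for your setup.
EXPECTED_PORTS = frozenset({80, 443})

# Constructed log format: "<timestamp> src=<ip> dport=<port> ..."
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)")

PROXIED = "proxied-via-cloudflare"
UNEXPECTED_PORT = "cloudflare-ip-unexpected-port"
DIRECT = "direct-to-origin"
UNPARSED = "unparsed"

# Constructed sample lines (documentation addresses only).
SAMPLE_LOG = """\
2024-05-01T12:00:01Z src=198.51.100.7 dport=443 "GET / HTTP/1.1" 200
2024-05-01T12:00:02Z src=198.51.100.9 dport=443 "GET /login HTTP/1.1" 200
2024-05-01T12:00:03Z src=203.0.113.50 dport=443 "GET / HTTP/1.1" 200
2024-05-01T12:00:03Z src=203.0.113.50 dport=443 "GET / HTTP/1.1" 200
2024-05-01T12:00:04Z src=198.51.100.7 dport=22 "-" -
2024-05-01T12:00:05Z src=2001:db8:cf::1 dport=80 "GET / HTTP/1.1" 301
garbage line
""".splitlines()


def load_networks(cidrs):
    """Parse CIDR strings into network objects once, up front."""
    return [ipaddress.ip_network(c) for c in cidrs]


def classify(line, networks, expected_ports=EXPECTED_PORTS):
    """Return one of the four verdict constants for a single log line."""
    m = LINE_RE.search(line)
    if not m:
        return UNPARSED
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return UNPARSED
    in_cf = any(src.version == n.version and src in n for n in networks)
    if not in_cf:
        # Source is outside the proxy ranges: the request bypassed Cloudflare.
        return DIRECT
    if int(m.group("dport")) not in expected_ports:
        # A Cloudflare source address on a port Cloudflare would not use
        # for this origin is consistent with a spoofed source address.
        return UNEXPECTED_PORT
    return PROXIED


def summarize(lines, networks):
    """Count verdicts and tally the sources that reached the origin directly."""
    counts = Counter()
    direct_sources = Counter()
    for line in lines:
        verdict = classify(line, networks)
        counts[verdict] += 1
        if verdict == DIRECT:
            direct_sources[LINE_RE.search(line).group("src")] += 1
    return counts, direct_sources


if __name__ == "__main__":
    totals, direct = summarize(SAMPLE_LOG, load_networks(PLACEHOLDER_CF_RANGES))
    for verdict, n in totals.most_common():
        print(f"{verdict:32} {n}")
    for src, n in direct.most_common():
        print(f"direct source {src}: {n} requests")
```

A high `direct-to-origin` count means the origin address is known to the sender, which is the case where restoring visitor IPs will not help and origin-side filtering is needed.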


---

---
title: Under Attack mode
description: Cloudflare's Under Attack mode performs additional security checks to help mitigate layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked. It is designed to be used as one of the last resorts when a zone is under attack (and will temporarily pause access to your site and impact your site analytics).
image: https://developers.cloudflare.com/core-services-preview.png
---


# Under Attack mode

Cloudflare's Under Attack mode performs additional security checks to help mitigate layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked. It is designed to be used as one of the last resorts when a zone is under attack (and will temporarily pause access to your site and impact your site analytics).

When enabled, visitors receive an interstitial page.

## Turn on Under Attack mode

Under Attack mode is turned off by default for your zone.

### Globally

To put your entire zone in Under Attack mode:

1. In the Cloudflare dashboard, select your account and zone from the **Account home** page.  
[ Go to **Account home** ](https://dash.cloudflare.com/?to=/:account/home)
2. In the zone overview page, turn on **Under Attack Mode** in the **Quick Actions** sidebar.

### Selectively

To enable Under Attack mode for specific pages or sections of your site, use a [configuration rule](https://developers.cloudflare.com/rules/configuration-rules/) to adjust the **Security Level**.

**When incoming requests match**

* **Field:** _URI Path_
* **Operator:** _starts with_
* **Value:** `/admin`

If you are using the Expression Editor, enter the following expression:  
`(starts_with(http.request.uri.path, "/admin"))`

**Then the settings are**

1. For **I'm Under Attack**, select **Add**.
2. Switch the toggle to **On**.

To turn it on for specific ASNs (hosts/ISPs that own IP addresses), countries, or IP ranges, use [IP Access Rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/).

---

## Preview Under Attack mode

To preview what Under Attack mode looks like for your visitors:

1. In the Cloudflare dashboard, go to the **Configurations** page.  
[ Go to **Configurations** ](https://dash.cloudflare.com/?to=/:account/configurations)
2. Go to **Custom Pages**.
3. For **Managed Challenge / I'm Under Attack Mode™**, select **Custom Pages** \> **View default**.

The `Checking your browser before accessing...` challenge determines whether to block or allow a visitor within five seconds. After passing the challenge, the visitor does not observe another challenge until the duration configured in [Challenge Passage](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/) expires.

---

## Potential issues

Because Under Attack mode requires the browser to support JavaScript to display and pass the interstitial page, an impact on third-party analytics tools is expected.


---

---
title: Scan for PCI compliance
description: PCI scanners are tools used to identify security weaknesses. When a business undergoes a compliance audit, PCI scan results are used for compliance verification.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Scan for PCI compliance

Note

Cloudflare is PCI certified as a Data Processor. Refer to [PCI compliance and vulnerabilities mitigation](https://developers.cloudflare.com/ssl/reference/compliance-and-vulnerabilities) and Cloudflare's PCI DSS Responsibility Matrix for more information.

PCI scanners are tools used to identify security weaknesses. When a business undergoes a compliance audit, PCI scan results are used for compliance verification.

## Initiate a scan

1. Identify which server your scan should target. Are you scanning against your origin server, where your applications are hosted, or against a proxy server sitting in front of your origin, such as Cloudflare?
2. On your scanner tool, enter a public URL or an IP address. If you enter a public website URL, the scanner will resolve the hostname and scan the resulting IP address. To scan your origin server, be sure to enter your origin server's IP address or a hostname that resolves to the origin server's IP, not a proxy server.
3. Start the scan and analyze the results.
4. (Optional) Run another scan for a different origin server.

### Open ports versus blocked traffic

Cloudflare's anycast network operates in a way that keeps ports other than 80 and 443 open, allowing it to serve traffic for other customers on these ports.

However, customers can easily block all unwanted traffic to these ports by using Cloudflare [WAF Managed Rules](https://developers.cloudflare.com/fundamentals/reference/network-ports/#how-to-block-traffic-on-additional-ports) or [custom rules](https://developers.cloudflare.com/waf/custom-rules/). The PCI scan will show the ports being open, but the traffic will not reach your origin server. This concern is often misunderstood.

## Additional resources

You can find all our public compliance resources in the following pages:

* [Certifications and compliance resources ↗](https://www.cloudflare.com/trust-hub/compliance-resources/)
* [Compliance documentation](https://developers.cloudflare.com/fundamentals/reference/policies-compliances/compliance-docs/)

You can access Compliance documents in the Cloudflare dashboard by selecting your account where you are a Super Administrator and then navigating to **Support** \> **Compliance Documents**.


---

---
title: Prevent DDoS attacks
image: https://developers.cloudflare.com/core-services-preview.png
---


# Prevent DDoS attacks


---

---
title: Protect your origin server
description: Your origin server is a physical or virtual machine that is not owned by Cloudflare and hosts your application content (data, webpages, etc.).
image: https://developers.cloudflare.com/core-services-preview.png
---


# Protect your origin server

Your [origin server ↗](https://www.cloudflare.com/learning/cdn/glossary/origin-server) is a physical or virtual machine that is not owned by Cloudflare and hosts your application content (data, webpages, etc.).

Receiving too many requests can be bad for your origin. These requests might increase latency for visitors, incur higher costs — particularly for cloud-based machines — and could knock your application offline.

## Secure origin connections

Securing origin connections prevents attackers from discovering your origin server and overloading it with requests.

* **DNS**:  
   1. **Proxy records** (when possible): Set up [proxied (orange-clouded) DNS records](https://developers.cloudflare.com/dns/proxy-status/) to hide your origin IP addresses and provide DDoS protection. As part of this, you should [allow Cloudflare IP addresses](https://developers.cloudflare.com/fundamentals/concepts/cloudflare-ip-addresses/) at your origin to prevent requests from being blocked.  
   2. **Review DNS-only records**: Audit existing **DNS-only** records (`SPF`, `TXT`, and more) to make sure they do not contain origin IP information.  
   3. **Evaluate mail infrastructure**: If possible, do not host a mail service on the same server as the web resource you want to protect, since emails sent to non-existent addresses get bounced back to the attacker and reveal the mail server IP.  
   4. **Rotate origin IPs**: Once [onboarded](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/#verify-changes), rotate your origin IPs, as DNS records are in the public domain. Historical records are kept and would contain the IP addresses used prior to joining Cloudflare.
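
The record review and mail checks in the list above can be scripted. The following is an added example, not part of Cloudflare's documentation or tooling: it takes a list of zone records and the origin IPs you want to keep private, and reports DNS-only address records, SPF `ip4:`/`ip6:` mechanisms, and MX targets that reveal them. The record tuple layout and all sample values are constructed for illustration.

```python
import ipaddress
import re

# Constructed zone data: (name, type, content, proxied).
SAMPLE_RECORDS = [
    ("example.com", "A", "192.0.2.10", True),
    ("www.example.com", "A", "192.0.2.10", True),
    ("direct.example.com", "A", "192.0.2.10", False),
    ("mail.example.com", "A", "192.0.2.10", False),
    ("example.com", "MX", "10 mail.example.com.", False),
    ("example.com", "TXT",
     "v=spf1 ip4:192.0.2.0/28 include:_spf.example.net -all", False),
    ("example.com", "TXT", "site-verification=abc123", False),
    ("status.example.com", "A", "203.0.113.20", False),
]

# Matches the address or CIDR that follows an SPF ip4:/ip6: mechanism.
SPF_IP_RE = re.compile(r"\bip[46]:([0-9A-Fa-f:.]+(?:/\d{1,3})?)")


def _covers(cidr_text, origin_ips):
    """True if an SPF ip4:/ip6: value (address or CIDR) covers an origin IP."""
    try:
        net = ipaddress.ip_network(cidr_text, strict=False)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for ip in origin_ips)


def audit(records, origin_ips):
    """Return (name, type, reason) for every record that exposes an origin IP."""
    origin_ips = {ipaddress.ip_address(ip) for ip in origin_ips}
    findings = []
    exposed_hosts = set()

    # Pass 1: DNS-only address records that point straight at the origin.
    # Proxied records are skipped because resolvers never see their content.
    for name, rtype, content, proxied in records:
        if rtype in ("A", "AAAA") and not proxied:
            try:
                addr = ipaddress.ip_address(content)
            except ValueError:
                continue
            if addr in origin_ips:
                exposed_hosts.add(name.rstrip(".").lower())
                findings.append(
                    (name, rtype, "DNS-only record resolves to origin IP"))

    # Pass 2: records that leak the origin indirectly.
    for name, rtype, content, proxied in records:
        if rtype == "TXT":
            for value in SPF_IP_RE.findall(content):
                if _covers(value, origin_ips):
                    findings.append(
                        (name, rtype, f"SPF mechanism {value} covers origin IP"))
        elif rtype == "MX":
            target = content.split()[-1].rstrip(".").lower()
            if target in exposed_hosts:
                findings.append(
                    (name, rtype, f"mail host {target} shares the origin IP"))
    return findings


if __name__ == "__main__":
    for name, rtype, reason in audit(SAMPLE_RECORDS, ["192.0.2.10"]):
        print(f"{rtype:4} {name:22} {reason}")
```

A clean result only covers the current zone; historical DNS data still holds earlier addresses, which is why the list ends with rotating the origin IPs.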

### Application layer

Cloudflare Tunnel (HTTP / WebSockets)

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your resources to Cloudflare without a publicly routable IP address, by creating outbound-only connections to Cloudflare’s global network.

* **Security**: Very secure.
* **Availability**: All customers.
* **Challenges**: Requires installing the `cloudflared` daemon on origin server or virtual machine.

HTTP Header Validation

Only allow traffic with specific (and secret) HTTP headers.

* **Security**: Moderately secure.
* **Availability**: All customers.
* **Challenges**:  
   * Requires more configuration effort on the application and server side to accept those headers.  
   * Basic authentication is vulnerable to replay attacks. Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL session.  
   * There might be valid use cases for a mismatch in SNI / Host headers such as through [Origin or Page Rules](https://developers.cloudflare.com/rules/origin-rules/features/), [Load Balancing](https://developers.cloudflare.com/load-balancing/additional-options/override-http-host-headers/), or [Workers](https://developers.cloudflare.com/workers/runtime-apis/request/), which all offer HTTP Host Header overrides.
* **Process**:  
   1. Use [Transform rules](https://developers.cloudflare.com/rules/transform/request-header-modification/) or [Workers](https://developers.cloudflare.com/workers/examples/alter-headers/) to add an HTTP Auth Header.  
   2. Configure your origin server to restrict access based on the [HTTP Auth Header](https://developers.cloudflare.com/workers/examples/auth-with-headers/) (or perform [HTTP Basic Authentication](https://developers.cloudflare.com/workers/examples/basic-auth/)).  
   3. Configure your origin server to restrict access based on the [HTTP Host Header ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Host). Specifically, only allow requests which contain expected HTTP Host Header values, and reject all other requests.
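
Steps 2 and 3 of the process above, sketched as origin-side WSGI middleware. This is an added example, not code from Cloudflare's documentation; the header name `X-Origin-Auth`, the allowed hostnames, and the secret value are hypothetical and stand in for whatever your Transform rule or Worker adds.

```python
import hmac

# Hypothetical names and values for illustration only.
AUTH_HEADER_ENVIRON_KEY = "HTTP_X_ORIGIN_AUTH"  # WSGI form of "X-Origin-Auth"
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


class OriginGate:
    """Reject requests that lack the shared secret or an expected Host."""

    def __init__(self, app, secret, allowed_hosts=ALLOWED_HOSTS):
        if not secret:
            raise ValueError("refusing to start with an empty shared secret")
        self.app = app
        self.secret = secret.encode()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def _secret_ok(self, environ):
        presented = environ.get(AUTH_HEADER_ENVIRON_KEY, "").encode()
        # Constant-time comparison avoids leaking the secret through timing.
        return hmac.compare_digest(presented, self.secret)

    def _host_ok(self, environ):
        host = environ.get("HTTP_HOST", "").lower()
        if host.startswith("["):
            # Bracketed IPv6 literal: never one of the expected hostnames.
            return False
        if ":" in host:
            # Strip an optional port ("example.com:443") before comparing.
            host = host.rsplit(":", 1)[0]
        return host in self.allowed_hosts

    def __call__(self, environ, start_response):
        # Check the secret first so unauthenticated clients learn nothing
        # about which hostnames the origin accepts.
        if not self._secret_ok(environ) or not self._host_ok(environ):
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application behind the gate."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"origin content\n"]


def probe(gate, headers):
    """Send one constructed request through the gate; return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = []
    body = gate(environ, lambda status, hdrs: captured.append(status))
    b"".join(body)
    return captured[0]


if __name__ == "__main__":
    gate = OriginGate(demo_app, "constructed-secret-value")
    good = {"Host": "www.example.com", "X-Origin-Auth": "constructed-secret-value"}
    print("with secret and expected Host:", probe(gate, good))
    print("without secret:", probe(gate, {"Host": "www.example.com"}))
    print("IP in Host header:", probe(gate, dict(good, Host="192.0.2.10")))
```

The header is a bearer secret, so it only protects the origin when the Cloudflare-to-origin connection is encrypted, as the challenges above point out.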

JSON Web Tokens (JWT) Validation

Only allow traffic with the appropriate JWT.

* **Security**: Very secure.
* **Availability**: Some customers.
* **Challenges**:  
   * Requires either installing incremental software or modifying application code.  
   * Lots of manual work.
* **Resources**:  
   * [Validate JWTs for an Access application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/)  
   * [Validate JWTs for an API](https://developers.cloudflare.com/api-shield/security/jwt-validation/)

### Transport Layer

Authenticated Origin Pulls

[Authenticated Origin Pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) helps ensure requests to your origin server come from the Cloudflare network.

* **Security**: Very secure.
* **Availability**: All customers.
* **Challenges**:  
   * Requires [Full](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes.  
   * Requires more configuration effort for the application and server, such as uploading a certificate and configuring the server to use it.  
   * For stricter security, you should upload your own certificate. Although Cloudflare provides you with a certificate for easy configuration, this certificate only guarantees that a request is coming from the Cloudflare network.  
   * Not scalable for large numbers of origin servers.

Cloudflare Tunnel (SSH / RDP)

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) connects your resources to Cloudflare without a publicly routable IP address, by creating outbound-only connections to Cloudflare’s global network.

* **Security**: Very secure.
* **Availability**: All customers.
* **Challenges**: Requires installing the `cloudflared` daemon on origin server or virtual machine.

### Network Layer

Allowlist Cloudflare IP addresses

Explicitly block all traffic that does not come from [Cloudflare IP addresses](https://developers.cloudflare.com/fundamentals/concepts/cloudflare-ip-addresses/) (or the IP addresses of your trusted partners, vendors, or applications).

* **Security**: Moderately secure.
* **Availability**: All customers.
* **Challenges**:  
   * Requires allowlisting Cloudflare IP ranges at your origin server.  
   * Vulnerable to IP spoofing.

Cloudflare Magic Transit

[Cloudflare Magic Transit](https://developers.cloudflare.com/magic-transit/) is a network security and performance solution that offers DDoS protection, traffic acceleration, and more for on-premise, cloud-hosted, and hybrid networks.

* **Security**: Very secure.
* **Availability**: Enterprise-only.
* **Challenges**:  
   * Client's routers must:  
         * Support anycast tunneling.  
         * Allow configuration of at least one tunnel per Internet service provider (ISP).  
         * Support maximum segment size (MSS) clamping.

Cloudflare Network Interconnect

[Cloudflare Network Interconnect](https://developers.cloudflare.com/network-interconnect/) allows you to connect your network infrastructure directly with Cloudflare – rather than using the public Internet – for a more reliable and secure experience.

* **Security**: Very secure.
* **Availability**: Enterprise-only.
* **Challenges**:  
   * Requires some networking knowledge.  
   * Only applies to some customer use cases.

Dedicated CDN Egress IPs

[Smart Shield Advanced](https://developers.cloudflare.com/smart-shield/get-started/#packages-and-availability) provides dedicated egress IPs (from Cloudflare to your origin) for your layer 7 [WAF](https://developers.cloudflare.com/waf/) and CDN services, as well as [Spectrum](https://developers.cloudflare.com/spectrum/). The egress IPs are reserved exclusively for your account so that you can increase your origin security by only allowing a small list of IP addresses through your layer 3 firewall.

* **Security**: Very secure.
* **Availability**: Enterprise-only.
* **Challenges**: Requires network-level firewall policies.

## Monitor origin health

For passive monitoring, [create notifications](https://developers.cloudflare.com/notifications/get-started/#create-a-notification) for **Origin Error Rate Alerts** to receive alerts when your origin returns 5xx codes above a configurable threshold and **Passive Origin Monitoring** to see when Cloudflare is unable to reach your origin for a few minutes.

For more active monitoring, set up [standalone health checks](https://developers.cloudflare.com/health-checks/) for your origin.

Note

If you have multiple servers and want to proactively prevent origin problems, [set up load balancing](https://developers.cloudflare.com/load-balancing/) as an add-on service.

### Zero Downtime Failover

If you have another _A_ or _AAAA_ record in your Cloudflare **DNS** or your Cloudflare **Load Balancer** provides another [endpoint](https://developers.cloudflare.com/load-balancing/understand-basics/load-balancing-components/) in the same pool, **Zero-Downtime Failover** automatically retries requests to your origin even before a Load Balancing decision is made.

Zero-downtime failover will trigger a single retry only if there is another healthy endpoint in the pool and a [521, 522, 523, 525 or 526 error code](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-521/) is occurring. No other error codes will trigger a zero-downtime failover operation.

  
## Reduce origin traffic

### Block traffic

For more details, refer to [Secure your website](https://developers.cloudflare.com/learning-paths/application-security/account-security/).

### Increase caching

The [cache](https://developers.cloudflare.com/cache/) stores data from your application (webpages, etc.) at Cloudflare data centers around the world, which reduces the number of requests sent to your origin server.

### Distribute traffic

To randomly distribute traffic across multiple servers, [set up multiple DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/round-robin-dns/).

For more fine-grained control over traffic distribution — including automatic failover, intelligent routing, and more — set up our [add-on load balancing service](https://developers.cloudflare.com/load-balancing/).

To protect specific endpoints from being overwhelmed by traffic spikes, [set up a waiting room](https://developers.cloudflare.com/waiting-room/).


---

---
title: Recovering from a hacked site
description: If your website has been hacked recently, review the recommended steps below to recover a hacked website and prevent future hacks.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Recovering from a hacked site

If your website has been hacked recently, review the recommended steps below to recover a hacked website and prevent future hacks.

## Recovering from an attack

To recover from an attack, reach out to your hosting provider to request:

* Details about the hack, including how they believe the site was hacked.
* That your hosting provider remove any malicious content placed on your website.

Once the hack has been resolved, you should resolve site warnings in [Google Webmaster Tools ↗](https://www.google.com/webmasters/tools) and resubmit your site for Google's review.

---

## Preventing and mitigating the risks of a future hack

To reduce the risk of a hacked site:

* Activate Cloudflare's [WAF managed rules](https://developers.cloudflare.com/waf/managed-rules/) so they can challenge or block known malicious behavior.
* If you use a Content Management System (CMS), make sure you have the most recent version installed (CMS platforms push out updates to address known vulnerabilities).
* If you use plugins, make sure they are updated.
* If you have an admin login page, protect it with Cloudflare's [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) or a [Cloudflare Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).
* Use a backup service so you can avoid losing valid content.


---

---
title: Secure your website
image: https://developers.cloudflare.com/core-services-preview.png
---


# Secure your website


---

---
title: Under a DDoS attack?
description: Learn a few ways to tell if your application is under a DDoS attack.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Under a DDoS attack?

A distributed denial-of-service (DDoS) attack is an attack in which a large number of computers or devices, usually controlled by a single attacker, attempt to access a website or online service all at once. This flood of traffic can overwhelm the website's origin servers, causing the site to slow down or even crash.

```mermaid
sequenceDiagram;
    participant User;
    participant Website;
    participant Server;
    participant Botnet;
    User->>Website: Requests to access site
    Website->>Origin Server: Processes user requests
    Botnet->>Origin Server: Sends a flood of traffic
    Origin Server-->>Website: Slows down due to traffic overload
    Origin Server-->>User: Unable to respond to user requests
```

  
## Common signs of an attack

Common signs that you are under a DDoS attack include:

* Your site is offline or slow to respond to requests.
* Unexpected spikes appear in the graph of **Requests Through Cloudflare** or **Bandwidth** in your Cloudflare **Analytics** app.
* Strange requests appear in your origin web server logs that do not match normal visitor behavior.

Note

If you are currently under a DDoS attack, refer to [Proactive DDoS defense best practices](https://developers.cloudflare.com/ddos-protection/best-practices/proactive-defense/).

