Cloudflare is rolling out three security improvements aimed at non-human identities: API tokens, agents, and third-party integrations. First, new API token formats carry a 'cf' prefix and a checksum, which lets credential scanners (including GitHub's Secret Scanning program) recognise a leaked token by its shape, reject look-alike strings that fail the checksum, and trigger automatic revocation of real ones. Second, an OAuth Connected Applications dashboard shows users which third-party apps hold access to their accounts and lets them revoke that access. Third, resource-scoped RBAC permissions are now generally available, so least-privilege policies can be scoped to specific resources, such as individual Access Applications or Gateway policies, rather than to the entire account. New roles have also been added at both the account and zone levels.
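The following is an added example, written for this summary and not code from Cloudflare or from the original post, showing why a prefix plus checksum makes tokens scannable: the prefix and fixed lengths give a scanner a tight pattern, and the checksum lets it verify a hit offline before reporting or revoking, so look-alike strings are dropped. The token layout used here ("cf_" separator, a 32-character base62 body, a 6-character base62 CRC32 checksum) and every function name are assumptions for the demo; the page only states that the real tokens carry a 'cf' prefix and a checksum, and does not describe Cloudflare's actual layout or checksum algorithm.

```python
"""Added example: detecting and validating prefixed, checksummed API tokens.

Illustrative code, not Cloudflare's implementation. The token layout below
("cf_" + 32-char base62 body + 6-char base62 CRC32 checksum) is an assumption
made for this demo; Cloudflare's actual separator, lengths and checksum
algorithm are not described on this page.
"""
import re
import zlib

PREFIX = "cf_"            # assumed separator; the page only says tokens carry a 'cf' prefix
BODY_LEN = 32             # assumed body length
CHECKSUM_LEN = 6          # 62**6 > 2**32, so six base62 chars can hold a CRC32
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _checksum(body: str) -> str:
    """CRC32 of the body, base62-encoded and zero-padded (assumed scheme)."""
    n = zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = ALPHABET[r] + digits
    return digits.rjust(CHECKSUM_LEN, "0")


def mint_token(body: str) -> str:
    """Issuer side: append the checksum so scanners can verify a hit offline."""
    if len(body) != BODY_LEN or any(c not in ALPHABET for c in body):
        raise ValueError("body must be 32 base62 characters")
    return PREFIX + body + _checksum(body)


# Scanner side: the fixed prefix and lengths give a tight, low-noise pattern.
TOKEN_RE = re.compile(
    r"\b" + re.escape(PREFIX)
    + r"([0-9A-Za-z]{%d})([0-9A-Za-z]{%d})\b" % (BODY_LEN, CHECKSUM_LEN)
)


def is_valid_token(candidate: str) -> bool:
    """True only if the shape matches AND the embedded checksum verifies."""
    m = TOKEN_RE.fullmatch(candidate)
    return m is not None and _checksum(m.group(1)) == m.group(2)


def scan(text: str) -> list[dict]:
    """Find every prefix match and record whether its checksum verified.

    A shape match that fails the checksum is a false positive (or a corrupted
    copy); only verified hits are worth reporting or auto-revoking.
    """
    hits = []
    for m in TOKEN_RE.finditer(text):
        hits.append({
            "match": m.group(0),
            "line": text.count("\n", 0, m.start()) + 1,
            "verified": _checksum(m.group(1)) == m.group(2),
        })
    return hits


def leaked_tokens(text: str) -> list[str]:
    """Tokens a revocation workflow should act on: verified hits only."""
    return [h["match"] for h in scan(text) if h["verified"]]


# Constructed sample input (not real data): one genuine token, a single-char
# corruption of it, and a string that shares the prefix but not the shape.
VALID = mint_token("7Q2f9XkLm3RtVb8NcP1sW4yZ0hJdE6Gu")
TAMPERED = VALID[:-1] + ("A" if VALID[-1] != "A" else "B")
SAMPLE = (
    "# constructed .env dump for the demo\n"
    f"CLOUDFLARE_API_TOKEN={VALID}\n"
    f"OLD_TOKEN={TAMPERED}\n"
    "NOTE=cf_prefix_alone_is_not_enough\n"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"line {hit['line']}: {hit['match']} verified={hit['verified']}")
    print("revoke:", leaked_tokens(SAMPLE))
```

The point to take from the demo is the split between `scan`, which reports everything that looks like a token, and `leaked_tokens`, which only returns hits whose checksum verifies: an automated revocation hook should consume the latter, otherwise a single-character transcription error or an unrelated `cf_` string would generate noise or a spurious revocation request.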

10 min read. From blog.cloudflare.com
Table of contents:
- Understanding identity: Principals, Credentials, and Policies
- Leaked token detection
- Improving the OAuth consent experience
- Fine-grained resource-level permissioning
- New permission roles
- Secure your accounts
