Skip to Content

How to Get a Cloudflare Access Key

Cloudflare provides a set of security and networking tools that help protect and control access to websites and applications.

One common requirement when working with its API or Zero Trust platform is generating an “access key” (often in the form of an API token or service token depending on the use case).

Below is a clear walkthrough of how to obtain one safely and correctly.

1. Understand What You Actually Need

Cloudflare doesn’t always use a single “access key” in the traditional sense. Instead, you may encounter:

  • API Tokens (recommended for most users)
  • Global API Key (legacy, broader access)
  • Service Tokens (used with Cloudflare Access / Zero Trust)
  • Access credentials for applications

Most modern integrations should use API Tokens, as they are more secure and granular.

2. Log in to Cloudflare

  1. Go to the Cloudflare dashboard
  2. Sign in or create an account
  3. Select your account from the dashboard home page

3. Navigate to API Tokens

Once logged in:

  1. Click your profile icon (top right)
  2. Select “My Profile”
  3. Open the “API Tokens” tab

Here you’ll see existing tokens and the option to create new ones.

4. Create a New Access Key (API Token)

Click “Create Token”, and choose either:

  • Use template (recommended for beginners)
  • Create custom token (for advanced control)

Common templates include:

  • Zone DNS Editor
  • Cloudflare Access: Application Management
  • Read-only access

You define:

  • Permissions (what the token can do)
  • Resources (which domains or accounts it applies to)
  • Expiration date (optional but recommended)

Then click “Continue to summary” and “Create Token”.

5. Copy and Store Your Token Securely

After creation, Cloudflare will show your token once.

It will look something like this (example only):

CF_API_TOKEN_EXAMPLE_1234567890abcdef

⚠️ Important: This is only a placeholder example. Real tokens should never be shared publicly or hardcoded into applications.

Store it securely using a secrets manager or environment variable system.

6. Using the Access Key in Requests

Typically, you include your token in an HTTP header:

Authorization: Bearer CF_API_TOKEN_EXAMPLE_1234567890abcdef

This allows your application to authenticate with Cloudflare’s API securely.

7. Best Practices

  • Use API Tokens instead of Global API Keys
  • Restrict permissions as much as possible
  • Set expiration dates for temporary access
  • Rotate keys regularly
  • Never commit keys to public repositories

These practices are similar to how you would manage credentials in other cloud ecosystems such as AWS, where IAM roles and scoped permissions are used to reduce risk.

Conclusion

Getting a Cloudflare access key is straightforward, but the important part is choosing the right type of credential and securing it properly. API tokens are the modern standard and provide safer, more controlled access to Cloudflare services.

If managed correctly, they integrate smoothly into CI/CD pipelines, backend services, and cloud architectures without compromising security.