20. Cloudflare API Permissions Guide
FlareInspect requires specific Cloudflare API token permissions to assess your account and zones.
20.1. Minimum Permissions
These permissions provide basic coverage:

| Permission | Scope | Access |
|---|---|---|
| Zone | Zone | Read |
| DNS | Zone | Read |
| SSL and Certificates | Zone | Read |
| Firewall Services | Zone | Read |
| Account Settings | Account | Read |

20.2. Recommended Permissions
For broader coverage including Zero Trust, Workers, and audit logs:

| Permission | Scope | Access |
|---|---|---|
| Zone | Zone | Read |
| DNS | Zone | Read |
| SSL and Certificates | Zone | Read |
| Firewall Services | Zone | Read |
| Account Settings | Account | Read |
| Access: Zero Trust | Account | Read |
| Workers Scripts | Account | Read |
| Audit Logs | Account | Read |
| Security Center | Account | Read |
| Logpush | Account | Read |
| API Gateway | Account | Read |

20.3. Creating the Token
1. Log in to Cloudflare Dashboard
2. Go to My Profile → API Tokens
3. Click Create Token
4. Select Custom token
5. Add permissions from the table above
6. Set Zone Resources to All zones (or specific zones)
7. Click Continue to summary → Create Token

20.4. Token Troubleshooting

| Error | Likely Cause |
|---|---|
| | Token missing required product scopes or entitlements |
| | Zone filter excludes all zones or token cannot see them |
| | |
| Fewer zones than expected | Token scoped to a single account or organization |

20.5. Security Best Practices
- Store tokens in environment variables, not in code or config files
- Use the minimum permissions needed for your assessment scope
- Set token expiration dates when possible
- Rotate tokens regularly
- Never share tokens in chat, email, or commit them to git
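
A pre-flight check covering three of the practices above (token read from the environment, an expiration date set, a bounded rotation window), written as an added example and not part of FlareInspect. It calls Cloudflare's token verify endpoint; the variable name `CLOUDFLARE_TOKEN` and the 90-day window are assumptions to adjust to your setup.

```python
import json
import os
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"
TOKEN_ENV = "CLOUDFLARE_TOKEN"     # assumed variable name, not taken from the page
MAX_LIFETIME = timedelta(days=90)  # assumed rotation policy, not a Cloudflare rule


def fetch_verify(token):
    """Call the token verify endpoint and return the decoded JSON body."""
    req = urllib.request.Request(VERIFY_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # a rejected token comes back as a JSON error envelope


def review_token(body, now=None):
    """Return a list of findings for a verify response; an empty list means OK."""
    now = now or datetime.now(timezone.utc)
    if not body.get("success"):
        codes = [str(e.get("code")) for e in body.get("errors", [])]
        return ["verify call failed (error codes: " + ", ".join(codes) + ")"]
    result = body.get("result") or {}
    findings = []
    if result.get("status") != "active":
        findings.append(f"token status is {result.get('status')!r}, not 'active'")
    expires = result.get("expires_on")
    if not expires:
        findings.append("token has no expiration date set")
    else:
        # Timestamps are ISO 8601 with a trailing Z; normalise for older Pythons.
        expires_at = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if expires_at <= now:
            findings.append("token has already expired")
        elif expires_at - now > MAX_LIFETIME:
            findings.append("token outlives the rotation window")
    return findings


if __name__ == "__main__":
    token = os.environ.get(TOKEN_ENV)
    if not token:
        raise SystemExit(f"{TOKEN_ENV} is not set; export it instead of hard-coding it")
    problems = review_token(fetch_verify(token))
    raise SystemExit("\n".join(problems) or 0)  # non-zero exit when findings exist
```

The script exits non-zero when it has findings, so it can gate a scheduled assessment job.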