API keys (legacy)
API Keys are the legacy authorization scheme for talking to Cloudflare’s APIs.
Limitations
When possible, you should use API tokens instead of API Keys.
API Keys have multiple limitations when compared to API Tokens:
Access to all Cloudflare Resources - API Keys have access to all the resources of the user. This makes it impossible to safely use API Keys for access to non-production resources when a user also has access to production resources.
Full permissions - Similar to (1), API Keys have the exact same permissions as the user which means if the user can delete zones, or change DNS records so can the key.
Limited to 1 per user - Only one API Key can be provisioned per user. This complicates using Cloudflare’s API in production systems where maintaining two secrets for accessing the API is important in the case 1 needs to be rolled.
Lack of advanced limits on usage - API Tokens can be limited to use in specific time windows and expire or be limited to use from specific IP ranges.
For these reasons, API Keys are not recommended for new customers. Current customers using API Keys are encouraged to migrate and use API Tokens instead. You can find information about using API Keys in the API schema docs.
View your API key
To retrieve your API key:
Log in to the Cloudflare dashboard.
Go to User Profile > API Tokens.
In the API Keys section, view or change either of your API keys:
- Global API Key: Serves as your main API key.
- Origin CA Key: Only used when creating origin certificates using the API.
Change your API key
If you believe your API key might be compromised, you should change your API key:
- Log in to the Cloudflare dashboard.
- Go to Profile.
- Go to API Tokens.
- In the API Keys section, find your key.
- Click Change.