Cloudflare Docs
Generate new API tokens on the fly via the API. Before you can do this, you must create an API token in the Cloudflare dashboard that can create subsequent tokens.

Before you can create tokens via the API, you need to generate the initial token via the Cloudflare dashboard.

The token secret is only shown once. Do not store the secret in plaintext where others can access it. Anyone with this token can perform the authorized actions against the resources that the token has access to.

Cloudflare highly recommends that you do not grant other permissions to the token when using this template. Make sure you safeguard the new token because it can create tokens with access to any of a user's resources.

Cloudflare also recommends limiting the use of the token via client IP address filtering or TTL to reduce the potential for abuse in the event that the token is compromised. Refer to Restrict token use for more information.

Creating API tokens with the API

You can create a user owned token or an account owned token to use with the API. Refer to the user owned token or the account owned token API schema docs for more information.

To create a token:

  1. Define the policy.
  2. Define the restrictions.
  3. Create the token.

1. Define the Access Policy

An Access Policy defines what resources the token can act on and what permissions the token has to those resources. This process is similar to how you create tokens in the Cloudflare dashboard.

Each token can contain multiple policies.

[
  {
    "id": "f267e341f3dd4697bd3b9f71dd96247f",
    "effect": "allow",
    "resources": {
      "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*",
      "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*"
    },
    "permission_groups": [
      {
        "id": "c8fed203ed3043cba015a93ad1616f1f",
        "name": "Zone Read"
      },
      {
        "id": "82e64a83756745bbbb1c9c2701bf816b",
        "name": "DNS Read"
      }
    ]
  }
]

Field              Description
id                 Unique read-only identifier for the policy, generated after creation.
effect             Defines whether this policy is allowing or denying access. If only creating one policy, use allow. The evaluation order for policies is as follows: 1. Explicit DENY policies; 2. Explicit ALLOW policies; 3. Implicit DENY ALL.
resources          Defines what resources are allowed to be configured.
permission_groups  Defines what permissions the policy grants to the included resources.

Resources

API token policies support three resource types: User, Account, and Zone.

Account

Include a single account or all accounts in a token policy.

  • A single account is denoted as: "com.cloudflare.api.account.<ACCOUNT_ID>": "*"
  • All accounts are denoted as: "com.cloudflare.api.account.*": "*"

Zone

Include a single zone, all zones in an account, or all zones in all accounts in a token policy.

  • A single zone is denoted as: "com.cloudflare.api.account.zone.<ZONE_ID>": "*"
  • All zones in an account are denoted as: "com.cloudflare.api.account.<ACCOUNT_ID>": {"com.cloudflare.api.account.zone.*": "*"}
  • All zones in all accounts are denoted as: "com.cloudflare.api.account.zone.*": "*"

User

For user resources, you can only reference yourself, which is denoted as: "com.cloudflare.api.user.<USER_TAG>": "*"

Permission groups

Determine which permission groups should be applied. Refer to the full list of permission groups in the documentation, or fetch the permission groups via the API. Only the id of the permission group is required in the policy. Permission groups are scoped to specific resources, so a permission group in a policy will only apply to the resource type it is scoped for.

2. Define the restrictions

Set up any limitations on how the token can be used. API tokens allow restrictions for client IP address filtering and TTLs. Refer to Restrict token use for more information.

When defining TTLs, you can set the time at which a token becomes active with not_before and the time when it expires with expires_on. Both of these fields take UTC timestamps in the following format: "2018-07-01T05:20:00Z".

Limit usage of a token by client IP address filters with the following object:

{
  "request.ip": {
    "in": [
      "199.27.128.0/21",
      "2400:cb00::/32"
    ],
    "not_in": [
      "199.27.128.0/21",
      "2400:cb00::/32"
    ]
  }
}

Each entry in the in and not_in arrays must be in CIDR notation. For example, use 192.168.0.1/32 to specify a single IP address.

3. Create the token

Combine the previous information to create a token as in the following example:

Terminal window (account owned token)

curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/tokens" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "readonly token",
    "policies": [
      {
        "effect": "allow",
        "resources": {
          "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*",
          "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*"
        },
        "permission_groups": [
          {
            "id": "c8fed203ed3043cba015a93ad1616f1f",
            "name": "Zone Read"
          },
          {
            "id": "82e64a83756745bbbb1c9c2701bf816b",
            "name": "DNS Read"
          }
        ]
      }
    ],
    "not_before": "2020-04-01T05:20:00Z",
    "expires_on": "2020-04-10T00:00:00Z",
    "condition": {
      "request.ip": {
        "in": [
          "199.27.128.0/21",
          "2400:cb00::/32"
        ],
        "not_in": [
          "199.27.128.1/32"
        ]
      }
    }
  }'

Terminal window (user owned token)

curl "https://api.cloudflare.com/client/v4/user/tokens" \
  --header "Authorization: Bearer <API_TOKEN>" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "readonly token",
    "policies": [
      {
        "effect": "allow",
        "resources": {
          "com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*",
          "com.cloudflare.api.account.zone.22b1de5f1c0e4b3ea97bb1e963b06a43": "*"
        },
        "permission_groups": [
          {
            "id": "c8fed203ed3043cba015a93ad1616f1f",
            "name": "Zone Read"
          },
          {
            "id": "82e64a83756745bbbb1c9c2701bf816b",
            "name": "DNS Read"
          }
        ]
      }
    ],
    "not_before": "2020-04-01T05:20:00Z",
    "expires_on": "2020-04-10T00:00:00Z",
    "condition": {
      "request.ip": {
        "in": [
          "199.27.128.0/21",
          "2400:cb00::/32"
        ],
        "not_in": [
          "199.27.128.1/32"
        ]
      }
    }
  }'
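As an added example (not Cloudflare's code), the following Python helper assembles the request body from the three steps above and checks each piece against the rules on this page before anything is sent: resource key shapes, allow/deny effect, the UTC timestamp format, and CIDR notation for request.ip. The 32-hex character set for account, zone and user IDs is an assumption taken from the example IDs on the page; the sample values in example_request() are the page's own.

```python
import ipaddress
import re
from datetime import datetime

# Resource key shapes from the page; the 32-hex ID charset is an assumption from its examples.
RESOURCE_KEY = re.compile(
    r"^com\.cloudflare\.api\.(account\.zone\.|account\.|user\.)([0-9a-f]{32}|\*)$")

def check_resources(resources):
    # Accepts "...zone.<ID>": "*" and nested "...account.<ID>": {"...zone.*": "*"}.
    for key, scope in resources.items():
        if not RESOURCE_KEY.match(key):
            raise ValueError(f"unknown resource key: {key}")
        if isinstance(scope, dict):
            check_resources(scope)
        elif scope != "*":
            raise ValueError(f"scope for {key} must be '*' or an object")

def check_condition(condition):
    # Every request.ip in/not_in entry must be CIDR; a single host needs /32.
    for bucket in ("in", "not_in"):
        for cidr in condition.get("request.ip", {}).get(bucket, []):
            if "/" not in cidr:
                raise ValueError(f"not CIDR notation: {cidr}")
            ipaddress.ip_network(cidr, strict=True)  # rejects host bits set

def build_token_request(name, policies, not_before=None, expires_on=None, condition=None):
    # Assemble and validate the JSON body for POST .../tokens.
    for policy in policies:
        if policy.get("effect") not in ("allow", "deny"):
            raise ValueError("effect must be 'allow' or 'deny'")
        check_resources(policy["resources"])
        if not all("id" in g for g in policy.get("permission_groups", [])):
            raise ValueError("each permission group needs its id")
    body = {"name": name, "policies": policies}
    for field, ts in (("not_before", not_before), ("expires_on", expires_on)):
        if ts is not None:
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # e.g. "2018-07-01T05:20:00Z"
            body[field] = ts
    if condition is not None:
        check_condition(condition)
        body["condition"] = condition
    return body

def example_request():
    # The page's sample read-only zone token, built from the values it shows.
    policy = {"effect": "allow", "permission_groups": [{"id": "c8fed203ed3043cba015a93ad1616f1f"}],
              "resources": {"com.cloudflare.api.account.zone.eb78d65290b24279ba6f44721b3ea3c4": "*"}}
    cond = {"request.ip": {"in": ["199.27.128.0/21", "2400:cb00::/32"], "not_in": ["199.27.128.1/32"]}}
    return build_token_request("readonly token", [policy], "2020-04-01T05:20:00Z", "2020-04-10T00:00:00Z", cond)
```

The returned dict can be passed to json.dumps() as the --data body of either curl command above; a malformed resource key, a bare IP without a prefix length, or a timestamp in the wrong format is rejected locally instead of by the API.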
