API tokens can be restricted at runtime in two ways:
Client IP address restrictions control which IP addresses can make API requests with this token. By default, if no filtering is applied, all IP addresses can use the token. Once anIs in rule is applied, the token can only be used from the defined IP addresses. Define ranges withCIDR notation ↗. To allow an IP range with exceptions, defineIs not in to exempt specific IPs or smaller ranges.
Client IP address range filtering is not applied to theVerify Token ↗ endpoint.
By default, tokens do not expire and are long lived. Defining a TTL sets when a token starts being valid and when a token is no longer valid. This is often referred to asnotBefore andnotAfter. Setting these timestamps limits the lifetime of the token to the defined period. Not setting the start date ornotBefore means the token is active as soon as it is created. Not setting the end date ornotAfter means the token does not expire.
Dates selected are defined as 00:00 UTC of that day. For finer grained time selection, use theAPI.
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
