Cloudflare tightens dev security

Cloudflare announced new developer-security controls — scannable API tokens, improved OAuth visibility, automated revocation and resource-scoped permissions — designed to enforce least‑privilege access for developer identities. (blog.cloudflare.com) The company says the features help reduce credential leakage and improve visibility when services and agents request delegated access. (blog.cloudflare.com)

A developer login is a digital key, and Cloudflare is changing how those keys are issued, spotted and shut off when they leak. (blog.cloudflare.com)

Cloudflare said on April 14 that newly created application programming interface (API) tokens now use a scannable format with a prefix and a checksum, so secret-scanning tools can recognize them in code repositories and other public places. The company said detected leaks can trigger automatic revocation and an email to the token owner. (blog.cloudflare.com) (developers.cloudflare.com)

The company also added a dashboard view for OAuth grants, the delegated permissions that let one service act for a user without sharing a password. Cloudflare said the page shows which applications have access, what scopes they hold and when they were authorized. (blog.cloudflare.com)

Cloudflare said resource-scoped permissions are now generally available, letting administrators limit a token or role to a narrower set of accounts, zones or products instead of granting account-wide access. Its permissions model already splits access into zone, account and user categories, and the new controls narrow that access further. (blog.cloudflare.com) (developers.cloudflare.com)

These changes target non-human identities: the service accounts, bots and agents that call APIs in the background. Cloudflare said those identities now outnumber human users in many environments and often accumulate broad permissions that are hard to audit. (blog.cloudflare.com)

The underlying problem is simple. Developers automate work by handing software a credential, and that credential often gets copied into scripts, build systems and repositories. Secret-scanning support is meant to catch that exposure early, before a leaked token can be reused. (developers.cloudflare.com 1) (developers.cloudflare.com 2)

Cloudflare has been moving in this direction for several years by steering customers away from broad account credentials and toward smaller, task-specific tokens. In 2022, the company said API tokens should delegate only a subset of a user's permissions instead of full account access. (blog.cloudflare.com) It added account-owned tokens in November 2024, giving organizations credentials tied to the account rather than to an individual employee. The new April 2026 controls build on that shift by adding leak detection, grant visibility and narrower authorization boundaries. (blog.cloudflare.com 1) (blog.cloudflare.com 2)

Cloudflare framed the release around autonomous agents, software systems that request access and perform tasks with limited human oversight. The company said the goal is to make those agents use short-lived, visible and tightly scoped credentials instead of long-lived shared secrets. (blog.cloudflare.com)

The practical effect is less mystery around which machine can touch which Cloudflare resource, and a faster kill switch when a token shows up where it should not. Cloudflare is betting that developer security will look more like inventory control than password management. (blog.cloudflare.com)
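The scannable-token format described above, as an added example that is not Cloudflare's code: the prefix `cfdemo_`, the 30-character random body and the CRC32-based base62 checksum are assumptions for illustration, since the page does not give the real format. The point it shows is that a scanner matching the prefix alone would flag placeholders and mangled copies, while verifying the checksum confirms only tokens that were actually minted, which is what makes an automatic revoke-and-notify action safe to trigger on a match.

```python
"""Added example (not Cloudflare's code): how a prefix plus checksum makes a
token "scannable". The prefix, body length and checksum construction are
hypothetical; Cloudflare's real token format is not described on the page."""
import re
import secrets
import string
import zlib

PREFIX = "cfdemo_"                                # hypothetical prefix
ALPHABET = string.ascii_letters + string.digits   # base62 alphabet
RANDOM_LEN = 30                                   # random body characters
CHECK_LEN = 6                                     # 62**6 > 2**32, so CRC32 fits


def _base62(n: int, width: int) -> str:
    """Encode n as a fixed-width base62 string (most significant digit first)."""
    out = []
    for _ in range(width):
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def _checksum(body: str) -> str:
    return _base62(zlib.crc32(body.encode()) & 0xFFFFFFFF, CHECK_LEN)


def make_token(body: str) -> str:
    """Build a token from a given body (used here to get deterministic samples)."""
    assert len(body) == RANDOM_LEN and all(c in ALPHABET for c in body)
    return f"{PREFIX}{body}{_checksum(body)}"


def mint_token() -> str:
    """Mint a fresh token with a random body, as an issuer would."""
    return make_token("".join(secrets.choice(ALPHABET) for _ in range(RANDOM_LEN)))


def is_valid_token(candidate: str) -> bool:
    """True only if prefix, length and checksum all agree: a minted token."""
    if not candidate.startswith(PREFIX):
        return False
    rest = candidate[len(PREFIX):]
    if len(rest) != RANDOM_LEN + CHECK_LEN:
        return False
    body, check = rest[:RANDOM_LEN], rest[RANDOM_LEN:]
    return _checksum(body) == check


# What a prefix-only scanner would match: prefix followed by the expected length.
TOKEN_RE = re.compile(rf"\b{re.escape(PREFIX)}[A-Za-z0-9]{{{RANDOM_LEN + CHECK_LEN}}}\b")


def scan(text: str) -> tuple[list[str], list[str]]:
    """Split regex hits into checksum-confirmed leaks and rejected look-alikes."""
    confirmed, rejected = [], []
    for m in TOKEN_RE.finditer(text):
        (confirmed if is_valid_token(m.group()) else rejected).append(m.group())
    return confirmed, rejected


# Constructed sample of repository content, not real leaked material.
GOOD_BODY = "0123456789abcdefghijklmnopqrst"
GOOD = make_token(GOOD_BODY)
TAMPERED = GOOD[:-1] + ("a" if GOOD[-1] != "a" else "b")   # one checksum char changed
SAMPLE_REPO_TEXT = (
    "# constructed sample .env file\n"
    f"CF_API_TOKEN={GOOD}\n"                      # real (minted) token: confirm, revoke
    f"OLD_TOKEN={TAMPERED}\n"                     # looks right, checksum fails
    f"PLACEHOLDER={PREFIX}{'x' * (RANDOM_LEN + CHECK_LEN)}\n"  # documentation filler
)

if __name__ == "__main__":
    confirmed, rejected = scan(SAMPLE_REPO_TEXT)
    for tok in confirmed:
        print(f"confirmed leak, revoke and notify owner: {tok}")
    for tok in rejected:
        print(f"prefix match but bad checksum, ignore: {tok}")
```

Running the module reports one confirmed leak (the minted token) and two rejected matches (the edited copy and the placeholder), so only the confirmed hit would feed the revocation step.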

Shared from Scout - Be the smartest in the room.