From 5a10897b8be7cec7f9429d39de56c0b7681c0d95 Mon Sep 17 00:00:00 2001
From: scabell <6132869+SamuelDev@users.noreply.github.com>
Date: Wed, 20 May 2026 14:30:51 -0600
Subject: [PATCH 01/21] [Changelog] Public OAuth Clients
---
 .../2026-05-27-public-oauth-clients.mdx | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
diff --git a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
new file mode 100644
index 00000000000..799fddacf2a
--- /dev/null
+++ b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
@@ -0,0 +1,49 @@
+---
+title: Introducing self-managed OAuth clients
+description: Developers can now create self-managed OAuth clients that integrate with Cloudflare.
+products:
+ - fundamentals
+date: 2026-05-27
+---
+
+import { DashButton } from "~/components";
+
+Developers can now create their own applications and integrate with Cloudflare using OAuth. This offers a more secure, user-manageable integration experience than methods such as API tokens.
+
+OAuth allows third-party applications to access Cloudflare accounts on a user's behalf. For example, Wrangler can deploy Workers after the user provides consent to the application.
+
+## What's new
+
+Cloudflare users can create their own OAuth applications to integrate with Cloudflare.
+
+### Create an application
+
+To create an application, go to **App Registrations** in your account on the Cloudflare dashboard.
+
+
+
+### Select limited scopes
+
+If you have used an API token to call Cloudflare APIs, OAuth client scopes will look familiar. Select only the scopes your application needs during application creation, and include that scope list when sending users to Cloudflare for consent.
+
+Users can review the requested scopes before they consent.
+
+### Apps for both private and public use
+
+Applications start with `private` visibility. Private applications can only be used by members of the account where the application was created.
+
+To make an application available to any Cloudflare user, complete the prerequisites for `public` visibility.
+
+For more information, refer to [application visibility]().
+
+### Client domain verification
+
+Before an application can be made public, you must verify the client domain. Domain verification helps users confirm that the application owner controls the domain shown on the consent page.
+
+After verification, users see a verified badge on the consent page.
+
+For more information, refer to [domain verification]().
+
+## Learn more
+
+For more information, refer to [OAuth clients]().
From 71fb76396578499605d842587b61ca41b41146dc Mon Sep 17 00:00:00 2001
From: scabell <6132869+SamuelDev@users.noreply.github.com>
Date: Wed, 20 May 2026 15:14:44 -0600
Subject: [PATCH 02/21] [Changelog] Add future publish date to oauth clients
---
 .../changelog/fundamentals/2026-05-27-public-oauth-clients.mdx | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
index 799fddacf2a..5f79a35d38d 100644
--- a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
+++ b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
@@ -4,6 +4,7 @@ description: Developers can now create self-managed OAuth clients that integrate
 products:
 - fundamentals
 date: 2026-05-27
+publish_future_dated_entry: true
 ---
 import { DashButton } from "~/components";
From c5117cb798aa8764aae67d7e02c38b202a96b3f3 Mon Sep 17 00:00:00 2001
From: scabell <6132869+SamuelDev@users.noreply.github.com>
Date: Thu, 21 May 2026 12:38:28 -0600
Subject: [PATCH 03/21] [OAuth] Add page for oauth client creation and management
---
 src/content/directory/oauth.yaml | 13 +
 .../docs/fundamentals/new-features/index.mdx | 6 +-
 .../oauth/create-an-oauth-client.mdx | 259 ++++++++++++++++++
 src/content/docs/fundamentals/oauth/index.mdx | 14 +
 .../docs/fundamentals/reference/index.mdx | 4 +-
 .../fundamentals/self-managed-oauth.mdx | 7 +
 6 files changed, 298 insertions(+), 5 deletions(-)
 create mode 100644 src/content/directory/oauth.yaml
 create mode 100644 src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
 create mode 100644 src/content/docs/fundamentals/oauth/index.mdx
 create mode 100644 src/content/partials/fundamentals/self-managed-oauth.mdx
diff --git a/src/content/directory/oauth.yaml b/src/content/directory/oauth.yaml
new file mode 100644
index 00000000000..6a0f9cf5053
--- /dev/null
+++ b/src/content/directory/oauth.yaml
@@ -0,0 +1,13 @@
+id: UtGqsm
+name: OAuth documentation
+
+entry:
+ title: OAuth documentation
+ url: /fundamentals/oauth/
+ group: Core platform
+ additional_groups: [Docs collections]
+
+meta:
+ title: Cloudflare OAuth docs
+ description: Create and integrate with Cloudflare using OAuth
+ author: "@cloudflare"
diff --git a/src/content/docs/fundamentals/new-features/index.mdx b/src/content/docs/fundamentals/new-features/index.mdx
index 8f052702ba7..e9c49e03436 100644
--- a/src/content/docs/fundamentals/new-features/index.mdx
+++ b/src/content/docs/fundamentals/new-features/index.mdx
@@ -3,15 +3,15 @@ pcx_content_type: concept
 title: RSS Feeds
 description: Subscribe to Cloudflare RSS feeds to stay informed about product updates and new features.
 sidebar:
- order: 10
+ order: 11
 group:
 hideIndex: true
 products:
 - fundamentals
 ---
-import { DirectoryListing } from "~/components"
+import { DirectoryListing } from "~/components";
 Cloudflare offers several RSS feeds to help you consume content programmatically.
-
+
diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
new file mode 100644
index 00000000000..f4e7e390d88
--- /dev/null
+++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
@@ -0,0 +1,259 @@
+---
+title: Create an OAuth client
+pcx_content_type: how-to
+description: Cloudflare allows developers to register OAuth applications that access resources via the Cloudflare API on behalf of users. This enables the creation of integrations and tools that function without the need for manual API token sharing.
+products:
+ - fundamentals
+ - oauth
+---
+
+import {
+ DashButton,
+ FeatureTable,
+ APIRequest,
+ GlossaryTooltip,
+ Tabs,
+ TabItem,
+} from "~/components";
+
+## Prerequisites
+
+To create a new application, you must have one of the following roles for the associated account: Super Administrator, Administrator, OAuth App Registrations Write.
+
+
+
+ 1. Log in to the Cloudflare dashboard
+ 2. Select your account
+ 3. Go to **Manage Account** \> **App Registrations**
+ 4. Select **Create Application**
+ 5. Enter the required configuration details:
+ - App name
+ - Response type
+ - Grant type
+ - Token authentication method
+ - Redirect URL(s)
+ 6. Optionally, add non-required fields
+ 7. Select **Continue** and define the specific scopes required for your application
+ 8. Click **“Register application”**
+ 9. Securely save your **Client ID** and **Client Secret** (required for confidential clients).
+
+
+ To get started with creating OAuth clients via the Cloudflare API, make an API token with the “OAuth Clients” write permission.
+
+ ```shell
+ curl -X POST "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${API_TOKEN}" \
+ -d '{"client_name": "Cloudflare OAuth Client", "grant_types": ["authorization_code"], "redirect_uris": ["https://cloudflare.com/oauth/callback"], "scopes": ["workers-platform.read"], "post_logout_redirect_uris": ["https://cloudflare.com/logout"], "response_types": ["code"], "token_endpoint_auth_method": "client_secret_basic", "logo_uri": "https://imagedelivery.net/KDu.../928fc.../public", "policy_uri": "https://cloudflare.com/policy", "tos_uri": "https://cloudflare.com/tos", "client_uri": "https://cloudflare.com", "allowed_cors_origins": ["https://cloudflare.com"]}'
+ ```
+
+ ### Example return value
+
+ ```json
+ {
+ "errors": null,
+ "success": true,
+ "result": {
+ "allowed_cors_origins": ["https://cloudflare.com"],
+ "client_id": "2514b...",
+ "client_name": "Cloudflare OAuth Client",
+ "client_uri": "https://cloudflare.com",
+ "client_uri_verification": {
+ "status": "pending",
+ "text": "cloudflare_oauth_client_publisher=6fc02..."
+ },
+ "created_at": "2026-01-01 12:31:20.005301 +0000 UTC",
+ "grant_types": ["authorization_code"],
+ "has_rotated_secret": false,
+ "logo_uri": "https://cloudflare.com/logo.png",
+ "policy_uri": "https://cloudflare.com/policy",
+ "post_logout_redirect_uris": ["https://cloudflare.com/logout"],
+ "redirect_uris": ["https://cloudflare.com/oauth/callback"],
+ "response_types": ["code"],
+ "scopes": ["user-details.read"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "tos_uri": "https://cloudflare.com/tos",
+ "updated_at": "2026-01-01 12:31:20.005301 +0000 UTC",
+ "visibility": "private",
+ "client_secret": "cfoc_NocEfa346sI..."
+ },
+ "result_info": {},
+ "messages": null
+ }
+ ```
+
+
+
+:::note
+After creating an application, the client secret will be displayed, if needed. Copy it to a safe location now, as you will not be able to view that secret again. If the secret is lost, you may rotate the secret to get a new one.
+:::
+
+## Selecting scopes
+
+OAuth scopes correspond to Cloudflare API token permissions. Refer to the Cloudflare API documentation to identify the exact permissions required for your application's operations.
+
+
+
+ When creating or editing an OAuth client, a full set of scopes will be available to select from. Search for, and select the scopes required for your application.
+
+
+ Scopes can be fetched from the API. The scope label should be used when creating a new application via the API.
+
+ ```shell
+ curl "https://api.cloudflare.com/client/v4/oauth/scopes" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${API_TOKEN}"
+ ```
+
+ #### Example Return Value
+
+ ```json
+ {
+ "results": [
+ ...
+ {
+ "name": "User Details Read",
+ "id": "user-details.read",
+ "category": "account_and_billing",
+ "scopes": []
+ },
+ ...
+ ],
+ "success": true,
+ "errors": [],
+ "messages": []
+ }
+ ```
+
+
+
+## Supported OAuth flows
+
+Cloudflare OAuth applications support the OAuth 2.0 Authorization Code flow.
+
+Cloudflare does not currently support Client Credentials, Implicit, Resource Owner Password Credentials, Device Authorization, or other OAuth grant types for third-party applications.
+
+### Which flow should I choose?
+
+| Application type | Use | Token endpoint authentication | PKCE |
+| -------------------------------------- | --------------------------------------- | --------------------------------------------- | --------------------- |
+| Server-side web app or backend service | Authorization Code with a client secret | `client_secret_basic` or `client_secret_post` | Optional/not required |
+| SPA, mobile app, desktop app, or CLI | Authorization Code with PKCE | `none` | Required, `S256` |
+
+#### Client Secret
+
+The Authorization Code flow is intended for secure server-side applications that can protect a Client Secret from exposure.
+
+- **Best for:** Server-side web applications and backend services.
+- **How it works:** Your application redirects the user to our authorization page. Once authorized, we return an authorization code to your backend. Your backend then exchanges this code and your Client Secret for an Access Token (optionally refresh and ID token).
+- **Security Note:** Never expose your Client Secret in client-side code (like JavaScript in a browser) or embed it in mobile application binaries.
+
+#### PKCE (Proof Key for Code Exchange)
+
+PKCE is an extension of the Authorization Code flow designed for public clients, such as mobile or single-page apps, where a Client Secret cannot be securely stored.
+
+- **Best for:** Single Page Applications (SPAs), mobile applications, desktop apps, and CLI tools.
+- **How it works:** Instead of a static Client Secret, your application generates a unique cryptographic pair (a Code Verifier and a Code Challenge) for every single login request.
+- **Security Note:** Clients which choose PKCE can not see the client secret (as it is not needed).
+
+## Private and Public Applications
+
+New applications default to private visibility, meaning they can only be authorized by members of the parent Cloudflare account. Public applications allow authorization from any Cloudflare user.
+
+Before an application can be made public, the required actions must be completed and fields populated.
+
+### Required fields
+
+- Client name
+ - Logo
+ - Client URL
+ - Scopes
+
+### Required actions
+
+OAuth clients must complete [domain verification](#client-url-domain-ownership-verification) for the client URL before it can be made public.
+
+### How to promote a client to public (make this a swap section between dash/api)
+
+**API**
+
+**Dashboard**
+
+
+
+ Navigate to **Manage Account** \> **OAuth Applications** then open the action menu for your application and select **Change Visibility**.
+
+
+ ```shell
+ curl -X PATCH "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients/${CLIENT_ID}" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${API_TOKEN}" \
+ -d '{ "visibility": "public" }'
+ ```
+
+
+
+:::caution
+Setting a client’s visibility to public is a permanent action. It is not possible to revert the visibility to private.
+:::
+
+## Client URL Domain Ownership Verification
+
+Part of the process Cloudflare enforces to make an application publicly visible is ownership verification of the Client URL domain for the application. If your application is only for private use (members of the account) verifying domain ownership is not required.
+
+:::caution
+Once domain ownership has been verified, it is no longer possible to change the domain of the Client URL. The route of the domain may still be updated.
+:::
+
+Copy the verification code and create a TXT record in your DNS configuration with that value. The record must include all of the text including the cloudflare_oauth_client_publisher= prefix.
+
+Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days.
+
+If the verification process fails due to timeout, you can manually reinitiate the polling by selecting **Restart verification** in the actions menu for that application in the list.
+
+**Note for API users**
+To restart a failed or timed out verification, send an update patch request with the existing `client_uri` unchanged.
+
+## Rotate client secrets
+
+Every client may have two secrets, allowing for graceful secret rotations. Once the old secret has been replaced in your secure location with the new secret, you can delete the old secret.
+
+
+
+ From **Manage Account** \> **OAuth Applications** open the action menu for your application and select **Rotate client secret**. If your client only has a single secret, the button to create a new secret will be available. If the application already has two secrets, there will be a button to delete the old secret, which must be done before another new secret can be created.
+
+
+ To know whether or not a client is in the middle of a secret rotation, look for `"has_rotated_secret”` in the `GET` response. If true, you must delete the old secret before attempting to create a new one.
+
+ ### Create new secret
+
+ ```shell
+ curl -X POST "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients/${CLIENT_ID}/rotate_secret" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${API_TOKEN}"
+ ```
+
+ ### Delete old secret
+
+ ```shell
+ curl -X DELETE "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients/${CLIENT_ID}/rotate_secret" \
+ -H "Content-Type: application/json" \
+ -H "Authorization: Bearer ${API_TOKEN}"
+ ```
+
+
+
+## Manage your application
+
+To manage created applications, open the account the application belongs to, followed by **Manage Account** \> **OAuth Applications.** Open the action menu for your application and select one of the following options:
+
+- Edit application details
+- Copy Client ID
+- Rotate client secret
+ - Save the new secret immediately. Once the new secret is in use, open the **Manage Secrets** setting again and delete the old secret
+ - This is not available for clients with **None** as the token auth method (PKCE clients)
+- Client URL domain verification
+- Change Visibility
+ - See [Private and public applications](#client-url-domain-ownership-verification) for more information
+- Delete application
+ - Type the name of the application to confirm deletion. **Warning:** Deleting an application immediately revokes all existing user authorizations.
diff --git a/src/content/docs/fundamentals/oauth/index.mdx b/src/content/docs/fundamentals/oauth/index.mdx
new file mode 100644
index 00000000000..57325c857bc
--- /dev/null
+++ b/src/content/docs/fundamentals/oauth/index.mdx
@@ -0,0 +1,14 @@
+---
+title: OAuth Applications on Cloudflare
+description: Create and integrate with Cloudflare using OAuth
+pcx_content_type: navigation
+sidebar:
+ order: 9
+products:
+ - fundamentals
+ - oauth
+---
+
+import { Render } from "~/components";
+
+
diff --git a/src/content/docs/fundamentals/reference/index.mdx b/src/content/docs/fundamentals/reference/index.mdx
index edf24d7ad79..80dd568e5f8 100644
--- a/src/content/docs/fundamentals/reference/index.mdx
+++ b/src/content/docs/fundamentals/reference/index.mdx
@@ -3,7 +3,7 @@ pcx_content_type: navigation
 title: Reference
 description: Find Cloudflare reference material including network details, HTTP headers, policies, and troubleshooting resources.
 sidebar:
- order: 9
+ order: 10
 group:
 hideIndex: true
 head:
@@ -13,6 +13,6 @@ products:
 - fundamentals
 ---
-import { DirectoryListing } from "~/components"
+import { DirectoryListing } from "~/components";
diff --git a/src/content/partials/fundamentals/self-managed-oauth.mdx b/src/content/partials/fundamentals/self-managed-oauth.mdx
new file mode 100644
index 00000000000..b2f5aef5c40
--- /dev/null
+++ b/src/content/partials/fundamentals/self-managed-oauth.mdx
@@ -0,0 +1,7 @@
+---
+{}
+---
+
+OAuth allows third-party applications to securely access Cloudflare resources without requiring users to share long-lived API tokens. As an industry-standard protocol for authorization, OAuth 2.0 enables applications to obtain limited access to user accounts on an HTTP service.
+
+https://www.cloudflare.com/learning/access-management/what-is-oauth/
From 26727035e22bcc48bd1bec6969395a11315854c3 Mon Sep 17 00:00:00 2001
From: scabell <6132869+SamuelDev@users.noreply.github.com>
Date: Thu, 21 May 2026 13:24:23 -0600
Subject: [PATCH 04/21] [OAuth] Adding link buttons
---
 src/content/dash-routes/core.json | 5 ++
 .../oauth/create-an-oauth-client.mdx | 63 +++++--------------
 src/content/docs/fundamentals/oauth/index.mdx | 6 +-
 src/content/plans/index.json | 14 +++++
 4 files changed, 39 insertions(+), 49 deletions(-)
diff --git a/src/content/dash-routes/core.json b/src/content/dash-routes/core.json
index a22af19066f..96e581d59f2 100644
--- a/src/content/dash-routes/core.json
+++ b/src/content/dash-routes/core.json
@@ -421,6 +421,11 @@
 "deeplink": "/?to=/:account/api-tokens",
 "parent": ["Manage account"]
 },
+ {
+ "name": "App registrations",
+ "deeplink": "/?to=/:account/app-registrations",
+ "parent": ["Manage account"]
+ },
 {
 "name": "Audit logs",
 "deeplink": "/?to=/:account/audit-log",
diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
index f4e7e390d88..0b760bd9502 100644
--- a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
+++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
@@ -2,19 +2,14 @@
 title: Create an OAuth client
 pcx_content_type: how-to
 description: Cloudflare allows developers to register OAuth applications that access resources via the Cloudflare API on behalf of users. This enables the creation of integrations and tools that function without the need for manual API token sharing.
+sidebar:
+ order: 1
 products:
 - fundamentals
 - oauth
 ---
-import {
- DashButton,
- FeatureTable,
- APIRequest,
- GlossaryTooltip,
- Tabs,
- TabItem,
-} from "~/components";
+import { DashButton, Tabs, TabItem } from "~/components";
 ## Prerequisites
@@ -24,7 +19,7 @@ To create a new application, you must have one of the following roles for the as
 1. Log in to the Cloudflare dashboard
 2. Select your account
- 3. Go to **Manage Account** \> **App Registrations**
+ 3.
 4. Select **Create Application**
 5. Enter the required configuration details:
 - App name
@@ -35,7 +30,7 @@ To create a new application, you must have one of the following roles for the as
 6. Optionally, add non-required fields
 7. Select **Continue** and define the specific scopes required for your application
 8. Click **“Register application”**
- 9. Securely save your **Client ID** and **Client Secret** (required for confidential clients).
+ 9. Securely save your **Client ID** and **Client Secret** (required for confidential clients).
 To get started with creating OAuth clients via the Cloudflare API, make an API token with the “OAuth Clients” write permission.
@@ -46,41 +41,6 @@ To create a new application, you must have one of the following roles for the as
 -H "Authorization: Bearer ${API_TOKEN}" \
 -d '{"client_name": "Cloudflare OAuth Client", "grant_types": ["authorization_code"], "redirect_uris": ["https://cloudflare.com/oauth/callback"], "scopes": ["workers-platform.read"], "post_logout_redirect_uris": ["https://cloudflare.com/logout"], "response_types": ["code"], "token_endpoint_auth_method": "client_secret_basic", "logo_uri": "https://imagedelivery.net/KDu.../928fc.../public", "policy_uri": "https://cloudflare.com/policy", "tos_uri": "https://cloudflare.com/tos", "client_uri": "https://cloudflare.com", "allowed_cors_origins": ["https://cloudflare.com"]}'
 ```
-
- ### Example return value
-
- ```json
- {
- "errors": null,
- "success": true,
- "result": {
- "allowed_cors_origins": ["https://cloudflare.com"],
- "client_id": "2514b...",
- "client_name": "Cloudflare OAuth Client",
- "client_uri": "https://cloudflare.com",
- "client_uri_verification": {
- "status": "pending",
- "text": "cloudflare_oauth_client_publisher=6fc02..."
- },
- "created_at": "2026-01-01 12:31:20.005301 +0000 UTC",
- "grant_types": ["authorization_code"],
- "has_rotated_secret": false,
- "logo_uri": "https://cloudflare.com/logo.png",
- "policy_uri": "https://cloudflare.com/policy",
- "post_logout_redirect_uris": ["https://cloudflare.com/logout"],
- "redirect_uris": ["https://cloudflare.com/oauth/callback"],
- "response_types": ["code"],
- "scopes": ["user-details.read"],
- "token_endpoint_auth_method": "client_secret_basic",
- "tos_uri": "https://cloudflare.com/tos",
- "updated_at": "2026-01-01 12:31:20.005301 +0000 UTC",
- "visibility": "private",
- "client_secret": "cfoc_NocEfa346sI..."
- },
- "result_info": {},
- "messages": null
- }
- ```
@@ -181,7 +141,9 @@ OAuth clients must complete [domain verification](#client-url-domain-ownership-v
- Navigate to **Manage Account** \> **OAuth Applications** then open the action menu for your application and select **Change Visibility**.
+ Navigate to **Manage Account** \> **App Registrations** then open the action menu for your application and select **Change Visibility**.
+
+
 ```shell
@@ -220,7 +182,10 @@ Every client may have two secrets, allowing for graceful secret rotations. Once
- From **Manage Account** \> **OAuth Applications** open the action menu for your application and select **Rotate client secret**. If your client only has a single secret, the button to create a new secret will be available. If the application already has two secrets, there will be a button to delete the old secret, which must be done before another new secret can be created.
+
+
+ From **Manage Account** \> **App Registrations** open the action menu for your application and select **Rotate client secret**. If your client only has a single secret, the button to create a new secret will be available. If the application already has two secrets, there will be a button to delete the old secret, which must be done before another new secret can be created.
+
 To know whether or not a client is in the middle of a secret rotation, look for `"has_rotated_secret”` in the `GET` response. If true, you must delete the old secret before attempting to create a new one.
@@ -245,7 +210,9 @@ Every client may have two secrets, allowing for graceful secret rotations. Once
 ## Manage your application
-To manage created applications, open the account the application belongs to, followed by **Manage Account** \> **OAuth Applications.** Open the action menu for your application and select one of the following options:
+To manage created applications, open the account the application belongs to, followed by **Manage Account** \> **App Registrations.** Open the action menu for your application and select one of the following options:
+
+
 - Edit application details
 - Copy Client ID
diff --git a/src/content/docs/fundamentals/oauth/index.mdx b/src/content/docs/fundamentals/oauth/index.mdx
index 57325c857bc..ebf526b2989 100644
--- a/src/content/docs/fundamentals/oauth/index.mdx
+++ b/src/content/docs/fundamentals/oauth/index.mdx
@@ -9,6 +9,10 @@ products:
 - oauth
 ---
-import { Render } from "~/components";
+import { FeatureTable, Render } from "~/components";
+
+## Availability
+
+
diff --git a/src/content/plans/index.json b/src/content/plans/index.json
index 39621d8cdcd..dcae5fbff76 100644
--- a/src/content/plans/index.json
+++ b/src/content/plans/index.json
@@ -15,6 +15,20 @@
 }
 }
 },
+ "self_managed_oauth": {
+ "title": "Self-managed OAuth Apps",
+ "link": "/fundamentals/oauth/",
+ "properties": {
+ "availability": {
+ "title": "Availability",
+ "summary": "Available on all plans",
+ "free": "Yes",
+ "pro": "Yes",
+ "biz": "Yes",
+ "ent": "Yes"
+ }
+ }
+ },
 "version_management": {
 "title": "Version Management",
 "link": "/version-management/",
From 844b40d7b36eb914da63d2056de210d4a6a9cafe Mon Sep 17 00:00:00 2001
From: scabell <6132869+SamuelDev@users.noreply.github.com>
Date: Thu, 21 May 2026 13:47:27 -0600
Subject: [PATCH 05/21] [OAuth] Add supporting pages
---
 .../oauth/authorizing-an-application.mdx | 44 +++++++++++++++++++
 .../oauth/create-an-oauth-client.mdx | 4 +-
 .../oauth/integrate-with-cloudflare.mdx | 20 +++++++++
 3 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 src/content/docs/fundamentals/oauth/authorizing-an-application.mdx
 create mode 100644 src/content/docs/fundamentals/oauth/integrate-with-cloudflare.mdx
diff --git a/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx
new file mode 100644
index 00000000000..c13794213a4
--- /dev/null
+++ b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx
@@ -0,0 +1,44 @@
+---
+title: Authorizing an Application
+pcx_content_type: reference
+description: Learn more about what it means to authorize a third-party application on Cloudflare
+sidebar:
+ order: 10
+products:
+ - fundamentals
+ - oauth
+---
+
+import { DashButton } from "~/components";
+
+## Overview
+
+When you authorize a third-party OAuth application, you grant it permission to access specific Cloudflare resources on your behalf. Cloudflare provides tools to view, manage, and revoke these authorizations at any time.
+
+## Authorize a third-party application
+
+When a third-party application requests access to your Cloudflare account, you will see a consent screen that displays:
+
+- **Application name and logo**: The name and branding of the requesting application
+- **Publisher domain**: The verified domain of the application publisher
+- **Account selection**: Choose which Cloudflare account(s) the application can access
+- **Requested permissions**: After selecting the account(s) the application may access, the specific scopes the application is requesting will be displayed before consent is complete. To finish the authorization process, review the permissions the application is requesting and click “**Authorize**”
+
+## View and Revoke Authorized Applications
+
+Application authorizations may be viewed and revoked at any time from the profile page on the Cloudflare dashboard.
+
+1. Log in to the Cloudflare dashboard.
+2.
+3. View the list of applications you have authorized.
+ - If you wish to revoke access to an application, click the “Revoke” button for that row
+
+## Account Administrator Controls
+
+If an account is not available for selection during the consent flow, it may be due to an administrator of that account disabling access to account resources via OAuth.
+
+Account administrators can restrict OAuth applications from accessing account resources via **Manage Account** \> **Members \> Settings \> Public OAuth App access**.
+
+:::caution
+This will not prevent existing authorizations account members may already have in place, and will only prevent new authorizations from accessing account resources.
+:::
diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
index 0b760bd9502..98d8122c481 100644
--- a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
+++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx
@@ -1,5 +1,5 @@
 ---
-title: Create an OAuth client
+title: Register your application
 pcx_content_type: how-to
 description: Cloudflare allows developers to register OAuth applications that access resources via the Cloudflare API on behalf of users. This enables the creation of integrations and tools that function without the need for manual API token sharing.
 sidebar:
@@ -183,7 +183,7 @@ Every client may have two secrets, allowing for graceful secret rotations. Once
-
+
 From **Manage Account** \> **App Registrations** open the action menu for your application and select **Rotate client secret**. If your client only has a single secret, the button to create a new secret will be available. If the application already has two secrets, there will be a button to delete the old secret, which must be done before another new secret can be created.
diff --git a/src/content/docs/fundamentals/oauth/integrate-with-cloudflare.mdx b/src/content/docs/fundamentals/oauth/integrate-with-cloudflare.mdx
new file mode 100644
index 00000000000..50b33f56f48
--- /dev/null
+++ b/src/content/docs/fundamentals/oauth/integrate-with-cloudflare.mdx
@@ -0,0 +1,20 @@
+---
+title: Integrate your OAuth client with Cloudflare
+pcx_content_type: how-to
+description: After registering an application, use these endpoints to integrate your OAuth client with Cloudflare.
+sidebar:
+ order: 5
+products:
+ - fundamentals
+ - oauth
+---
+
+After [registering an application](/fundamentals/oauth/create-an-oauth-client/), use these endpoints to integrate your OAuth client with Cloudflare.
+
+- Jwks: `https://dash.cloudflare.com/.well-known/jwks.json`
+- Open ID config: `https://dash.cloudflare.com/.well-known/openid-configuration`
+- Authorization: `https://dash.cloudflare.com/oauth2/auth`
+- Token: `https://dash.cloudflare.com/oauth2/token`
+- Revoke: `https://dash.cloudflare.com/oauth2/revoke`
+- Session logout: `https://dash.cloudflare.com/oauth2/logout`
+- User info: `https://dash.cloudflare.com/oauth2/userinfo`
From 813ff6c6713dafc5a5bab3bced14ee764c7511ee Mon Sep 17 00:00:00 2001
From: scabell <6132869+SamuelDev@users.noreply.github.com>
Date: Fri, 22 May 2026 08:25:59 -0600
Subject: [PATCH 06/21] [OAuth] Populate docs links from changelog
---
 .../fundamentals/2026-05-27-public-oauth-clients.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
index 5f79a35d38d..1a567cb24ab 100644
--- a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
+++ b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx
@@ -35,7 +35,7 @@ Applications start with `private` visibility. Private applications can only be u To make an application available to any Cloudflare user, complete the prerequisites for `public` visibility. -For more information, refer to [application visibility](). +For more information, refer to [application visibility](/fundamentals/oauth/create-an-oauth-client/#private-and-public-applications). ### Client domain verification @@ -43,8 +43,8 @@ Before an application can be made public, you must verify the client domain. Dom After verification, users see a verified badge on the consent page. -For more information, refer to [domain verification](). +For more information, refer to [domain verification](/fundamentals/oauth/create-an-oauth-client/#client-url-domain-ownership-verification). ## Learn more -For more information, refer to [OAuth clients](). +For more information, refer to [OAuth clients](/fundamentals/oauth). From 473b7f241aade5500b4d07616538d5db4de8dbfb Mon Sep 17 00:00:00 2001 From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Fri, 22 May 2026 08:49:12 -0600 Subject: [PATCH 07/21] [OAuth] Add trailing slash in changelog page --- .../changelog/fundamentals/2026-05-27-public-oauth-clients.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx index 1a567cb24ab..0cea546e91d 100644 --- a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx +++ b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx @@ -47,4 +47,4 @@ For more information, refer to [domain verification](/fundamentals/oauth/create- ## Learn more -For more information, refer to [OAuth clients](/fundamentals/oauth). +For more information, refer to [OAuth clients](/fundamentals/oauth/). From a9234b1f324671d6871dc5590925c8d6ccb03a14 Mon Sep 17 00:00:00 2001 
From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Fri, 22 May 2026 09:03:44 -0600 Subject: [PATCH 08/21] [OAuth] Remove extra text from create docs --- src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx index 98d8122c481..89dcc846257 100644 --- a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx +++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx @@ -133,7 +133,7 @@ Before an application can be made public, the required actions must be completed OAuth clients must complete [domain verification](#client-url-domain-ownership-verification) for the client URL before it can be made public. -### How to promote a client to public (make this a swap section between dash/api) +### How to promote a client to public **API** From d5af44ef3afaa1357ad82f20a2173ae3de6fffa8 Mon Sep 17 00:00:00 2001 From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Fri, 22 May 2026 09:42:19 -0600 Subject: [PATCH 09/21] [OAuth] Create doc cleanup --- .../fundamentals/oauth/create-an-oauth-client.mdx | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx index 89dcc846257..818d21759e1 100644 --- a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx +++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx @@ -82,7 +82,7 @@ OAuth scopes correspond to Cloudflare API token permissions. Refer to the Cloudf "success": true, "errors": [], "messages": [] - } + } ``` 
@@ -135,9 +135,9 @@ OAuth clients must complete [domain verification](#client-url-domain-ownership-v ### How to promote a client to public -**API** - -**Dashboard** +:::caution +Setting a client’s visibility to public is a permanent action. It is not possible to revert the visibility to private. +::: @@ -155,10 +155,6 @@ OAuth clients must complete [domain verification](#client-url-domain-ownership-v -:::caution -Setting a client’s visibility to public is a permanent action. It is not possible to revert the visibility to private. -::: - ## Client URL Domain Ownership Verification Part of the process Cloudflare enforces to make an application publicly visible is ownership verification of the Client URL domain for the application. If your application is only for private use (members of the account) verifying domain ownership is not required. @@ -173,7 +169,8 @@ Cloudflare will automatically poll this DNS record until it is found or a timeou If the verification process fails due to timeout, you can manually reinitiate the polling by selecting **Restart verification** in the actions menu for that application in the list. -**Note for API users** +#### Note for API users + To restart a failed or timed out verification, send an update patch request with the existing `client_uri` unchanged. ## Rotate client secrets From a16492459607bc313b1c025dab1e9a65588ee6d1 Mon Sep 17 00:00:00 2001 From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Fri, 22 May 2026 10:08:59 -0600 Subject: [PATCH 10/21] [OAuth] Client create doc revision --- .../oauth/create-an-oauth-client.mdx | 311 +++++++++--------- 1 file changed, 157 insertions(+), 154 deletions(-) diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx index 818d21759e1..23c910e5559 100644 --- a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx +++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx 
@@ -1,7 +1,7 @@ --- title: Register your application pcx_content_type: how-to -description: Cloudflare allows developers to register OAuth applications that access resources via the Cloudflare API on behalf of users. This enables the creation of integrations and tools that function without the need for manual API token sharing. +description: Register an OAuth application that can access Cloudflare API resources on behalf of users. sidebar: order: 1 products: 
@@ -9,215 +9,218 @@ products: - oauth --- -import { DashButton, Tabs, TabItem } from "~/components"; +import { DashButton, Steps, Tabs, TabItem } from "~/components"; ## Prerequisites -To create a new application, you must have one of the following roles for the associated account: Super Administrator, Administrator, OAuth App Registrations Write. +To create an application, you must have one of these roles for the associated account: Super Administrator, Administrator, or OAuth App Registrations Write. - - 1. Log in to the Cloudflare dashboard - 2. Select your account - 3. - 4. Select **Create Application** - 5. Enter the required configuration details: - - App name - - Response type - - Grant type - - Token authentication method - - Redirect URL(s) - 6. Optionally, add non-required fields - 7. Select **Continue** and define the specific scopes required for your application - 8. Click **“Register application”** - 9. Securely save your **Client ID** and **Client Secret** (required for confidential clients). - - - To get started with creating OAuth clients via the Cloudflare API, make an API token with the “OAuth Clients” write permission. - - ```shell - curl -X POST "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients" \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer ${API_TOKEN}" \ - -d '{"client_name": "Cloudflare OAuth Client", "grant_types": ["authorization_code"], "redirect_uris": ["https://cloudflare.com/oauth/callback"], "scopes": ["workers-platform.read"], "post_logout_redirect_uris": ["https://cloudflare.com/logout"], "response_types": ["code"], "token_endpoint_auth_method": "client_secret_basic", "logo_uri": "https://imagedelivery.net/KDu.../928fc.../public", "policy_uri": "https://cloudflare.com/policy", "tos_uri": "https://cloudflare.com/tos", "client_uri": "https://cloudflare.com", "allowed_cors_origins": ["https://cloudflare.com"]}' - ``` - + + + 1. Log in to the Cloudflare dashboard. + 2. Select your account. 
+ 3. Go to **Manage Account** > **App Registrations**. + 4. Select **Create Application**. + 5. Enter the required configuration details: + - App name + - Response type + - Grant type + - Token authentication method + - Redirect URLs + 6. Optional: Add non-required fields. + 7. Select **Continue** and define the scopes required for your application. + 8. Select **Register application**. + 9. Save your **Client ID** and **Client Secret** in a secure location. + + + + + + To create OAuth clients with the Cloudflare API, create an API token with the `OAuth Clients Write` permission. + + ```bash + curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $API_TOKEN" \ + -d '{ + "client_name": "Cloudflare OAuth Client", + "grant_types": ["authorization_code"], + "redirect_uris": ["https://example.com/oauth/callback"], + "scopes": ["workers-platform.read"], + "post_logout_redirect_uris": ["https://example.com/logout"], + "response_types": ["code"], + "token_endpoint_auth_method": "client_secret_basic", + "logo_uri": "https://example.com/logo.png", + "policy_uri": "https://example.com/policy", + "tos_uri": "https://example.com/tos", + "client_uri": "https://example.com", + "allowed_cors_origins": ["https://example.com"] + }' + ``` + :::note -After creating an application, the client secret will be displayed, if needed. Copy it to a safe location now, as you will not be able to view that secret again. If the secret is lost, you may rotate the secret to get a new one. +After you create an application, Cloudflare displays the client secret if the application requires one. Copy it to a secure location. You cannot view the secret again after you leave the page. If you lose the secret, rotate it to get a new one. ::: -## Selecting scopes +## Select scopes -OAuth scopes correspond to Cloudflare API token permissions. 
Refer to the Cloudflare API documentation to identify the exact permissions required for your application's operations. +OAuth scope names correspond to Cloudflare API token permission names. Use the Cloudflare API documentation to identify the permissions your application needs. - - When creating or editing an OAuth client, a full set of scopes will be available to select from. Search for, and select the scopes required for your application. - - - Scopes can be fetched from the API. The scope label should be used when creating a new application via the API. - - ```shell - curl "https://api.cloudflare.com/client/v4/oauth/scopes" \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer ${API_TOKEN}" - ``` - - #### Example Return Value - - ```json - { - "results": [ - ... - { - "name": "User Details Read", - "id": "user-details.read", - "category": "account_and_billing", - "scopes": [] - }, - ... - ], - "success": true, - "errors": [], - "messages": [] - } - ``` - + + When you create or edit an OAuth client, all available scopes are displayed. Search for and select the scopes required for your application. + + + Fetch the available scopes from the API. Use the scope ID when you create an application through the API. + + ```bash + curl "https://api.cloudflare.com/client/v4/oauth/scopes" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $API_TOKEN" + ``` + ## Supported OAuth flows Cloudflare OAuth applications support the OAuth 2.0 Authorization Code flow. -Cloudflare does not currently support Client Credentials, Implicit, Resource Owner Password Credentials, Device Authorization, or other OAuth grant types for third-party applications. +Cloudflare does not support Client Credentials, Implicit, Resource Owner Password Credentials, Device Authorization, or other OAuth grant types for third-party applications. -### Which flow should I choose? 
+### Choose a flow -| Application type | Use | Token endpoint authentication | PKCE | -| -------------------------------------- | --------------------------------------- | --------------------------------------------- | --------------------- | -| Server-side web app or backend service | Authorization Code with a client secret | `client_secret_basic` or `client_secret_post` | Optional/not required | -| SPA, mobile app, desktop app, or CLI | Authorization Code with PKCE | `none` | Required, `S256` | +Use the following guidance to choose an OAuth flow: -#### Client Secret +| Application type | Flow | Token endpoint authentication | PKCE | +| ------------------------------------------------ | --------------------------------------- | --------------------------------------------- | --------------------- | +| Server-side web app or backend service | Authorization Code with a client secret | `client_secret_basic` or `client_secret_post` | Optional/not required | +| Single-page app, mobile app, desktop app, or CLI | Authorization Code with PKCE | `none` | Required, `S256` | -The Authorization Code flow is intended for secure server-side applications that can protect a Client Secret from exposure. +### Client secret -- **Best for:** Server-side web applications and backend services. -- **How it works:** Your application redirects the user to our authorization page. Once authorized, we return an authorization code to your backend. Your backend then exchanges this code and your Client Secret for an Access Token (optionally refresh and ID token). -- **Security Note:** Never expose your Client Secret in client-side code (like JavaScript in a browser) or embed it in mobile application binaries. +The Authorization Code flow is intended for secure server-side applications that can protect a client secret from exposure. -#### PKCE (Proof Key for Code Exchange) +- **Use when:** Your application is a server-side web application or backend service. 
+- **How it works:** Your application redirects the user to the authorization page. After authorization, Cloudflare returns an authorization code to your backend. Your backend exchanges the code and client secret for an access token. +- **Security note:** Never expose your client secret in client-side code or embed it in mobile application binaries. -PKCE is an extension of the Authorization Code flow designed for public clients, such as mobile or single-page apps, where a Client Secret cannot be securely stored. +### PKCE -- **Best for:** Single Page Applications (SPAs), mobile applications, desktop apps, and CLI tools. -- **How it works:** Instead of a static Client Secret, your application generates a unique cryptographic pair (a Code Verifier and a Code Challenge) for every single login request. -- **Security Note:** Clients which choose PKCE can not see the client secret (as it is not needed). +Proof Key for Code Exchange (PKCE) extends the Authorization Code flow for public clients, such as mobile or single-page apps, where a client secret cannot be securely stored. -## Private and Public Applications +- **Use when:** Your application is a single-page application, mobile application, desktop app, or CLI tool. +- **How it works:** Your application generates a unique code verifier and code challenge for every login request instead of using a static client secret. +- **Security note:** Clients that use PKCE do not need a client secret. -New applications default to private visibility, meaning they can only be authorized by members of the parent Cloudflare account. Public applications allow authorization from any Cloudflare user. +## Private and public applications -Before an application can be made public, the required actions must be completed and fields populated. +New applications default to private visibility. Private applications can only be authorized by members of the parent Cloudflare account. 
Public applications allow authorization from any Cloudflare user. + +Before you make an application public, complete the required actions and populate the required fields. ### Required fields - Client name - - Logo - - Client URL - - Scopes +- Logo +- Client URL +- Scopes ### Required actions -OAuth clients must complete [domain verification](#client-url-domain-ownership-verification) for the client URL before it can be made public. +OAuth clients must complete [domain verification](#client-url-domain-ownership-verification) for the client URL before they can be made public. -### How to promote a client to public +### Promote a client to public :::caution -Setting a client’s visibility to public is a permanent action. It is not possible to revert the visibility to private. +Setting a client's visibility to public is permanent. You cannot change the visibility back to private. ::: - - Navigate to **Manage Account** \> **App Registrations** then open the action menu for your application and select **Change Visibility**. - - - - - ```shell - curl -X PATCH "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients/${CLIENT_ID}" \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer ${API_TOKEN}" \ - -d '{ "visibility": "public" }' - ``` - + + + 1. Go to **Manage Account** > **App Registrations**. + 2. Open the action menu for your application. + 3. Select **Change Visibility**. + + + + + + ```bash + curl -X PATCH "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $API_TOKEN" \ + -d '{ "visibility": "public" }' + ``` + -## Client URL Domain Ownership Verification +## Client URL domain ownership verification -Part of the process Cloudflare enforces to make an application publicly visible is ownership verification of the Client URL domain for the application. 
If your application is only for private use (members of the account) verifying domain ownership is not required. +Cloudflare requires client URL domain ownership verification before an application can become public. If your application is only for private use by members of the account, domain ownership verification is not required. :::caution -Once domain ownership has been verified, it is no longer possible to change the domain of the Client URL. The route of the domain may still be updated. +After Cloudflare verifies domain ownership, you cannot change the domain of the client URL. You can still update the route for that domain. ::: -Copy the verification code and create a TXT record in your DNS configuration with that value. The record must include all of the text including the cloudflare_oauth_client_publisher= prefix. - -Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days. +Copy the verification code and create a `TXT` record in your DNS configuration with that value. The record must include all text, including the `cloudflare_oauth_client_publisher=` prefix. -If the verification process fails due to timeout, you can manually reinitiate the polling by selecting **Restart verification** in the actions menu for that application in the list. +Cloudflare polls this DNS record until it is found or until the request times out after two days. -#### Note for API users +### Restart verification -To restart a failed or timed out verification, send an update patch request with the existing `client_uri` unchanged. + + + If the verification process times out, select **Restart verification** in the application action menu. + + + To restart a failed or timed out verification, send a `PATCH` request with the existing `client_uri` unchanged. 
+ + ```bash + curl -X PATCH "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $API_TOKEN" \ + -d '{ "client_uri": "https://example.com" }' + ``` + + ## Rotate client secrets -Every client may have two secrets, allowing for graceful secret rotations. Once the old secret has been replaced in your secure location with the new secret, you can delete the old secret. +Each client can have two secrets. This lets you create a new secret, update your application to use the new secret, and delete the old secret. - - - - From **Manage Account** \> **App Registrations** open the action menu for your application and select **Rotate client secret**. If your client only has a single secret, the button to create a new secret will be available. If the application already has two secrets, there will be a button to delete the old secret, which must be done before another new secret can be created. - - - - To know whether or not a client is in the middle of a secret rotation, look for `"has_rotated_secret”` in the `GET` response. If true, you must delete the old secret before attempting to create a new one. - - ### Create new secret - - ```shell - curl -X POST "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients/${CLIENT_ID}/rotate_secret" \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer ${API_TOKEN}" - ``` - - ### Delete old secret - - ```shell - curl -X DELETE "https://api.cloudflare.com/client/v4/accounts/${ACCOUNT_ID}/oauth_clients/${CLIENT_ID}/rotate_secret" \ - -H "Content-Type: application/json" \ - -H "Authorization: Bearer ${API_TOKEN}" - ``` - + + + 1. Go to **Manage Account** > **App Registrations**. + 2. Open the action menu for your application. + 3. Select **Rotate client secret**. + 4. Save the new secret in a secure location. + 5. After your application uses the new secret, delete the old secret. 
+ + + + + + To check whether a client is in the middle of a secret rotation, look for `has_rotated_secret` in the `GET` response. If the value is `true`, delete the old secret before you create another secret. + + #### Create a new secret + + ```bash + curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID/rotate_secret" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $API_TOKEN" + ``` + + #### Delete the old secret + + ```bash + curl -X DELETE "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID/rotate_secret" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer $API_TOKEN" + ``` + - -## Manage your application - -To manage created applications, open the account the application belongs to, followed by **Manage Account** \> **App Registrations.** Open the action menu for your application and select one of the following options: - - - -- Edit application details -- Copy Client ID -- Rotate client secret - - Save the new secret immediately. Once the new secret is in use, open the **Manage Secrets** setting again and delete the old secret - - This is not available for clients with **None** as the token auth method (PKCE clients) -- Client URL domain verification -- Change Visibility - - See [Private and public applications](#client-url-domain-ownership-verification) for more information -- Delete application - - Type the name of the application to confirm deletion. **Warning:** Deleting an application immediately revokes all existing user authorizations. From f00473553bfb81e8f11dc497c7ac465933cf3f37 Mon Sep 17 00:00:00 2001 
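Review bot: The revision of `create-an-oauth-client.mdx` deletes the `Manage your application` section, and two caveats from it are missing from the new text in this hunk. One is that deleting an application immediately revokes all existing user authorizations. The other is that secret rotation is not available for clients whose token authentication method is **None**. Both affect how an operator plans a change, so unless they now live on a page outside this diff I would keep them: a `:::caution` reading `Deleting a client immediately revokes all existing user authorizations.` and, under **Rotate client secrets**, `Clients that use PKCE with no token endpoint authentication have no secret to rotate.` The new dashboard rotation steps could also say to confirm that token requests succeed with the new secret before the old one is deleted.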
From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Fri, 22 May 2026 15:17:02 -0600 Subject: [PATCH 11/21] [Oauth] Rename app to client --- .../2026-05-27-public-oauth-clients.mdx | 6 +- src/content/dash-routes/core.json | 4 +- .../oauth/authorizing-an-application.mdx | 2 +- .../oauth/create-an-oauth-client.mdx | 74 +++++++++---------- 4 files changed, 43 insertions(+), 43 deletions(-) diff --git a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx index 0cea546e91d..9d953e04112 100644 --- a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx +++ b/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx @@ -19,9 +19,9 @@ Cloudflare users can create their own OAuth applications to integrate with Cloud ### Create an application -To create an application, go to **App Registrations** in your account on the Cloudflare dashboard. +To create an application, go to **Manage account** > **OAuth clients** in your account on the Cloudflare dashboard. - + ### Select limited scopes @@ -35,7 +35,7 @@ Applications start with `private` visibility. Private applications can only be u To make an application available to any Cloudflare user, complete the prerequisites for `public` visibility. -For more information, refer to [application visibility](/fundamentals/oauth/create-an-oauth-client/#private-and-public-applications). +For more information, refer to [client visibility](/fundamentals/oauth/create-an-oauth-client/#private-and-public-clients). ### Client domain verification diff --git a/src/content/dash-routes/core.json b/src/content/dash-routes/core.json index 96e581d59f2..eb6ff9acbf1 100644 --- a/src/content/dash-routes/core.json +++ b/src/content/dash-routes/core.json 
@@ -422,8 +422,8 @@ "parent": ["Manage account"] }, { - "name": "App registrations", - "deeplink": "/?to=/:account/app-registrations", + "name": "OAuth clients", + "deeplink": "/?to=/:account/oauth-clients", "parent": ["Manage account"] }, { diff --git a/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx index c13794213a4..51e2792ce71 100644 --- a/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx +++ b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx @@ -29,7 +29,7 @@ When a third-party application requests access to your Cloudflare account, you w Application authorizations may be viewed and revoked at any time from the profile page on the Cloudflare dashboard. 1. Log in to the Cloudflare dashboard. -2. +2. 3. View the list of applications you have authorized. - If you wish to revoke access to an application, click the “Revoke” button for that row diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx index 23c910e5559..f20df18e236 100644 --- a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx +++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx @@ -1,7 +1,7 @@ --- -title: Register your application +title: Create your OAuth client pcx_content_type: how-to -description: Register an OAuth application that can access Cloudflare API resources on behalf of users. +description: Create an OAuth client that can access Cloudflare API resources on behalf of users. sidebar: order: 1 products: 
@@ -13,28 +13,28 @@ import { DashButton, Steps, Tabs, TabItem } from "~/components"; ## Prerequisites -To create an application, you must have one of these roles for the associated account: Super Administrator, Administrator, or OAuth App Registrations Write. +To create an OAuth client, you must have one of these roles for the associated account: Super Administrator, Administrator, or OAuth client Write. 1. Log in to the Cloudflare dashboard. 2. Select your account. - 3. Go to **Manage Account** > **App Registrations**. - 4. Select **Create Application**. + 3. Go to **Manage Account** > **OAuth clients**. + 4. Select **Create client**. 5. Enter the required configuration details: - - App name + - Client name - Response type - Grant type - Token authentication method - Redirect URLs 6. Optional: Add non-required fields. - 7. Select **Continue** and define the scopes required for your application. - 8. Select **Register application**. + 7. Select **Continue** and define the scopes required for your client. + 8. Select **Create client**. 9. Save your **Client ID** and **Client Secret** in a secure location. - + To create OAuth clients with the Cloudflare API, create an API token with the `OAuth Clients Write` permission. 
@@ -62,19 +62,19 @@ To create an application, you must have one of these roles for the associated ac :::note -After you create an application, Cloudflare displays the client secret if the application requires one. Copy it to a secure location. You cannot view the secret again after you leave the page. If you lose the secret, rotate it to get a new one. +After you create an OAuth client, Cloudflare displays the client secret if the client requires one. Copy it to a secure location. You cannot view the secret again after you leave the page. If you lose the secret, rotate it to get a new one. ::: ## Select scopes -OAuth scope names correspond to Cloudflare API token permission names. Use the Cloudflare API documentation to identify the permissions your application needs. +OAuth scope names correspond to Cloudflare API token permission names. Use the Cloudflare API documentation to identify the permissions your client needs. - When you create or edit an OAuth client, all available scopes are displayed. Search for and select the scopes required for your application. + When you create or edit an OAuth client, all available scopes are displayed. Search for and select the scopes required for your client. - Fetch the available scopes from the API. Use the scope ID when you create an application through the API. + Fetch the available scopes from the API. Use the scope ID when you create a client through the API. ```bash curl "https://api.cloudflare.com/client/v4/oauth/scopes" \ 
@@ -86,40 +86,40 @@ OAuth scope names correspond to Cloudflare API token permission names. Use the C ## Supported OAuth flows -Cloudflare OAuth applications support the OAuth 2.0 Authorization Code flow. +Cloudflare OAuth clients support the OAuth 2.0 Authorization Code flow. -Cloudflare does not support Client Credentials, Implicit, Resource Owner Password Credentials, Device Authorization, or other OAuth grant types for third-party applications. +Cloudflare does not support Client Credentials, Implicit, Resource Owner Password Credentials, Device Authorization, or other OAuth grant types for third-party clients. ### Choose a flow Use the following guidance to choose an OAuth flow: -| Application type | Flow | Token endpoint authentication | PKCE | -| ------------------------------------------------ | --------------------------------------- | --------------------------------------------- | --------------------- | -| Server-side web app or backend service | Authorization Code with a client secret | `client_secret_basic` or `client_secret_post` | Optional/not required | -| Single-page app, mobile app, desktop app, or CLI | Authorization Code with PKCE | `none` | Required, `S256` | +| Client type | Flow | Token endpoint authentication | PKCE | +| ------------------------------------------ | --------------------------------------- | --------------------------------------------- | --------------------- | +| Server-side web app or backend service | Authorization Code with a client secret | `client_secret_basic` or `client_secret_post` | Optional/not required | +| Browser-based, mobile, desktop, or CLI app | Authorization Code with PKCE | `none` | Required, `S256` | ### Client secret The Authorization Code flow is intended for secure server-side applications that can protect a client secret from exposure. -- **Use when:** Your application is a server-side web application or backend service. 
-- **How it works:** Your application redirects the user to the authorization page. After authorization, Cloudflare returns an authorization code to your backend. Your backend exchanges the code and client secret for an access token. -- **Security note:** Never expose your client secret in client-side code or embed it in mobile application binaries. +- **Use when:** Your OAuth client is a server-side web application or backend service. +- **How it works:** Your client redirects the user to the authorization page. After authorization, Cloudflare returns an authorization code to your backend. Your backend exchanges the code and client secret for an access token. +- **Security note:** Never expose your client secret in client-side code or embed it in mobile client binaries. ### PKCE Proof Key for Code Exchange (PKCE) extends the Authorization Code flow for public clients, such as mobile or single-page apps, where a client secret cannot be securely stored. -- **Use when:** Your application is a single-page application, mobile application, desktop app, or CLI tool. +- **Use when:** Your OAuth client is a single-page, mobile, desktop, or CLI application. - **How it works:** Your application generates a unique code verifier and code challenge for every login request instead of using a static client secret. - **Security note:** Clients that use PKCE do not need a client secret. -## Private and public applications +## Private and public clients -New applications default to private visibility. Private applications can only be authorized by members of the parent Cloudflare account. Public applications allow authorization from any Cloudflare user. +New OAuth clients default to private visibility. Private clients can only be authorized by members of the parent Cloudflare account. Public clients allow authorization from any Cloudflare user. -Before you make an application public, complete the required actions and populate the required fields. 
+Before you make a client public, complete the required actions and populate the required fields. ### Required fields @@ -141,12 +141,12 @@ Setting a client's visibility to public is permanent. You cannot change the visi - 1. Go to **Manage Account** > **App Registrations**. - 2. Open the action menu for your application. + 1. Go to **Manage Account** > **OAuth clients**. + 2. Open the action menu for your client. 3. Select **Change Visibility**. - + ```bash @@ -160,7 +160,7 @@ Setting a client's visibility to public is permanent. You cannot change the visi ## Client URL domain ownership verification -Cloudflare requires client URL domain ownership verification before an application can become public. If your application is only for private use by members of the account, domain ownership verification is not required. +Cloudflare requires client URL domain ownership verification before a client can become public. If your client is only for private use by members of the account, domain ownership verification is not required. :::caution After Cloudflare verifies domain ownership, you cannot change the domain of the client URL. You can still update the route for that domain. @@ -174,10 +174,10 @@ Cloudflare polls this DNS record until it is found or until the request times ou - If the verification process times out, select **Restart verification** in the application action menu. + If the verification process times out, select **Restart verification** in the client action menu. - To restart a failed or timed out verification, send a `PATCH` request with the existing `client_uri` unchanged. + To restart a failed or timed out verification, send a `PATCH` request with the existing `client_uri` unchanged. ```bash curl -X PATCH "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/oauth_clients/$CLIENT_ID" \ 
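Review bot: In the rewritten **Choose a flow** table, the row for server-side clients still gives PKCE as `Optional/not required`, which readers will take as advice to leave it off. RFC 9700, the current OAuth security best practice, recommends PKCE for confidential clients as well, because it protects against authorization code injection even when a client secret is used. Since the table already says these clients may use PKCE, I would change that cell to `Recommended`. In the same hunk the rename turned the security note into `mobile client binaries`, where the earlier `mobile application binaries` is clearer, because the secret would be embedded in the shipped app rather than in the OAuth client registration.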
@@ -190,19 +190,19 @@ Cloudflare polls this DNS record until it is found or until the request times ou ## Rotate client secrets -Each client can have two secrets. This lets you create a new secret, update your application to use the new secret, and delete the old secret. +Each client can have two secrets. This lets you create a new secret, update your client to use the new secret, and delete the old secret. - 1. Go to **Manage Account** > **App Registrations**. - 2. Open the action menu for your application. + 1. Go to **Manage Account** > **OAuth clients**. + 2. Open the action menu for your client. 3. Select **Rotate client secret**. 4. Save the new secret in a secure location. - 5. After your application uses the new secret, delete the old secret. + 5. After your client uses the new secret, delete the old secret. - + To check whether a client is in the middle of a secret rotation, look for `has_rotated_secret` in the `GET` response. If the value is `true`, delete the old secret before you create another secret. From 7ca0ab3d7c2651e57d46dabe0768f6704cae5be3 Mon Sep 17 00:00:00 2001 From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Thu, 28 May 2026 11:37:23 -0600 Subject: [PATCH 12/21] Update changelog publish date --- ...ic-oauth-clients.mdx => 2026-06-03-public-oauth-clients.mdx} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename src/content/changelog/fundamentals/{2026-05-27-public-oauth-clients.mdx => 2026-06-03-public-oauth-clients.mdx} (99%) diff --git a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx similarity index 99% rename from src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx rename to src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx index 9d953e04112..f444323506c 100644 --- a/src/content/changelog/fundamentals/2026-05-27-public-oauth-clients.mdx 
+++ b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx @@ -3,7 +3,7 @@ title: Introducing self-managed OAuth clients description: Developers can now create self-managed OAuth clients that integrate with Cloudflare. products: - fundamentals -date: 2026-05-27 +date: 2026-06-03 publish_future_dated_entry: true --- From f4de523308b13e7c106fe1b787de3a3293ceffe6 Mon Sep 17 00:00:00 2001 From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 09:51:07 -0600 Subject: [PATCH 13/21] fix(Oauth): fixing title casing --- .../docs/fundamentals/oauth/authorizing-an-application.mdx | 6 +++--- .../docs/fundamentals/oauth/create-an-oauth-client.mdx | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx index 51e2792ce71..5f656b97914 100644 --- a/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx +++ b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx @@ -1,5 +1,5 @@ --- -title: Authorizing an Application +title: Authorizing an application pcx_content_type: reference description: Learn more about what it means to authorize a third-party application on Cloudflare sidebar: @@ -24,7 +24,7 @@ When a third-party application requests access to your Cloudflare account, you w - **Account selection**: Choose which Cloudflare account(s) the application can access - **Requested permissions**: After selecting the account(s) the application may access, the specific scopes the application is requesting will be displayed before consent is complete. To finish the authorization process, review the permissions the application is requesting and click “**Authorize**” -## View and Revoke Authorized Applications +## View and revoke authorized applications Application authorizations may be viewed and revoked at any time from the profile page on the Cloudflare dashboard. 
@@ -33,7 +33,7 @@ Application authorizations may be viewed and revoked at any time from the profil 3. View the list of applications you have authorized. - If you wish to revoke access to an application, click the “Revoke” button for that row -## Account Administrator Controls +## Account administrator controls If an account is not available for selection during the consent flow, it may be due to an administrator of that account disabling access to account resources via OAuth. diff --git a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx index f20df18e236..c61a249cb90 100644 --- a/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx +++ b/src/content/docs/fundamentals/oauth/create-an-oauth-client.mdx @@ -13,7 +13,7 @@ import { DashButton, Steps, Tabs, TabItem } from "~/components"; ## Prerequisites -To create an OAuth client, you must have one of these roles for the associated account: Super Administrator, Administrator, or OAuth client Write. +To create an OAuth client, you must have one of these roles for the associated account: Super Administrator, Administrator, or OAuth Client Write. From 9a7238b194af9391f967f2e20a89d8a2bd54921a Mon Sep 17 00:00:00 2001 From: Samuel <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 09:57:43 -0600 Subject: [PATCH 14/21] fix(oauth): Apply changelog suggestions Co-authored-by: Adam Bouhmad --- .../changelog/fundamentals/2026-06-03-public-oauth-clients.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx index f444323506c..2fbec68f41b 100644 --- a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx +++ b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx 
@@ -9,7 +9,7 @@ publish_future_dated_entry: true import { DashButton } from "~/components"; -Developers can now create their own applications and integrate with Cloudflare using OAuth. This offers a more secure, user-manageable integration experience than methods such as API tokens. +Today we're launching self-managed OAuth, enabling developers to build third-party applications that integrate with Cloudflare via OAuth. This provides a more secure, user-friendly, and manageable alternative to API tokens. OAuth allows third-party applications to access Cloudflare accounts on a user's behalf. For example, Wrangler can deploy Workers after the user provides consent to the application. From c97d53b312458680ea0f0a3c5ccb9b45e1a8ac21 Mon Sep 17 00:00:00 2001 From: Samuel <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 10:05:26 -0600 Subject: [PATCH 15/21] fix(oauth): Apply changelog suggestions 2 Co-authored-by: Adam Bouhmad --- .../changelog/fundamentals/2026-06-03-public-oauth-clients.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx index 2fbec68f41b..fcf3f6131e7 100644 --- a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx +++ b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx 
@@ -11,7 +11,7 @@ import { DashButton } from "~/components"; Today we're launching self-managed OAuth, enabling developers to build third-party applications that integrate with Cloudflare via OAuth. This provides a more secure, user-friendly, and manageable alternative to API tokens. -OAuth allows third-party applications to access Cloudflare accounts on a user's behalf. For example, Wrangler can deploy Workers after the user provides consent to the application. +OAuth lets third-party applications act on behalf of a user to access their Cloudflare account. For example, after a user grants consent, Wrangler can deploy Workers into that account. ## What's new From 4f6eaa81db840af32569addea992cfb0154353b3 Mon Sep 17 00:00:00 2001 From: Samuel <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 10:05:47 -0600 Subject: [PATCH 16/21] fix(oauth): Apply changelog suggestions 3 Co-authored-by: Adam Bouhmad --- .../changelog/fundamentals/2026-06-03-public-oauth-clients.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx index fcf3f6131e7..5fa0f71b5ff 100644 --- a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx +++ b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx @@ -15,7 +15,7 @@ OAuth lets third-party applications act on behalf of a user to access their Clou ## What's new -Cloudflare users can create their own OAuth applications to integrate with Cloudflare. +Cloudflare Developers can now create and manage their own OAuth applications to integrate with Cloudflare. ### Create an application From 9e11b2ed50fdf2390b2ccdf3521e406b53f019dd Mon Sep 17 00:00:00 2001 
From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 10:06:53 -0600 Subject: [PATCH 17/21] fix(oauth): removing contractions --- .../fundamentals/2026-06-03-public-oauth-clients.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx index 5fa0f71b5ff..3067a68ccd7 100644 --- a/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx +++ b/src/content/changelog/fundamentals/2026-06-03-public-oauth-clients.mdx @@ -9,13 +9,13 @@ publish_future_dated_entry: true import { DashButton } from "~/components"; -Today we're launching self-managed OAuth, enabling developers to build third-party applications that integrate with Cloudflare via OAuth. This provides a more secure, user-friendly, and manageable alternative to API tokens. +Today we are launching self-managed OAuth, enabling developers to build third-party applications that integrate with Cloudflare via OAuth. This provides a more secure, user-friendly, and manageable alternative to API tokens. OAuth lets third-party applications act on behalf of a user to access their Cloudflare account. For example, after a user grants consent, Wrangler can deploy Workers into that account. -## What's new +## What is new -Cloudflare Developers can now create and manage their own OAuth applications to integrate with Cloudflare. +Cloudflare Developers can now create and manage their own OAuth applications to integrate with Cloudflare. ### Create an application From 8912d27b3fa7dae8565f426b1e1c29a39a1dad32 Mon Sep 17 00:00:00 2001 From: "ask-bonk[bot]" Date: Wed, 3 Jun 2026 18:03:54 +0000 Subject: [PATCH 18/21] PR #31213: 4 issues flagged in review. Co-authored-by: irvinebroque --- src/content/directory/cloudflare-one-appliance.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/content/directory/cloudflare-one-appliance.yaml b/src/content/directory/cloudflare-one-appliance.yaml index f26efd8f6dc..67bad726bf6 100644 --- a/src/content/directory/cloudflare-one-appliance.yaml +++ b/src/content/directory/cloudflare-one-appliance.yaml @@ -1,4 +1,4 @@ -id: SmaYeH +id: tsJEfe name: Cloudflare One Appliance entry: From 1a7e02bf1de11bb60e195529d8f8b3d83c099121 Mon Sep 17 00:00:00 2001 From: Samuel <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 12:55:34 -0600 Subject: [PATCH 19/21] Update src/content/docs/fundamentals/oauth/index.mdx Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com> --- src/content/docs/fundamentals/oauth/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/oauth/index.mdx b/src/content/docs/fundamentals/oauth/index.mdx index ebf526b2989..be5ec46925d 100644 --- a/src/content/docs/fundamentals/oauth/index.mdx +++ b/src/content/docs/fundamentals/oauth/index.mdx @@ -13,6 +13,6 @@ import { FeatureTable, Render } from "~/components"; ## Availability - + From 8382126fda7d05ef4f3fcf81b8651749ac4a5bd0 Mon Sep 17 00:00:00 2001 From: Samuel <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 12:55:52 -0600 Subject: [PATCH 20/21] Update src/content/partials/fundamentals/self-managed-oauth.mdx Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com> --- src/content/partials/fundamentals/self-managed-oauth.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/partials/fundamentals/self-managed-oauth.mdx b/src/content/partials/fundamentals/self-managed-oauth.mdx index b2f5aef5c40..5b0aade75ac 100644 --- a/src/content/partials/fundamentals/self-managed-oauth.mdx +++ b/src/content/partials/fundamentals/self-managed-oauth.mdx 
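Review bot: The `id` of this directory entry is replaced (`SmaYeH` becomes `tsJEfe`) with no stated reason, in a bot-authored commit whose subject is only "PR #31213: 4 issues flagged in review" and in a series that otherwise touches OAuth documentation. If `id` serves as a stable key for the entry anywhere outside this hunk (not visible here), rewriting it can silently break those references. Either drop the change from this pull request or say why the identifier is regenerated, for example with a subject such as `Regenerate directory id for cloudflare-one-appliance: <reason>`. The entry continues outside the hunk, so the rest of the file could not be checked.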
@@ -4,4 +4,4 @@ OAuth allows third-party applications to securely access Cloudflare resources without requiring users to share long-lived API tokens. As an industry-standard protocol for authorization, OAuth 2.0 enables applications to obtain limited access to user accounts on an HTTP service. -https://www.cloudflare.com/learning/access-management/what-is-oauth/ +[Learn more about OAuth](https://www.cloudflare.com/learning/access-management/what-is-oauth/) From aa54eb45157f92cc4024106635fd05b96265dcec Mon Sep 17 00:00:00 2001 From: scabell <6132869+SamuelDev@users.noreply.github.com> Date: Wed, 3 Jun 2026 13:01:11 -0600 Subject: [PATCH 21/21] fix(oauth): updating link to profile authorizations --- src/content/dash-routes/core.json | 5 +++++ .../docs/fundamentals/oauth/authorizing-an-application.mdx | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/content/dash-routes/core.json b/src/content/dash-routes/core.json index eb6ff9acbf1..f864ddbd178 100644 --- a/src/content/dash-routes/core.json +++ b/src/content/dash-routes/core.json @@ -426,6 +426,11 @@ "deeplink": "/?to=/:account/oauth-clients", "parent": ["Manage account"] }, + { + "name": "Manage OAuth authorizations", + "deeplink": "/?to=/profile/access-management/authorization", + "parent": ["Manage account"] + }, { "name": "Audit logs", "deeplink": "/?to=/:account/audit-log", diff --git a/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx index 5f656b97914..99382892cc7 100644 --- a/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx +++ b/src/content/docs/fundamentals/oauth/authorizing-an-application.mdx 
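Review bot: The added `Manage OAuth authorizations` route uses a profile-level deeplink, `/?to=/profile/access-management/authorization`, but is filed under `"parent": ["Manage account"]`, the same parent as the account-scoped `/:account/oauth-clients` and `/:account/audit-log` entries around it. If `parent` drives the navigation path shown to readers (an assumption, since the consumer of this file is not visible), the docs would send users to the account menu for a page that authorizing-an-application.mdx describes as being on the profile page. This is the page users need when revoking a third-party application's access, so the path should be accurate; consider `"parent": ["<profile menu label>"]` with the label the dashboard actually shows. The surrounding array starts and ends outside the hunk.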
@@ -29,7 +29,7 @@ When a third-party application requests access to your Cloudflare account, you w Application authorizations may be viewed and revoked at any time from the profile page on the Cloudflare dashboard. 1. Log in to the Cloudflare dashboard. -2. +2. 3. View the list of applications you have authorized. - If you wish to revoke access to an application, click the “Revoke” button for that row