Key Takeaways

- Developers can now create their own OAuth clients instead of relying on pre-approved partner integrations
- The update replaces API tokens with scoped, user-controlled access for third-party applications
- Cloudflare rebuilt its OAuth engine on Hydra 2.X to support the scale of 20% of web traffic

Cloudflare has opened self-managed OAuth to all customers, letting developers create and manage their own OAuth clients for delegated API access. The change, announced June 24, 2026, replaces the previous system where only a handful of manually onboarded partners could offer OAuth integrations. Everyone else had to use API tokens.
API tokens work, but they're clunky for delegated flows. They don't expire predictably, revocation is manual, and there's no standard consent screen telling users exactly what permissions they're granting. OAuth solves all three problems. With self-managed clients, developers building SaaS integrations, internal platforms, or AI agent tools can now offer users a familiar "Authorize this app" flow with scoped permissions and one-click revocation.
Why did Cloudflare restrict OAuth access until now?
Scale. Cloudflare's services handle roughly 20% of global web traffic. Opening OAuth to anyone meant hardening the consent experience, improving abuse detection, and upgrading the underlying OAuth engine to handle millions of authorization flows.
The company spent the past year onboarding early partners while stress-testing the system. Three specific weaknesses needed fixing before a public launch: the permissions model wasn't granular enough, the consent screen didn't clearly show which app was requesting what, and OAuth phishing attacks were too easy to pull off.

Cloudflare addressed each. The updated consent experience now displays the requesting application prominently, lists exact permissions, and shows app ownership to prevent spoofing. Users can revoke access directly from the dashboard.
The Hydra upgrade that made this possible
Under the hood, Cloudflare runs Hydra, an open-source OAuth engine. The deployment predates the company's current scale, and the team knew a major upgrade was unavoidable. They chose to do it in two steps: first upgrade to the latest 1.X release, then move to 2.X.
Even the 1.X migration posed problems. Schema changes required exclusive locks on critical database tables, which would block active users from completing OAuth flows. The SDK also used SELECT * queries that broke when columns moved between tables.
The team rewrote SQL migrations to use CREATE INDEX CONCURRENTLY and built a custom Hydra version that selected explicit columns. For the larger 2.X upgrade, they ruled out in-place migration entirely. The schema changes were too extensive.
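The two migration changes described above, sketched as an added example; this is not Cloudflare's or Hydra's own code. It assumes PostgreSQL (where `CREATE INDEX CONCURRENTLY` exists), and the table, column and index names and the sample value are hypothetical, not Hydra's real schema.

```sql
-- Added example (PostgreSQL). oauth_token, its columns and the index name
-- are hypothetical placeholders, not Hydra's actual schema.

-- Before: a plain CREATE INDEX locks the table against writes for the whole
-- build, so inserts of new token rows wait until the build finishes.
BEGIN;
CREATE INDEX oauth_token_client_idx ON oauth_token (client_id);
COMMIT;

-- After: CONCURRENTLY builds the index while reads and writes continue.
-- It cannot run inside a transaction block, so the migration runner has to
-- send it as a stand-alone statement (no BEGIN/COMMIT around it).
CREATE INDEX CONCURRENTLY oauth_token_client_idx
    ON oauth_token (client_id);

-- A concurrent build that fails part-way leaves an INVALID index behind.
-- Check for one before declaring the migration done.
SELECT c.relname AS invalid_index
FROM pg_index i
JOIN pg_class c ON c.oid = i.indexrelid
WHERE NOT i.indisvalid;

-- If the query above lists the index, drop it and re-run the CREATE:
-- DROP INDEX CONCURRENTLY oauth_token_client_idx;

-- Before: the shape of the result follows the table definition. When a
-- migration moves a column to another table, code that maps the row onto a
-- fixed struct starts failing.
SELECT *
FROM oauth_token
WHERE signature = 'constructed-sample-signature';

-- After: the query names exactly the columns the code reads, so added or
-- reordered columns do not change the result, and a column that has moved
-- fails loudly with an "undefined column" error at the query.
SELECT signature, client_id, subject, granted_scope, expires_at
FROM oauth_token
WHERE signature = 'constructed-sample-signature';
```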
Instead, Cloudflare used a blue-green deployment strategy. The tricky part: the migration took multiple hours, and the system had to keep working throughout. Simply disabling writes would have blocked new authorizations, so they engineered a process that maintained read/write access during the transition.
What developers can build now
Three use cases stand out. First, SaaS integrations. If you're building a service that needs access to a customer's Cloudflare configuration, DNS records, or Workers, you can now request scoped access through a standard OAuth flow. No more asking customers to generate API tokens and paste them into your dashboard.
Second, internal developer platforms. Companies running Cloudflare at scale can build internal tools that request only the permissions they need, with clear audit trails and easy revocation when employees leave.
Third, AI agents. As LLM-based tools increasingly need to call APIs on behalf of users, OAuth provides the consent and scoping model those tools require. An agent can request permission to modify CDN settings without getting access to billing information.
How this compares to competitors
AWS has long supported OAuth and IAM roles for delegated access, though the learning curve is steep. Fastly offers API tokens but not self-managed OAuth clients. Akamai has its own identity solutions but targets enterprise buyers more than developers.
Cloudflare's move reflects its broader strategy: make developer experience a competitive advantage. The same thinking drives Workers, Pages, and D1. Lower the barrier, grow the ecosystem, win through adoption.
Logicity's Take
This is less about OAuth than about Cloudflare's platform ambitions. Opening delegated access means more third-party integrations, which means more reasons to stay on Cloudflare. The technical work was substantial. Rewriting Hydra migrations and running a multi-hour blue-green deployment on infrastructure handling 20% of web traffic is not trivial. For teams building automation with [Zapier](https://logicity.in/r/zapier), [Make](https://logicity.in/r/make), or [n8n](https://logicity.in/r/n8n), self-managed OAuth clients eliminate the clunky API token step. Expect tighter integrations soon.
Frequently Asked Questions
What is Cloudflare self-managed OAuth?
It lets developers create their own OAuth clients to request scoped, revocable access to Cloudflare APIs on behalf of users, replacing the need for manual API tokens.
Who can use Cloudflare's self-managed OAuth?
All Cloudflare customers can now create OAuth clients. Previously, this was limited to manually onboarded partners.
How does Cloudflare OAuth prevent phishing attacks?
The updated consent screen clearly displays which application is requesting access, shows app ownership, and lists exact permissions before users authorize.
What OAuth engine does Cloudflare use?
Cloudflare runs Hydra, an open-source OAuth server. They recently upgraded to version 2.X to support the feature expansion.
Can I revoke OAuth access after granting it?
Yes. Cloudflare added revocation controls to the dashboard so users can see which apps have access and remove permissions with one click.
Source: Hacker News: Best
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.