Cloudflare opens self-managed OAuth to all developers

Huma Shazia · July 5, 2026 at 2:32 AM · 5 min read
Key Takeaways

  • Developers can now create their own OAuth clients instead of relying on pre-approved partner integrations
  • The update replaces API tokens with scoped, user-controlled access for third-party applications
  • Cloudflare rebuilt its OAuth engine on Hydra 2.X to support the scale of 20% of web traffic

Cloudflare has opened self-managed OAuth to all customers, letting developers create and manage their own OAuth clients for delegated API access. The change, announced June 24, 2026, replaces the previous system where only a handful of manually onboarded partners could offer OAuth integrations. Everyone else had to use API tokens.

Disclosure

Some links in this post are affiliate links — Logicity earns a commission if you sign up, at no extra cost to you. We only link products we have used or actively recommend.

API tokens work, but they're clunky for delegated flows. They don't expire predictably, revocation is manual, and there's no standard consent screen telling users exactly what permissions they're granting. OAuth solves all three problems. With self-managed clients, developers building SaaS integrations, internal platforms, or AI agent tools can now offer users a familiar "Authorize this app" flow with scoped permissions and one-click revocation.

Why did Cloudflare restrict OAuth access until now?

Scale. Cloudflare's services handle roughly 20% of global web traffic. Opening OAuth to anyone meant hardening the consent experience, improving abuse detection, and upgrading the underlying OAuth engine to handle millions of authorization flows.

The company spent the past year onboarding early partners while stress-testing the system. Three specific weaknesses needed fixing before a public launch: the permissions model wasn't granular enough, the consent screen didn't clearly show which app was requesting what, and OAuth phishing attacks were too easy to pull off.

Cloudflare addressed each. The updated consent experience now displays the requesting application prominently, lists exact permissions, and shows app ownership to prevent spoofing. Users can revoke access directly from the dashboard.

The Hydra upgrade that made this possible

Under the hood, Cloudflare runs Hydra, an open-source OAuth engine. The deployment predates the company's current scale, and the team knew a major upgrade was unavoidable. They chose to do it in two steps: first upgrade to the latest 1.X release, then move to 2.X.

Even the 1.X migration posed problems. Schema changes required exclusive locks on critical database tables, which would block active users from completing OAuth flows. The SDK also used SELECT * queries that broke when columns moved between tables.

The team rewrote SQL migrations to use CREATE INDEX CONCURRENTLY and built a custom Hydra version that selected explicit columns. For the larger 2.X upgrade, they ruled out in-place migration entirely. The schema changes were too extensive.
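The two fixes described above, sketched as an added example (not Cloudflare's or Hydra's actual migration code). It assumes PostgreSQL, where `CREATE INDEX CONCURRENTLY` is available, and uses a hypothetical table `oauth_flow_example` with constructed column names.

```sql
-- Hypothetical stand-in for a hot OAuth table; not Hydra's real schema.
CREATE TABLE oauth_flow_example (
    id           bigserial   PRIMARY KEY,
    client_id    text        NOT NULL,
    subject      text        NOT NULL,
    requested_at timestamptz NOT NULL DEFAULT now()
);

-- Blocking form (shown commented out): a plain CREATE INDEX holds a
-- SHARE lock on the table, so INSERT/UPDATE/DELETE wait until the
-- build finishes. On a busy table that stalls in-flight OAuth flows.
-- CREATE INDEX oauth_flow_example_client_idx
--     ON oauth_flow_example (client_id);

-- Online form: builds the index without blocking writes.
-- It cannot run inside a transaction block, so the migration runner
-- must execute this statement outside BEGIN/COMMIT.
CREATE INDEX CONCURRENTLY oauth_flow_example_client_idx
    ON oauth_flow_example (client_id);

-- A failed or cancelled concurrent build leaves an INVALID index
-- behind. Verify before treating the migration as done.
SELECT c.relname AS index_name, i.indisvalid
FROM pg_index i
JOIN pg_class c ON c.oid = i.indexrelid
WHERE i.indrelid = 'oauth_flow_example'::regclass;

-- If indisvalid is false, drop the leftover and retry:
-- DROP INDEX CONCURRENTLY oauth_flow_example_client_idx;

-- Fragile read (shown commented out): the result shape changes
-- whenever a migration adds, drops or moves a column, which breaks
-- code that maps rows onto a fixed structure.
-- SELECT * FROM oauth_flow_example WHERE client_id = 'example-client';

-- Explicit column list: the reader asks only for what it knows, so
-- columns added by a later migration do not change the result shape.
SELECT id, client_id, subject, requested_at
FROM oauth_flow_example
WHERE client_id = 'example-client';
```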

Instead, Cloudflare used a blue-green deployment strategy. The tricky part: the migration took multiple hours, and the system had to keep working throughout. Simply disabling writes would have blocked new authorizations, so they engineered a process that maintained read/write access during the transition.

What developers can build now

Three use cases stand out. First, SaaS integrations. If you're building a service that needs access to a customer's Cloudflare configuration, DNS records, or Workers, you can now request scoped access through a standard OAuth flow. No more asking customers to generate API tokens and paste them into your dashboard.

Second, internal developer platforms. Companies running Cloudflare at scale can build internal tools that request only the permissions they need, with clear audit trails and easy revocation when employees leave.

Third, AI agents. As LLM-based tools increasingly need to call APIs on behalf of users, OAuth provides the consent and scoping model those tools require. An agent can request permission to modify CDN settings without getting access to billing information.

How this compares to competitors

AWS has long supported OAuth and IAM roles for delegated access, though the learning curve is steep. Fastly offers API tokens but not self-managed OAuth clients. Akamai has its own identity solutions but targets enterprise buyers more than developers.

Cloudflare's move reflects its broader strategy: make developer experience a competitive advantage. The same thinking drives Workers, Pages, and D1. Lower the barrier, grow the ecosystem, win through adoption.

Logicity's Take

This is less about OAuth than about Cloudflare's platform ambitions. Opening delegated access means more third-party integrations, which means more reasons to stay on Cloudflare. The technical work was substantial. Rewriting Hydra migrations and running a multi-hour blue-green deployment on infrastructure handling 20% of web traffic is not trivial. For teams building automation with [Zapier](https://logicity.in/r/zapier), [Make](https://logicity.in/r/make), or [n8n](https://logicity.in/r/n8n), self-managed OAuth clients eliminate the clunky API token step. Expect tighter integrations soon.

Frequently Asked Questions

What is Cloudflare self-managed OAuth?

It lets developers create their own OAuth clients to request scoped, revocable access to Cloudflare APIs on behalf of users, replacing the need for manual API tokens.

Who can use Cloudflare's self-managed OAuth?

All Cloudflare customers can now create OAuth clients. Previously, this was limited to manually onboarded partners.

How does Cloudflare OAuth prevent phishing attacks?

The updated consent screen clearly displays which application is requesting access, shows app ownership, and lists exact permissions before users authorize.

What OAuth engine does Cloudflare use?

Cloudflare runs Hydra, an open-source OAuth server. They recently upgraded to version 2.X to support the feature expansion.

Can I revoke OAuth access after granting it?

Yes. Cloudflare added revocation controls to the dashboard so users can see which apps have access and remove permissions with one click.

Source: Hacker News: Best

Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
