Docs Collections Release Notes

Cloudflare's network now supports real-time content conversion at the source, for enabled zones using content negotiation headers. When AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for text/markdown in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly.

Here is a curl example with the Accept negotiation header requesting this page from our developer documentation:

curl \
https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/ \
-H "Accept: text/markdown"

The response to this request is now formatted in markdown:

HTTP/2 200
date : Wed, 11 Feb 2026 11:44:48 GMT
content-type : text/markdown; charset=utf-8
content-length : 2899
vary : accept
x-markdown-tokens : 725
content-signal : ai-train=yes, search=yes, ai-input=yes

---
title : Markdown for Agents  Cloudflare Agents docs
---

What is Markdown for Agents

Markdown has quickly become the lingua franca for agents and AI systems as a whole. The format's explicit structure makes it ideal for AI processing, ultimately resulting in better results while minimizing token waste.

...

Refer to our developer documentation and our blog announcement for more details.

In an effort to improve overall user security, users without 2FA will be prompted upon login to enroll in email 2FA. This will improve user security posture while minimizing friction. Users without email 2FA enabled will see a prompt to secure their account with additional factors upon logging in. Enrolling in 2FA remains optional, but strongly encouraged as it is the best way to prevent account takeovers.

We also made changes to existing 2FA screens to improve the user experience. Now we have distinct experiences for each 2FA factor type, reflective of the way that factor works.

For more information

Configure Email Two Factor Authentication

Disclaimer: Please note that v6.0.0-beta.1 is in Beta and we are still testing it for stability.

Full Changelog: v5.2.0...v6.0.0-beta.1

In this release, you'll see a large number of breaking changes. This is primarily due to a change in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries. As the codegen is always evolving and improving, so are our code bases.

Some breaking changes were introduced due to bug fixes, also listed below.

Please ensure you read through the list of changes below before moving to this version - this will help you understand any down or upstream issues it may cause to your environments.

Breaking Changes

• Addressing - Parameter Requirements Changed

  • BGPPrefixCreateParams.cidr: optional
  • PrefixCreateParams.asn: number | null
  • PrefixCreateParams.loa_document_id: required
  • ServiceBindingCreateParams.cidr: optional
  • ServiceBindingCreateParams.service_id: optional

• API Gateway

  • ConfigurationUpdateResponse removed
  • PublicSchema OldPublicSchema
  • SchemaUpload UserSchemaCreateResponse
  • ConfigurationUpdateParams.properties removed; use normalize

• CloudforceOne - Response Type Changes

  • ThreatEventBulkCreateResponse : number ; complex object with counts and errors

• D1 Database - Query Parameters

  • DatabaseQueryParams : simple interface ; union type (D1SingleQuery | MultipleQueries)
  • DatabaseRawParams : same change
  • Supports batch queries via batch array

• DNS Records - Type Renames (21 types)

  • All record type interfaces renamed from *Record to short names:
  • RecordResponse.ARecord -> RecordResponse.A
  • RecordResponse.AAAARecord -> RecordResponse.AAAA
  • RecordResponse.CNAMERecord -> RecordResponse.CNAME
  • RecordResponse.MXRecord -> RecordResponse.MX
  • RecordResponse.NSRecord -> RecordResponse.NS
  • RecordResponse.PTRRecord -> RecordResponse.PTR
  • RecordResponse.TXTRecord -> RecordResponse.TXT
  • RecordResponse.CAARecord -> RecordResponse.CAA
  • RecordResponse.CERTRecord -> RecordResponse.CERT
  • RecordResponse.DNSKEYRecord -> RecordResponse.DNSKEY
  • RecordResponse.DSRecord -> RecordResponse.DS
  • RecordResponse.HTTPSRecord -> RecordResponse.HTTPS
  • RecordResponse.LOCRecord -> RecordResponse.LOC
  • RecordResponse.NAPTRRecord -> RecordResponse.NAPTR
  • RecordResponse.SMIMEARecord -> RecordResponse.SMIMEA
  • RecordResponse.SRVRecord -> RecordResponse.SRV
  • RecordResponse.SSHFPRecord -> RecordResponse.SSHFP
  • RecordResponse.SVCBRecord -> RecordResponse.SVCB
  • RecordResponse.TLSARecord -> RecordResponse.TLSA
  • RecordResponse.URIRecord -> RecordResponse.URI
  • RecordResponse.OpenpgpkeyRecord -> RecordResponse.Openpgpkey

• IAM Resource Groups

  • ResourceGroupCreateResponse.scope : optional single ; required array
  • ResourceGroupCreateResponse.id : optional ; required

• Origin CA Certificates - Parameter Requirements Changed

  • OriginCACertificateCreateParams.csr : optional ; required
  • OriginCACertificateCreateParams.hostnames : optional ; required
  • OriginCACertificateCreateParams.request_type : optional ; required

• Pages

  • Renamed: DeploymentsSinglePage ; DeploymentListResponsesV4PagePaginationArray
  • Domain response fields: many optional ; required

• Pipelines - v0 to v1 Migration

  • Entire v0 API deprecated; use v1 methods (createV1, listV1, etc.)
  • New sub-resources: Sinks, Streams

• R2

  • EventNotificationUpdateParams.rules : optional ; required
  • Super Slurper: bucket, secret now required in source params

• Radar

  • dataSource : string ; typed enum (23 values)
  • eventType : string ; typed enum (6 values)
  • V2 methods require dimension parameter (breaking signature change)

• Resource Sharing

  • Removed: status_message field from all recipient response types

• Schema Validation

  • Consolidated SchemaCreateResponse, SchemaListResponse, SchemaEditResponse, SchemaGetResponse ; PublicSchema
  • Renamed: SchemaListResponsesV4PagePaginationArray ; PublicSchemasV4PagePaginationArray

• Spectrum

  • Renamed union members: AppListResponse.UnionMember0 ; SpectrumConfigAppConfig
  • Renamed union members: AppListResponse.UnionMember1 ; SpectrumConfigPaygoAppConfig

• Workers

  • Removed: WorkersBindingKindTailConsumer type (all occurrences)
  • Renamed: ScriptsSinglePage ; ScriptListResponsesSinglePage
  • Removed: DeploymentsSinglePage

• Zero-Trust DLP

  • datasets.create(), update(), get() return types changed
  • PredefinedGetResponse union members renamed to UnionMember0-5

• Zero-Trust Tunnels

  • Removed: CloudflaredCreateResponse, CloudflaredListResponse, CloudflaredDeleteResponse, CloudflaredEditResponse, CloudflaredGetResponse
  • Removed: CloudflaredListResponsesV4PagePaginationArray

• Features

  • Abuse Reports (client.abuseReports)

    • Reports: create, list, get
    • Mitigations: sub-resource for abuse mitigations

  • AI Search (client.aisearch)

    • Instances: create, update, list, delete, read, stats
    • Items: list, get
    • Jobs: create, list, get, logs
    • Tokens: create, update, list, delete, read

  • Connectivity (client.connectivity)

    • Directory Services: create, update, list, delete, get
    • Supports IPv4, IPv6, dual-stack, and hostname configurations

  • Organizations (client.organizations)

    • Organizations: create, update, list, delete, get
    • OrganizationProfile: update, get
    • Hierarchical organization support with parent/child relationships

  • R2 Data Catalog (client.r2DataCatalog)

    • Catalog: list, enable, disable, get
    • Credentials: create
    • MaintenanceConfigs: update, get
    • Namespaces: list
    • Tables: list, maintenance config management
    • Apache Iceberg integration

  • Realtime Kit (client.realtimeKit)

    • Apps: get, post
    • Meetings: create, get, participant management
    • Livestreams: 10+ methods for streaming
    • Recordings: start, pause, stop, get
    • Sessions: transcripts, summaries, chat
    • Webhooks: full CRUD
    • ActiveSession: polls, kick participants
    • Analytics: organization analytics

  • Token Validation (client.tokenValidation)

    • Configuration: create, list, delete, edit, get
    • Credentials: update
    • Rules: create, list, delete, bulkCreate, bulkEdit, edit, get
    • JWT validation with RS256/384/512, PS256/384/512, ES256, ES384

  • Alerting Silences (client.alerting.silences)

    • create, update, list, delete, get

  • IAM SSO (client.iam.sso)

    • create, update, list, delete, get, beginVerification

  • Pipelines v1 (client.pipelines)

    • Sinks: create, list, delete, get
    • Streams: create, update, list, delete, get

  • Zero-Trust AI Controls / MCP (client.zeroTrust.access.aiControls.mcp)

    • Portals: create, update, list, delete, read
    • Servers: create, update, list, delete, read, sync

  • Accounts

    • managed_by field with parent_org_id, parent_org_name

  • Addressing LOA Documents

    • auto_generated field on LOADocumentCreateResponse

  • Addressing Prefixes

    • delegate_loa_creation, irr_validation_state, ownership_validation_state, ownership_validation_token, rpki_validation_state

  • AI

    • Added toMarkdown.supported() method to get all supported conversion formats

  • AI Gateway

    • zdr field added to all responses and params

  • Alerting

    • New alert type: abuse_report_alert
    • type field added to PolicyFilter

  • Browser Rendering

    • ContentCreateParams: refined to discriminated union (Variant0 | Variant1)
    • Split into URL-based and HTML-based parameter variants for better type safety

  • Client Certificates

    • reactivate parameter in edit

  • CloudforceOne

    • ThreatEventCreateParams.indicatorType: required
    • hasChildren field added to all threat event response types
    • datasetIds query parameter on AttackerListParams, CategoryListParams, TargetIndustryListParams
    • categoryUuid field on TagCreateResponse
    • indicators array for multi-indicator support per event
    • uuid and preserveUuid fields for UUID preservation in bulk create
    • format query parameter ('json' | 'stix2') on ThreatEventListParams
    • createdAt, datasetId fields on ThreatEventEditParams

  • Content Scanning

    • Added create(), update(), get() methods

  • Custom Pages

    • New page types: basic_challenge, under_attack, waf_challenge

  • D1

    • served_by_colo - colo that handled query
    • jurisdiction - 'eu' | 'fedramp'
    • Time Travel (client.d1.database.timeTravel): getBookmark(), restore() - point-in-time recovery

  • Email Security

    • New fields on InvestigateListResponse / InvestigateGetResponse: envelope_from, envelope_to, postfix_id_outbound, replyto
    • New detection classification: 'outbound_ndr'
    • Enhanced Finding interface with attachment, detection, field, portion, reason, score
    • Added cursor query parameter to InvestigateListParams

  • Gateway Lists

    • New list types: CATEGORY, LOCATION, DEVICE

  • Intel

    • New issue type: 'configuration_suggestion'
    • payload field: unknown ; typed Payload interface with detection_method, zone_tag

  • Leaked Credential Checks

    • Added detections.get() method

  • Logpush

    • New datasets: dex_application_tests, dex_device_state_events, ipsec_logs, warp_config_changes, warp_toggle_changes

  • Load Balancers

    • Monitor.port : number ; number | null
    • Pool.load_shedding : LoadShedding ; LoadShedding | null
    • Pool.origin_steering : OriginSteering ; OriginSteering | null

  • Magic Transit

    • license_key field on connectors
    • provision_license parameter for auto-provisioning
    • IPSec: custom_remote_identities with FQDN support
    • Snapshots: Bond interface, probed_mtu field

  • Pages

    • New response types: ProjectCreateResponse, ProjectListResponse, ProjectEditResponse, ProjectGetResponse
    • Deployment methods return specific response types instead of generic Deployment

  • Queues

    • Added subscriptions.get() method
    • Enhanced SubscriptionGetResponse with typed event source interfaces
    • New event source types: Images, KV, R2, Vectorize, Workers AI, Workers Builds, Workflows

  • R2

    • Sippy: new provider s3 (S3-compatible endpoints)
    • Sippy: bucketUrl field for S3-compatible sources
    • Super Slurper: keys field on source response schemas (specify specific keys to migrate)
    • Super Slurper: pathPrefix field on source schemas
    • Super Slurper: region field on S3 source params

  • Radar

    • Added geolocations.list(), geolocations.get() methods
    • Added V2 dimension-based methods (summaryV2, timeseriesGroupsV2) to radar sub-resources

  • Resource Sharing

    • Added terminal boolean field to Resource Error interfaces

  • Rules

    • Added id field to ItemDeleteParams.Item

  • Rulesets

    • New buffering fields on SetConfigRule: request_body_buffering, response_body_buffering

  • Secrets Store

    • New scopes: 'dex', 'access' (in addition to 'workers', 'ai_gateway')

  • SSL Certificate Packs

    • Response types now proper interfaces (was unknown)
    • Fields now required: id, certificates, hosts, status, type

  • Security Center

    • payload field: unknown ; typed Payload interface with detection_method, zone_tag

  • Shared Types

    • Added: CloudflareTunnelsV4PagePaginationArray pagination class

  • Workers

    • Added subdomains.delete() method
    • Worker.references - track external dependencies (domains, Durable Objects, queues)
    • Worker.startup_time_ms - startup timing
    • Script.observability - observability settings with logging
    • Script.tag, Script.tags - immutable ID and tags
    • Placement: support for region, hostname, host-based placement
    • tags, tail_consumers now accept | null
    • Telemetry: traces field, $containers event info, durableObjectId, transactionName, abr_level fields

  • Workers for Platforms

    • ScriptUpdateResponse: new fields entry_point, observability, tag, tags
    • placement field now union of 4 variants (smart mode, region, hostname, host)
    • tags, tail_consumers now nullable
    • TagUpdateParams.body now accepts null

  • Workflows

    • instance_retention : unknown ; typed InstanceRetention interface with error_retention, success_retention
    • New status option: 'restart' added to StatusEditParams.status

  • Zero-Trust Devices

    • External emergency disconnect settings (4 new fields)
    • antivirus device posture check type
    • os_version_extra documentation improvements

  • Zones

    • New response types: SubscriptionCreateResponse, SubscriptionUpdateResponse, SubscriptionGetResponse

  • Zero-Trust Access Applications

    • New ApplicationType values: 'mcp', 'mcp_portal', 'proxy_endpoint'
    • New destination type: ViaMcpServerPortalDestination for MCP server access

  • Zero-Trust Gateway

    • Added rules.listTenant() method

  • Zero-Trust Gateway - Proxy Endpoints

    • ProxyEndpoint : interface ; discriminated union (ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity)
    • ProxyEndpointCreateParams : interface ; union type
    • Added kind field: 'ip' | 'identity'

  • Zero-Trust Tunnels

    • WARPConnector*Response : union type ; interface

Cloudflare now provides more accurate visibility into HTTP/3 client request cancellations, giving you better insight into real client behavior and reducing unnecessary load on your origins.

Previously, when an HTTP/3 client cancelled a request, the cancellation was not always actioned immediately. This meant requests could continue through the CDN 12 potentially all the way to your origin 12 even after the client had abandoned them. In these cases, logs would show the upstream response status (such as 200 or a timeout-related code) rather than reflecting the client cancellation.

Now, Cloudflare terminates cancelled HTTP/3 requests immediately and accurately logs them with a 499 status code.

Better observability for client behavior

When HTTP/3 clients cancel requests, Cloudflare now immediately reflects this in your logs with a 499 status code. This gives you:

• More accurate traffic analysis: Understand exactly when and how often clients cancel requests.
• Clearer debugging: Distinguish between true errors and intentional client cancellations.
• Better availability metrics: Separate client-initiated cancellations from server-side issues.

Reduced origin load

Cloudflare now terminates cancelled requests faster, which means:

• Less wasted compute: Your origin no longer processes requests that clients have already abandoned.
• Lower bandwidth usage: Responses are no longer generated and transmitted for cancelled requests.
• Improved efficiency: Resources are freed up to handle active requests.

What to expect in your logs

You may notice an increase in 499 status codes for HTTP/3 traffic. For HTTP/3, a 499 indicates the client cancelled the request stream before receiving a complete response; the underlying connection may remain open. This is a normal part of web traffic.

Tip: If you use 499 codes in availability calculations, consider whether client-initiated cancellations should be excluded from error rates. These typically represent normal user behavior, such as closing a browser, navigating away from a page, mobile network drops, or cancelling a download rather than service issues.

For more information, refer to Error 499.

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.15 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Features

• ai_search: Add AI Search endpoints (6f02adb)
• certificate_pack: Ensure proper Terraform resource ID handling for path parameters in API calls (081f32a)
• worker_version: Support startup_time_ms (286ab55)
• zero_trust_dlp_custom_entry: Support upload_status (7dc0fe3)
• zero_trust_dlp_entry: Support upload_status (7dc0fe3)
• zero_trust_dlp_integration_entry: Support upload_status (7dc0fe3)
• zero_trust_dlp_predefined_entry: Support upload_status (7dc0fe3)
• zero_trust_gateway_policy: Support forensic_copy (5741fd0)
• zero_trust_list: Support additional types (category, location, device) (5741fd0)

Bug fixes

• access_rules: Add validation to prevent state drift. Ideally, we'd use Semantic Equality but since that isn't an option, this will remove a foot-gun. (4457791)
• cloudflare_pages_project: Addressing drift issues (6edffcf) (3db318e)
• cloudflare_worker: Can be cleanly imported (4859b52)
• cloudflare_worker: Ensure clean imports (5b525bc)
• list_items: Add validation for IP List items to avoid inconsistent state (b6733dc)
• zero_trust_access_application: Remove all conditions from sweeper (3197f1a)
• spectrum_application: Map missing fields during spectrum resource import (#6495) (ddb4e72)

Upgrade to newer version

We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more information

• Terraform Provider
• Documentation on using Terraform with Cloudflare

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.14 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Deprecation notice

Resource affected

api_shield_discovery_operation

Cloudflare continuously discovers and updates API endpoints and web assets of your web applications. To improve the maintainability of these dynamic resources, we are working on reducing the need to actively engage with discovered operations.

The corresponding public API endpoint of discovered operations is not affected and will continue to be supported.

Features

• pages_project: Add v4 -> v5 migration tests (#6506)

Bug fixes

• account_members: Makes member policies a set (#6488)
• pages_project: Ensures non empty refresh plans (#6515)
• R2: Improves sweeper (#6512)
• workers_kv: Ignores value import state for verify (#6521)
• workers_script: No longer treats the migrations attribute as WriteOnly (#6489)
• workers_script: Resolves resource drift when worker has unmanaged secret (#6504)
• zero_trust_device_posture_rule: Preserves input.version and other fields (#6500) and (#6503)
• zero_trust_dlp_custom_profile: Adds sweepers for dlp_custom_profile
• zone_subscription|account_subscription: Adds partners_ent as valid enum for rate_plan.id (#6505)
• zone: Ensures datasource model schema parity (#6487)
• subscription: Updates import signature to accept account_id/subscription_id to import account subscription (#6510)

Upgrade to newer version

We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more information

• Terraform Provider
• Documentation on using Terraform with Cloudflare

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.13 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes new features, new resources and data sources, bug fixes, updates to our Developer Documentation, and more.

Breaking Change

Please be aware that there are breaking changes for the cloudflare_api_token and cloudflare_account_token resources. These changes eliminate configuration drift caused by policy ordering differences in the Cloudflare API.

For more specific information about the changes or the actions required, please see the detailed Repository changelog.

Features

• New resources and data sources added
  • cloudflare_connectivity_directory
  • cloudflare_sso_connector
  • cloudflare_universal_ssl_setting
• api_token+account_tokens: state upgrader and schema bump (#6472)
• docs: make docs explicit when a resource does not have import support
• magic_transit_connector: support self-serve license key (#6398)
• worker_version: add content_base64 support
• worker_version: boolean support for run_worker_first (#6407)
• workers_script_subdomains: add import support (#6375)
• zero_trust_access_application: add proxy_endpoint for ZT Access Application (#6453)
• zero_trust_dlp_predefined_profile: Switch DLP Predefined Profile endpoints, introduce enabled_entries attribut

Bug Fixes

• account_token: token policy order and nested resources (#6440)
• allow r2_bucket_event_notification to be applied twice without failing (#6419)
• cloudflare_worker+cloudflare_worker_version: import for the resources (#6357)
• dns_record: inconsistent apply error (#6452)
• pages_domain: resource tests (#6338)
• pages_project: unintended resource state drift (#6377)
• queue_consumer: id population (#6181)
• workers_kv: multipart request (#6367)
• workers_kv: updating workers metadata attribute to be read from endpoint (#6386)
• workers_script_subdomain: add note to cloudflare_workers_script_subdomain about redundancy with cloudflare_worker (#6383)
• workers_script: allow config.run_worker_first to accept list input
• zero_trust_device_custom_profile_local_domain_fallback: drift issues (#6365)
• zero_trust_device_custom_profile: resolve drift issues (#6364)
• zero_trust_dex_test: correct configurability for 'targeted' attribute to fix drift
• zero_trust_tunnel_cloudflared_config: remove warp_routing from cloudflared_config (#6471)

Upgrading

We suggest holding off on migration to v5 while we work on stabilization. This help will you avoid any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more info

• Terraform Provider
• Documentation on using Terraform with Cloudflare

Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover.

Cloudflare has offered phishing resistant 2FA options including hardware based keys (for example, a Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support.

Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already.

You can now enable email 2FA on the Cloudflare dashboard:

• Go to Profile at the top right corner.
• Select Authentication.
• Under Two-Factor Authentication, select Set up.

Sign-in security best practices

Cloudflare is critical infrastructure, and you should protect it as such. Review the following best practices and make sure you are doing your part to secure your account:

• Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
• Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked.
• Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
• If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
• If you use a custom email domain to sign in, configure SSO.
• If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
• If you manage a Cloudflare account for work:
  • Have at least two administrators in case one of them unexpectedly leaves your company.
  • Use SCIM to automate permissions management for members in your Cloudflare account.