Docs Collections Updates & Release Notes

You can now scope Cloudflare permissions to individual Cloudflare Tunnel instances and Cloudflare Mesh nodes. Administrators can delegate access to specific Tunnels or Mesh nodes without granting account-wide control over private networking.

What is new

When you add a member or create a permission policy, the resource picker now lists Cloudflare Tunnel instances and Cloudflare Mesh nodes as scopable resource types. You can:

• Grant a read-only role on a single Cloudflare Tunnel instance to a support operator for log streaming and diagnostics — without exposing other Tunnels or destructive actions.
• Grant a write role on a specific Cloudflare Mesh node to an application team — without giving them access to the rest of your private network.
• Scope a single policy to one or many Tunnels and Mesh nodes at once.

How it works

Granular permissions are a parallel layer to existing account-level roles — they do not replace them.

• Existing account-level roles continue to work. A member with Cloudflare Access or Cloudflare Zero Trust retains write access to every Tunnel and Mesh node in the account. This ensures backward compatibility for existing automation and tokens.
• Granular permissions are additive. For any API request on a specific Tunnel or Mesh node, access is granted if the principal has either the account-level role or a granular permission for that resource.
• Resource enumeration is authorization-aware. Listing endpoints (GET /accounts/{id}/cfd_tunnel, GET /accounts/{id}/warp_connector) return only the resources the principal has at least read access to.

Get started

• Configure granular permissions for Cloudflare Tunnel.
• Configure granular permissions for Cloudflare Tunnel and Cloudflare Mesh in Cloudflare One.
• Review the resource-scoped roles on the Cloudflare role reference.

You can now navigate, switch context, and take common actions in the Cloudflare dashboard without leaving your keyboard. Press ? anywhere to see the full list. Keyboard shortcuts can be disabled by visiting your profile settings ↗ profile settings ↗.

Navigate

Shortcut - Action

g h - Go to Home
g a - Go to account overview
g z - Go to zone overview
g p - Go to your profile
g w - Go to Workers & Pages
g o - Go to Zero Trust
g b - Go to billing
g 1 – g 5 - Go to a recent or pinned item (by position in sidebar)
t → - Move to the next tab
t ← - Move to the previous tab
p → - Move to the next page of a table
p ← - Move to the previous page of a table

Take action

Shortcut - Action

/ - Open quick search
? - Show keyboard shortcuts
s a - Switch account
s z - Switch zone
s . - Star or unstar the current zone
p . - Pin or unpin the current page
t s - Toggle the sidebar open or closed
t m - Expand or collapse all sidebar menus
t a - Toggle Ask AI sidebar
d . - Toggle dark mode
c u - Copy the current URL
c d - Copy a deep link URL

You can now pay for Cloudflare services directly from your bank account using Instant Bank Payments via Link.

What changed

Link now supports bank account payments in addition to cards. If you have a bank account saved in Link, it appears as a payment option at checkout. If not, you can connect one during the checkout flow.

How to use it

1. During checkout, select your bank account from your saved Link payment methods.
2. Confirm the payment.

After your first Link authentication, your bank account is available for future purchases without re-entering details.

Who is eligible

Instant Bank Payments via Link is available to US-based self-serve accounts across all Cloudflare products. Your existing cards remain available at checkout.

Bank-based Link payments appear in your billing history with the payment method shown as link and last four digits as 0000. For details, refer to the Instant Bank Payments via Link documentation.

The Support button in the dashboard global navigation header now takes you directly to the Cloudflare Support Portal ↗, eliminating the previous dropdown menu.

This change ensures that when you need help, you spend less time navigating the UI and more time getting the answers you need.

What changed?

Previous behavior: Selecting ? Support opened a dropdown menu with various links (Help Center, Cloudflare Community, etc.).

New behavior: Selecting Support immediately redirects your current tab to the Support Portal.

To learn more about the resources available to you, refer to the Cloudflare Support documentation ↗.

Resource Tagging is now in public beta and rolling out to all Cloudflare accounts over the coming days. You can attach custom key-value metadata to your Cloudflare resources and query across your entire account to find what you need.

What's included

• Broad resource type support — Tag zones, custom hostnames, Cloudflare Tunnels, Workers scripts, D1 databases, R2 buckets, KV namespaces, Durable Objects, Queues, Stream videos, Images, Access applications, Gateway rules, AI Gateways, and more. Refer to the full list of supported resource types.
• Powerful filtering — Query tagged resources using AND/OR logic, negation, and key-only matching. Combine up to 20 filters per query to build precise resource views.
• Account and zone-level endpoints — Full CRUD operations across both scopes.
• Token-based authentication — Tagging supports Account Owned Tokens that persist independently of individual users, so your automation keeps running through credential rotations and team changes.
• Flexible role support — Super Administrators, Workers Admins, and Tag Admins can all manage tags.

API-first by design

The API is the primary interface for Resource Tagging and the recommended path for all workflows — scripting tag assignments, building CI/CD pipelines, or integrating with your infrastructure-as-code toolchain.

Dashboard UI

You can also view and manage tagged resources directly in the Cloudflare dashboard. Navigate to Manage Account > Resource Tagging to see all tagged resources across your account, filter by resource name or tag, and add or edit tags inline.

What's coming next

In future releases, expect support for additional resource types across the Cloudflare platform, tag-based access control policies for scoping user permissions to tagged resources, billing and usage attribution by tag for breaking down costs by team, project, or environment, and Terraform provider support for managing tags declaratively.

Current limitations

• PUT replaces all tags on a resource (no partial update). Use the GET, merge, PUT workflow to modify individual tags safely.
• DELETE removes all tags from a resource. To remove a single tag, PUT the remaining tags back.
• Querying tags for a resource that has never been tagged returns 500 instead of 404. This is a known beta limitation.

To get started, refer to the Resource Tagging documentation.

Cloudflare-generated 5xx error responses now return structured JSON and Markdown when agents request them, matching the format already available for 1xxx errors. Responses follow RFC 9457 (Problem Details for HTTP APIs) and include a Retry-After HTTP header on retryable codes.

Changes

5xx coverage

Ten Cloudflare-generated error codes (500, 502, 504, 520-526) now serve structured responses. These are errors Cloudflare itself generates when it cannot reach or understand the origin server. Origin-generated 5xx responses that Cloudflare passes through are not affected.

Fault attribution

The error_category field tells agents where the fault lies:

• origin (502, 504, 520-524) — the origin server is responsible. Transient; retry with the backoff in retry_after.
• cloudflare (500) — Cloudflare's fault, not the website or the request. Short retry.
• ssl (525, 526) — the origin's TLS configuration is broken. Do not retry.

Retry-After header

Retryable codes (500, 502, 504, 520-524) include a Retry-After HTTP header matching the retry_after body field. Non-retryable codes (525, 526) do not include the header.

Negotiation behavior

Request header sent | Response format

Accept: application/json | JSON (application/json content type)

Accept: application/problem+json | JSON (application/problem+json content type)

Accept: application/json, text/markdown;q=0.9 | JSON

Accept: text/markdown | Markdown

Accept: text/markdown, application/json | Markdown (equal q, first-listed wins)

Accept: / | HTML (default)

Availability

Available now for all zones on all plans.

Get started

Get JSON response for error 522:

Check presence of the Retry-After HTTP header associated with the JSON response for error 521:

References

• RFC 9457 — Problem Details for HTTP APIs
• Cloudflare 5xx error documentation

A new Network Overview page in the Cloudflare dashboard gives you a single starting point for network security and connectivity products.

From the Network Overview page, you can:

• Connect resources with Cloudflare Tunnel - Create tunnels to connect your infrastructure to Cloudflare without exposing it to the public Internet.
• Monitor traffic with Network Flow - Get real-time visibility into traffic volume from your routers.
• Configure Address Maps - Map dedicated static IPs or BYOIP prefixes to specific hostnames.
• Explore Magic Transit and Cloudflare WAN - Set up DDoS protection for your networks and connectivity for your branch offices and data centers.

To find it, go to Networking ↗ in the dashboard sidebar.

If you already use Magic Transit, Cloudflare WAN, or other Cloudflare network services products, your existing experience is unchanged.

Pay-as-you-go customers can now monitor usage-based costs and configure spend alerts through two new features: the Billable Usage dashboard and Budget alerts.

Billable Usage dashboard

The Billable Usage dashboard provides daily visibility into usage-based costs across your Cloudflare account. The data comes from the same system that generates your monthly invoice, so the figures match your bill.

The dashboard displays:

• A bar chart showing daily usage charges for your billing period
• A sortable table breaking down usage by product, including total usage, billable usage, and cumulative costs
• Ability to view previous billing periods

Usage data aligns to your billing cycle, not the calendar month. The total usage cost shown at the end of a completed billing period matches the usage overage charges on your corresponding invoice.

To access the dashboard, go to Manage Account > Billing > Billable Usage.

Budget alerts

Budget alerts allow you to set dollar-based thresholds for your account-level usage spend. You receive an email notification when your projected monthly spend reaches your configured threshold, giving you proactive visibility into your bill before month-end.

To configure a budget alert:

1. Go to Manage Account > Billing > Billable Usage.
2. Select Set Budget Alert.
3. Enter a budget threshold amount greater than $0.
4. Select Create.

Alternatively, configure alerts via Notifications > Add > Budget Alert.

You can create multiple budget alerts at different dollar amounts. The notifications system automatically deduplicates alerts if multiple thresholds trigger at the same time. Budget alerts are calculated daily based on your usage trends and fire once per billing cycle when your projected spend first crosses your threshold.

Both features are available to Pay-as-you-go accounts with usage-based products (Workers, R2, Images, etc.). Enterprise contract accounts are not supported.

For more information, refer to the Usage based billing documentation.

OAuth allows third-party applications to access your Cloudflare account on your behalf — like when Wrangler deploys Workers or when monitoring tools read your analytics. You now have granular control over which accounts these applications can access, plus the ability to revoke access anytime.

What's new

Choose which accounts to authorize

When authorizing an OAuth application, you can now select specific accounts instead of granting access to all your accounts:

• Account-by-account selection — Choose exactly which accounts the application can access
• "All accounts" option — Still available for trusted tools like Wrangler

This gives you precise control who can access your data.

Clear consent screens

The OAuth consent screen now shows:

• What the application can access — Explicit list of permissions being requested
• Who created the application — Application owner and contact information
• Which accounts you're authorizing — Checkboxes for account selection

Revoke access anytime

Manage authorized OAuth applications from your profile:

• See all connected apps — View every OAuth application with access to your accounts
• Review permissions and scope — Check what each application can do and which accounts it can access
• Revoke instantly — Remove access with one click when you no longer need it

To manage your OAuth applications, navigate to Profile > Access Management > Connected Applications ↗.

Why this matters

These updates give you:

• Granular control — Authorize apps per-account instead of all-or-nothing
• Transparency — Know exactly what you're authorizing before you consent
• Security — Limit blast radius by restricting access to only necessary accounts
• Easy cleanup — Revoke access when applications are no longer needed

Learn more

Read more about these improvements in our blog post: Improving the OAuth consent experience ↗ .

Cloudflare API tokens now include identifiable patterns that enable secret scanning tools to automatically detect them when leaked in code repositories, configuration files, or other public locations.

What changed

API tokens generated by Cloudflare now follow a standardized format that secret scanning tools can recognize. When a Cloudflare token is accidentally committed to GitHub, GitLab, or another platform with secret scanning enabled, the tool will flag it and alert you.

Why this matters

Leaked credentials are a common security risk. By making Cloudflare tokens detectable by scanning tools, you can:

• Detect leaks faster — Get notified immediately when a token is exposed.
• Reduce risk window — Exposed tokens are deactivated immediately, before they can be exploited.
• Automate security — Leverage existing secret scanning infrastructure without additional configuration.

What happens when a leak is detected

When a third-party secret scanning tool detects a leaked Cloudflare API token:

1. Cloudflare immediately deactivates the token to prevent unauthorized access.
2. The token creator receives an email notification alerting them to the leak.
3. The token is marked as "Exposed" in the Cloudflare dashboard.
4. You can then roll or delete the token from the token management pages.

Supported platforms

• GitHub Secret Scanning — Automatically enabled for public repositories

For more information on token formats and secret scanning, refer to API token formats.

Cloudflare has officially launched a redesigned "Get Help" Support Portal to eliminate friction and get you to a resolution faster. Previously, navigating support meant clicking through multiple tiles, categorizing your own technical issues across 50+ conditional fields, and translating your problem into Cloudflare's internal taxonomy.

The new experience replaces that complexity with a personalized front door built around your specific account plan. Whether you are under a DDoS attack or have a simple billing question, the portal now presents a single, clean page that surfaces the direct paths available to you — such as "Ask AI", "Chat with a human", or "Community" — without the manual triage.

What's New

• One Page, Clear Choices: No more navigating a grid of overlapping categories. The portal now uses action cards tailored to your plan (Free, Pro, Business, or Enterprise), ensuring you only see the support channels you can actually use.
• A Radically Simpler Support Form: We've reduced the ticket submission process from four+ screens and 50+ fields to a single screen with five critical inputs. You describe the issue in your own words, and our backend handles the categorization.
• AI-Driven Triage: Using Cloudflare Workers AI and Vectorize, the portal now automatically generates case subjects and predicts product categories.

Moving complexity to the backend

Behind the scenes, we've moved the complexity from the user to our own developer stack. When you describe an issue, we use semantic embeddings to capture intent rather than just keywords.

By leveraging case-based reasoning, our system compares your request against millions of resolved cases to route your inquiry to the specialist best equipped to help. This ensures that while the front-end experience is simpler for you, the back-end routing is more accurate than ever.

To learn more, refer to the Support documentation or select Get Help directly in the Cloudflare Dashboard.

We're announcing the public beta of Organizations for enterprise customers, a new top-level Cloudflare container that lets Cloudflare customers manage multiple accounts, members, analytics, and shared policies from one centralized location.

What's New

Organizations [BETA]

are a new top-level container for centrally managing multiple accounts. Each Organization supports up to 500 accounts and 500 zones, giving larger teams a single place to administer resources at scale.

Self-serve onboarding

Enterprise customers can create an Organization in the dashboard and assign accounts where they are already Super Administrators.

Centralized Account Management

At launch, every Organization member has the Organization Super Admin role. Organization Super Admins can invite other users and manage any child account under the Organization implicitly.

Shared policies

Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management.

Implicit access

Members of an Organization automatically receive Super Administrator permissions across child accounts, removing the need for explicit membership on each account. Additional Org-level roles will be available over the course of the year.

Unified analytics

View, filter, and download aggregate HTTP analytics across all Organization child accounts from a single dashboard for centralized visibility into traffic patterns and security events.

Terraform provider support

Manage Organizations with infrastructure as code from day one. Provision organizations, assign accounts, and configure settings programmatically with the Cloudflare Terraform provider.

Shared policies

Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management.

Note

Organizations is in Public Beta. You must have an Enterprise account to create an organization, but once created, you can add accounts of any plan type where you are a Super Administrator.

For more info:

• Get started with Organizations
• Set up your Organization
• Review limitations

Service Key authentication for the Cloudflare API is deprecated. Service Keys will stop working on September 30, 2026.

replace Service Keys with fine-grained permissions, expiration, and revocation.

What you need to do

Replace any use of the

X-Auth-User-Service-Key

header with an

API Token

scoped to the permissions your integration requires.

If you use

cloudflared

, update to a version from November 2022 or later. These versions already use API Tokens.

If you use

origin-ca-issuer ↗
origin-ca-issuer
↗

, update to a version that supports API Token authentication.

For more information, refer to

API deprecations
.

Cloudflare dashboard SCIM provisioning now supports Authentik ↗

Authentik

↗

as an identity provider, joining Okta and Microsoft Entra ID as explicitly supported providers.

Customers can now sync users and group information from Authentik to Cloudflare, apply Permission Policies to those groups, and manage the lifecycle of users & groups directly from your Authentik Identity Provider.

Note

SCIM provisioning for the Cloudflare dashboard is available to Enterprise customers. You must be a Super Administrator to complete the initial setup.

For more information:

• SCIM provisioning overview
• Provision with Authentik

Cloudflare dashboard SCIM provisioning operations are now captured in Audit Logs v2

Cloudflare dashboard SCIM provisioning operations are now captured in Audit Logs v2, giving you visibility into user and group changes made by your identity provider.

Logged actions

• Create SCIM User | User provisioned from IdP
• Replace SCIM User | User fully replaced (PUT)
• Update SCIM User | User attributes modified (PATCH)
• Delete SCIM User | Member deprovisioned
• Create SCIM Group | Group provisioned from IdP
• Update SCIM Group | Group membership or attributes modified
• Delete SCIM Group | Group deprovisioned

For more details, refer to the Audit Logs v2 documentation.