Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update account owned tokens #18684

Open
wants to merge 7 commits into
base: production
Choose a base branch
from
138 changes: 68 additions & 70 deletions src/content/partials/fundamentals/account-owned-tokens.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -4,82 +4,80 @@

---

Account owned tokens are the first step that Cloudflare is taking to represent service principals in our service.

Cloudflare is working to ensure that all features eventually become compatible with account owned tokens.

If you are working with a service that is not currently supported by account owned tokens, it is recommended that you continue to use the existing user tokens.
While user tokens act on behalf of a particular user, and inherit a subset of that user's permissions, account owned tokens allow you to set up durable integrations that can act as service principals, effectively acting as themselves with their own specific set of permissions. This approach is ideal for scenarios like CI/CD, or building integrations with external services like SEIMs where it's important that the integration keeps working, even long after the user who configured the integration may have left your organization altogether. User tokens are better for ad hoc tasks like scripting, where acting as the user is ideal, and durability is less of a concern.
jhutchings1 marked this conversation as resolved.
Show resolved Hide resolved

## Creating an account owned token
jhutchings1 marked this conversation as resolved.
Show resolved Hide resolved
:::note
User tokens will continue to work and we do not have plans to deprecate them.
Creating an account owned token requires Super Administrator permission on the account
patriciasantaana marked this conversation as resolved.
Show resolved Hide resolved
:::

Account owned tokens are available to all customers. Super Administrators of accounts on the [Cloudflare dashboard](https://dash.cloudflare.com/) can find them via **Manage Account** > **API Tokens**.

You can still create tokens using the Cloudflare dashboard, and it can also be accessed via the API at `/accounts/<accountID>/tokens`.
1. Log into the [Cloudflare dashboard](https://dash.cloudflare.com)
2. In the sidebar, choose **Manage Account**
3. Choose **Account API Tokens**
4. Click **Create Token**
5. Navigate through the subsequent pages to set the name, permissions, and the (optional) expiration date for the token. Click **Continue to Summary**
6. Review the details, and finally click **Create Token**
patriciasantaana marked this conversation as resolved.
Show resolved Hide resolved

Try using account owned tokens specifically in these scenarios:

- You require business continuity when managing tokens as a team of super administrators.
- You need to restrict API access on your account and want to centralize visibility and management of these tokens.
You can alternatively create a token using the [account owned token creation API](https://developers.cloudflare.com/api-next/resources/accounts/subresources/tokens/methods/create/).
jhutchings1 marked this conversation as resolved.
Show resolved Hide resolved

## Compatibility matrix

Account owned tokens are a new credential type that is currently in open beta. Refer to the table below for products currently supported and their compatibility status.
Account owned tokens are generally available in all accounts. Some services may not support account owned tokens yet. Please see the compatibility matrix below for the latest status.
jhutchings1 marked this conversation as resolved.
Show resolved Hide resolved

| Product | Compatibility |
| :---- | :---- |
jhutchings1 marked this conversation as resolved.
Show resolved Hide resolved
| Access | ❌ |
| Account Analytics | ❌ |
| Account Management | ✅ |
| AI Gateway | ✅ |
| AMP | ✅ |
| API Shield | ✅ |
| Billing | ❌ |
| Cache | ✅ |
| Cloud Connector | ✅ |
| Configuration Rules | ✅ |
| Custom Pages | ✅ |
| Data Loss Prevention | ✅ |
| Digital Experience Monitoring | ✅ |
| Distributed Web | ❌ |
| DNS | Partial (Non-analytics) |
| Durable Objects | ❌ |
| Email Relay | ❌ |
| Gateway Filtering | ❌ |
| Healthchecks | ✅ |
| Hyperdrive | ❌ |
| Images | ✅ |
| Intel Data Platform | ❌ |
| Load Balancing | ❌ |
| Log Explorer | ❌ |
| Magic Network Monitoring | ✅ |
| Magic Transit | ❌ |
| Magic WAN | ❌ |
| Managed Rules | ❌ |
| Network Error Logging | ❌ |
| Page Shield | ✅ |
| Pages | ✅ |
| Pub/Sub | ❌ |
| R2 | ✅ |
| Radar | ✅ |
| Registrar | ❌ |
| Rulesets | ✅ |
| Spectrum | ❌ |
| Speed | ✅ |
| Stream | ✅ |
| Super Bot Fight Mode | ❌ |
| Trace | ✅ |
| Tunnels | ✅ |
| Turnstile | ❌ |
| Vectorize | ❌ |
| Waiting Room | ✅ |
| Workers | ✅ |
| Workers AI | ❌ |
| Workers KV | ✅ |
| Workers Observability | ❌ |
| Workers Queues | ✅ |
| Zaraz | ❌ |
| Zero Trust Client Platform | ❌ |
| Zero Trust Devices and Services | ✅ |
| Zone/Domain Management | ✅ |

| Product | Compatible |
| ------------------------------- | ----------------------- |
| Account Management | ✅ |
| Account Analytics | ❌ |
| Zero Trust Devices and Services | ✅ |
| Stream | ✅ |
| Pages | ✅ |
| Speed | ✅ |
| Images | ✅ |
| Zone/Domain Management | ✅ |
| Workers | ✅ |
| Workers Queues | ✅ |
| Workers KV | ✅ |
| Workers AI | ❌ |
| Workers Observability | ❌ |
| Durable Objects | ❌ |
| R2 | ✅ |
| Tunnels | ✅ |
| Cache | ✅ |
| Rulesets | ✅ |
| Custom Pages | ✅ |
| Cloud Connector | ✅ |
| Trace | ✅ |
| Configuration Rules | ✅ |
| DNS | Partial (Non-analytics) |
| Access | ❌ |
| Magic WAN | ❌ |
| Magic Transit | ❌ |
| Magic Network Monitoring | ✅ |
| Managed Rules | ❌ |
| Load Balancing | ❌ |
| Spectrum | ❌ |
| Pub/Sub | ❌ |
| Distributed Web | ❌ |
| Radar | ✅ |
| Data Loss Prevention | ✅ |
| Network Error Logging | ❌ |
| Super Bot Fight Mode | ❌ |
| Page Shield | ✅ |
| AI Gateway | ✅ |
| Turnstile | ❌ |
| AMP | ✅ |
| API Shield | ✅ |
| Billing | ❌ |
| Digital Experience Monitoring | ✅ |
| Intel Data Platform | ❌ |
| Email Relay | ❌ |
| Gateway Filtering | ❌ |
| Healthchecks | ✅ |
| Log Explorer | ❌ |
| Zero Trust Client Platform | ❌ |
| Registrar | ❌ |
| Hyperdrive | ❌ |
| Vectorize | ❌ |
| Waiting Room | ✅ |
| Zaraz | ❌ |
Loading