codetomake.com

Restrict tokens · Cloudflare Fundamentals docs

2024.12.12 20:59




Restrict tokens

API tokens can be restricted at runtime in two ways:

- Client IP address range filtering
- Time to live (TTL) constraints

Client IP address range filtering

Client IP address restrictions control which IP addresses can make API requests with this token. By default, if no filtering is applied, all IP addresses can use the token. Once an "Is in" rule is applied, the token can only be used from the defined IP addresses. Define ranges with CIDR notation. To allow an IP range with exceptions, define "Is not in" to exempt specific IPs or smaller ranges.

Note

Client IP address range filtering is not applied to the Verify Token endpoint.

Time to live (TTL) constraints

By default, tokens do not expire and are long-lived. Defining a TTL sets when a token starts being valid and when a token is no longer valid. This is often referred to as notBefore and notAfter. Setting these timestamps limits the lifetime of the token to the defined period. Not setting the start date or notBefore means the token is active as soon as it is created. Not setting the end date or notAfter means the token does not expire.

Note

Dates selected are defined as 00:00 UTC of that day. For finer-grained time selection, use the API.
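To sanity-check a planned restriction before saving it, the two rules above can be modelled locally. This is an added example, not Cloudflare's code: the class, its field names (is_in, is_not_in, not_before, not_after) and the sample policy are hypothetical, and the boundary and Verify Token assumptions are marked in the comments.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timezone
from ipaddress import ip_address, ip_network
from typing import Optional


def day_start_utc(d: date) -> datetime:
    """A date picked in the dashboard means 00:00 UTC of that day."""
    return datetime.combine(d, time.min, tzinfo=timezone.utc)


@dataclass
class TokenRestrictions:
    """Hypothetical local model; field names are not Cloudflare API fields."""
    is_in: list = field(default_factory=list)      # allowed CIDR ranges
    is_not_in: list = field(default_factory=list)  # exceptions carved out
    not_before: Optional[datetime] = None          # None: active on creation
    not_after: Optional[datetime] = None           # None: does not expire

    def ip_allowed(self, client_ip: str) -> bool:
        ip = ip_address(client_ip)

        def hit(cidrs):
            return any(ip in ip_network(c) for c in cidrs)

        if hit(self.is_not_in):
            return False
        # With no "Is in" rule, all IP addresses can use the token.
        return not self.is_in or hit(self.is_in)

    def time_allowed(self, now: datetime) -> bool:
        if self.not_before and now < self.not_before:
            return False
        # Assumption: the token is already invalid at the notAfter instant.
        return not (self.not_after and now >= self.not_after)

    def allows(self, client_ip: str, now: datetime, verify_endpoint: bool = False) -> bool:
        # The page exempts Verify Token from IP filtering only; keeping the
        # TTL check for that endpoint is an assumption of this model.
        return self.time_allowed(now) and (verify_endpoint or self.ip_allowed(client_ip))


# Constructed sample policy (documentation address ranges, made-up dates).
SAMPLE = TokenRestrictions(
    is_in=["198.51.100.0/24"],
    is_not_in=["198.51.100.128/25"],
    not_before=day_start_utc(date(2025, 1, 1)),
    not_after=day_start_utc(date(2025, 2, 1)),
)
```

Timestamps passed to the model must be timezone-aware, because the dashboard dates are interpreted as UTC.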
