Cloudflare opened self-managed OAuth to all developers on June 3, 2026 — ending a years-long arrangement where OAuth was available only to a handful of manually approved integration partners. If you have been building integrations on top of Cloudflare and telling your users to copy-paste an API token into your app, that workaround is now officially obsolete. Proper OAuth authorization flows are available to every Cloudflare account, no partner approval required.
API Tokens Were Always the Wrong Default for Integrations
For years, Cloudflare’s integration story had a quiet flaw: if your SaaS product needed to manage a customer’s DNS records, WAF rules, or Workers deployments, you had to walk them through generating a Cloudflare API token. This works, technically. However, it is a bad experience and a worse security posture.
API tokens hand over credentials without a consent screen. The user does not see what your app intends to do with their account. Revocation requires logging into Cloudflare and manually hunting down the right token. Scope creep happens when developers request broader permissions than necessary because scoping tokens precisely is tedious. OAuth solves all of these problems with a standardized flow: the user clicks “Connect with Cloudflare,” sees exactly what your app is requesting, approves or denies, and can revoke access from their dashboard at any time. Cloudflare acknowledged the shift directly: “As the Developer Platform grew and agentic tools drove demand for delegated access, it became clear that opening up Cloudflare OAuth to all customers was critical to the success of the platform.”
The question of why this took so long is fair. The answer, it turns out, is that the work required to get here was genuinely substantial.
What It Took: 132.5 Million Rows and Zero Downtime
Cloudflare’s engineering retrospective published June 24 reveals the scope of what was required. The underlying OAuth engine — Ory Hydra — needed to be upgraded from 1.X to 2.X. That meant migrating 132.5 million database rows and inserting 114.7 million more, all without taking production OAuth offline for a single user.
The migration surfaced several non-trivial problems. Standard Hydra migrations claimed exclusive locks on critical database tables — the kind of lock that would have blocked all active OAuth operations during the upgrade. The team rewrote the migrations to use non-locking patterns to sidestep this entirely. Hydra 1.X also had strict refresh token reuse behavior that was silently breaking high-volume clients like Wrangler and MCP — the fix required adding token coalescing at the Cloudflare Worker layer so concurrent refresh requests returned the same token rather than invalidating the entire chain. During the 3-hour production cutover, Cloudflare Queues buffered all revocation events to prevent data loss.
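The refresh-token coalescing described above, sketched as an added example (not Cloudflare's code and not from the retrospective): a constructed mock token server with strict reuse detection shows two concurrent refreshes revoking the chain, then the same race passing through a coalescer. `MockTokenServer`, `RefreshCoalescer`, the token format and the in-memory map are assumptions made for illustration.

```javascript
// Constructed mock server: refresh tokens rotate; reusing a spent one revokes the chain.
class MockTokenServer {
  constructor() { this.live = new Map(); this.spent = new Map(); this.revoked = new Set(); this.seq = 0; }
  issue(chain) {
    const rt = `rt-${chain}-${++this.seq}`; // constructed token format
    this.live.set(rt, chain);
    return rt;
  }
  async refresh(rt) {
    await new Promise((resolve) => setTimeout(resolve, 5)); // simulated round trip
    if (this.spent.has(rt)) { // reuse detected: revoke the chain
      this.revoked.add(this.spent.get(rt));
      throw new Error("invalid_grant");
    }
    const chain = this.live.get(rt);
    if (chain === undefined || this.revoked.has(chain)) throw new Error("invalid_grant");
    this.live.delete(rt); this.spent.set(rt, chain); // rotate: old token is now spent
    const next = this.issue(chain);
    return { access_token: `at-${next}`, refresh_token: next };
  }
}

// Hypothetical coalescer: concurrent refreshes of one token share one upstream call.
class RefreshCoalescer {
  constructor(server) { this.server = server; this.inflight = new Map(); } // Map: stand-in for shared state
  refresh(rt) {
    let pending = this.inflight.get(rt);
    if (!pending) {
      pending = this.server.refresh(rt);
      this.inflight.set(rt, pending);
      const clear = () => this.inflight.delete(rt); // share in-flight calls only
      pending.then(clear, clear);
    }
    return pending;
  }
}

async function demo() {
  const direct = new MockTokenServer(), rtA = direct.issue("A");
  const naive = await Promise.allSettled([direct.refresh(rtA), direct.refresh(rtA)]);
  const guarded = new MockTokenServer(), rtB = guarded.issue("B"), co = new RefreshCoalescer(guarded);
  const merged = await Promise.allSettled([co.refresh(rtB), co.refresh(rtB)]);
  const chainAliveAfterMerge = !guarded.revoked.has("B");
  const replay = await Promise.allSettled([co.refresh(rtB)]); // spent token replayed later
  return { naive: naive.map((r) => r.status), chainARevoked: direct.revoked.has("A"),
    sameToken: merged[0].value.refresh_token === merged[1].value.refresh_token,
    chainAliveAfterMerge, replayStatus: replay[0].status, chainBRevoked: guarded.revoked.has("B") };
}
demo().then((result) => console.log(result));
```

Only in-flight calls are shared, so a spent token presented after the refresh has settled still trips reuse detection. Real code would key the map on a hash of the token rather than the token itself.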
The side effects of the upgrade were considerable. API P95 latency dropped from 185ms to 101ms — a 45% improvement. CPU usage fell 37%. Go heap allocation shrank 40%. The OAuth system Cloudflare ships today is meaningfully faster than the one it ran last week, as a direct consequence of the infrastructure work required to open this feature to everyone.
What Developers Can Build With Cloudflare OAuth Now
Three categories of integration open up immediately. First, any SaaS product that manages Cloudflare infrastructure on behalf of customers can now offer a “Connect your Cloudflare account” button backed by a real OAuth flow — scoped permissions, consent screen, dashboard revocation. Second, internal developer platform teams can build tools that act on Cloudflare resources with per-user authorization rather than shared service tokens. Third, and most consequentially for 2026, AI agents and MCP server implementations that need to act on user Cloudflare accounts now have a proper delegated access model to build against.
Cloudflare’s own MCP servers already run on OAuth 2.1. Self-managed OAuth gives third-party developers the same primitive. The scopes mirror Cloudflare API token permissions — you select only what your integration needs. Applications can be private (accessible only within your account) or public (available to any Cloudflare user, after domain ownership verification). Getting started means navigating to Manage account > OAuth clients in the Cloudflare dashboard.
The agentic angle matters here. The MCP ecosystem has been shipping without proper authentication — OAuth is exactly the primitive that addresses this. User-facing consent, scoped tokens, revocable access: Cloudflare making this self-serve is a meaningful unlock for any developer building agents that touch cloud infrastructure. For more on the auth gap in MCP deployments, see our earlier coverage of how Cloudflare is handling temporary accounts for AI agents.
Key Takeaways
- Cloudflare self-managed OAuth went live June 3, 2026 — any Cloudflare account can now register OAuth applications without partner approval
- API tokens remain appropriate for personal automation and CI/CD pipelines; OAuth is the correct choice when a third party needs to act on a user’s Cloudflare account
- The upgrade migrated 132.5M database rows with zero downtime and delivered a 45% API latency improvement as a side effect
- Scopes mirror Cloudflare API token permissions — request only what your integration actually needs
- The most significant unlock is for AI agents and MCP servers that require delegated access to Cloudflare infrastructure