Authentication overview

Cloudflare Trace provides observability for applications deployed on Cloudflare Workers, offering distributed tracing, log analysis, and metrics. Authentication for Cloudflare Trace is handled through the broader Cloudflare security model, primarily utilizing API tokens and service keys. This approach ensures that access to trace data, configuration, and related resources within the Cloudflare ecosystem is controlled and secured. The authentication mechanisms are designed to integrate seamlessly with existing Cloudflare account management, allowing developers to manage access permissions with granularity.

The core principle behind Cloudflare Trace authentication is to provide secure, auditable access to your observability data. This involves verifying the identity of the user or application making a request and then authorizing that identity to perform specific actions or access particular resources. For programmatic access, such as querying trace data via the Cloudflare API or integrating with third-party tools, API tokens are the standard method. These tokens can be scoped to specific resources and permissions, adhering to the principle of least privilege.

Cloudflare's identity and access management (IAM) system, which underpins Cloudflare Trace authentication, supports various security features including multi-factor authentication (MFA) for dashboard access and API token rotation. This framework is crucial for maintaining the integrity and confidentiality of sensitive operational data generated by your Cloudflare Workers applications. Understanding and correctly configuring these authentication methods is essential for both development and production environments to prevent unauthorized data access or service disruptions.

Supported authentication methods

Cloudflare Trace, as an integral part of the Cloudflare Workers platform, leverages Cloudflare's existing authentication mechanisms. The primary methods for authenticating requests to access or manage Cloudflare Trace data and configurations are:

  • API Tokens: These are the recommended and most flexible method for programmatic access. API tokens can be created with specific permissions and resource access, allowing for fine-grained control over what an application or user can do. For example, a token can be restricted to only read trace data for a specific Worker script, or to manage trace settings across an entire account.
  • Global API Key: While still supported, the Global API Key provides full access to all Cloudflare resources associated with an account. Due to its broad permissions, Cloudflare recommends using API tokens with limited scope instead of the Global API Key for most use cases, especially for automation and third-party integrations.

The choice of authentication method depends on the use case. For interactive use via the Cloudflare dashboard, users authenticate with their Cloudflare account credentials, which can be secured with multi-factor authentication. For automated tasks, scripts, or integrations, API tokens are the preferred and more secure option.

Authentication method comparison

Method When to Use Security Level
API Tokens Programmatic access, automation, third-party integrations, specific resource access High (granular permissions, revocable)
Global API Key Legacy integrations, full account access (discouraged for new use cases) Low (broad permissions, high risk if compromised)
Cloudflare Account Credentials Interactive dashboard access, management by human users High (MFA support, password policies)

Getting your credentials

To interact with Cloudflare Trace programmatically, you will primarily need to generate an API token. The process involves navigating through the Cloudflare dashboard.

Generating an API token

  1. Log in to Cloudflare Dashboard: Access your Cloudflare account at dash.cloudflare.com.
  2. Navigate to API Tokens: From the user profile dropdown (usually top right), select 'My Profile', then navigate to the 'API Tokens' tab. Alternatively, you can use the direct link to Cloudflare API Tokens.
  3. Create Token: Click on 'Create Token'. You will be presented with a list of templates or the option to create a custom token.
  4. Select or Create Template:
    • Use a template: For Cloudflare Trace, you might look for templates related to 'Workers' or 'Analytics' if available, or a general 'Read only' template for observability data.
    • Create Custom Token: This is generally recommended for precise control.
  5. Configure Permissions: When creating a custom token, you need to define the permissions (API permissions) and resource access (Zone Resources or Account Resources). For Cloudflare Trace, you would typically configure permissions related to:
    • Account > Workers > Trace: For managing trace settings.
    • Account > Workers > Script: For managing Worker scripts, which generate trace data.
    • Account > Analytics > Read: For reading analytics data, which may include trace-related metrics.
    • Zone > Zone > Read: If trace data is tied to a specific zone.
    Ensure you select the appropriate account and/or zone for the token to apply to. Adhere to the principle of least privilege by granting only the necessary permissions.
  6. Review and Create: Give your token a descriptive name, review the summary, and click 'Continue to summary', then 'Create Token'.
  7. Copy Token: Your API token will be displayed once. Copy it immediately as it will not be shown again. Treat this token like a password; store it securely and do not embed it directly into public repositories.

For more detailed instructions on creating and managing API tokens, refer to the Cloudflare API Tokens documentation.

Authenticated request example

Once you have an API token, you can use it to authenticate requests to the Cloudflare API to interact with Cloudflare Trace data or settings. The API token is typically passed in the Authorization header as a Bearer token.

Here's an example using curl to fetch Worker trace settings, assuming you have an API token with appropriate permissions:

curl -X GET "https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/trace_settings"
     -H "Authorization: Bearer YOUR_API_TOKEN"
     -H "Content-Type: application/json"

In this example:

  • YOUR_API_TOKEN should be replaced with the actual API token you generated.
  • {account_id} should be replaced with your Cloudflare Account ID. You can find your Account ID in the Cloudflare dashboard under 'Workers & Pages' or 'Overview' for any zone.

To interact with specific trace data, you would typically use Cloudflare's GraphQL Analytics API. For instance, querying trace logs might look something like this:

curl -X POST "https://api.cloudflare.com/client/v4/graphql"
     -H "Authorization: Bearer YOUR_API_TOKEN"
     -H "Content-Type: application/json"
     --data '{ "query": "query { viewer { accounts(filter: {accountTag: \"YOUR_ACCOUNT_ID\"}) { workersTraceEvents(limit: 100, filter: {date_gt: \"2023-01-01T00:00:00Z\"}) { timestamp eventType workerName duration status } } } }" }'

This GraphQL query example demonstrates how to fetch recent Worker trace events. The exact fields and filters available depend on the GraphQL schema provided by Cloudflare's Analytics API. Always refer to the Cloudflare Workers Trace documentation for the most up-to-date API endpoints and query structures.

Security best practices

Securing your Cloudflare Trace authentication credentials is critical to protect your observability data and prevent unauthorized access to your Cloudflare account. Adhere to the following best practices:

  1. Use API Tokens, Not Global API Keys: Always prefer API tokens over the Global API Key. API tokens allow for granular permissions and are revocable, significantly reducing the blast radius if compromised. The Global API Key grants full access to your account and should be avoided for programmatic use.
  2. Principle of Least Privilege: When creating API tokens, grant only the minimum necessary permissions for the task at hand. For example, if an integration only needs to read trace data, do not grant it permissions to modify Worker scripts or account settings. This limits potential damage if the token is exposed.
  3. Token Scoping: Restrict API tokens to specific resources (e.g., a particular Worker script or Zone) whenever possible. This further narrows the scope of access and reduces risk.
  4. Secure Storage: Never hardcode API tokens directly into your application code or commit them to version control systems (like Git). Instead, use environment variables, secret management services (e.g., Google Secret Manager, AWS Secrets Manager), or secure configuration files that are properly excluded from source control.
  5. Token Rotation: Regularly rotate your API tokens. This means generating new tokens and revoking old ones on a scheduled basis (e.g., every 90 days). This practice minimizes the window of opportunity for a compromised token to be exploited.
  6. Monitor API Token Usage: Cloudflare provides audit logs that record API activity. Regularly review these logs to detect any suspicious or unauthorized use of your API tokens.
  7. Enable Multi-Factor Authentication (MFA): For your Cloudflare account, always enable MFA. This adds an extra layer of security, requiring a second verification step beyond just a password, making it much harder for unauthorized users to access your dashboard and generate new tokens.
  8. Restrict IP Access: If possible, configure API tokens to only be valid when requests originate from a specific set of trusted IP addresses. This provides an additional network-level control.
  9. Revoke Compromised Tokens Immediately: If you suspect an API token has been compromised, revoke it immediately through the Cloudflare dashboard.
  10. Educate Developers: Ensure that all developers working with Cloudflare Trace and its associated APIs understand and follow these security best practices.