Accept Cloudflare cfut_/cfat_ API tokens #123
It seems unlikely the token format will change again in the future, but to prevent this from happening again I feel like this sort of validation should produce a warning instead of failing entirely. Or, instead of strictly matching against the token format, simply check for the common mistakes mentioned in the log message: Line 50 in 6dc1fbb
This is currently blocking me from setting up a Caddy instance with the Cloudflare DNS provider, as the only tokens I can generate are the new ones so far that I know of. What's the status on this being merged?
I like this as well. In the end, if it is an invalid token then it will fail when trying to authenticate and a warning will provide the feedback necessary to double check the format. Unless I am missing something I'm not sure a process-killing error just based on length is necessary.
To fix the bug where the caddy-dns/cloudflare plugin treats tokens with the cfut_ prefix as invalid, build with the commit from PR #123 pinned. Reference: caddy-dns/cloudflare#123 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: support Cloudflare API tokens with the cfut_ prefix
  To fix the bug where the caddy-dns/cloudflare plugin treats tokens with the cfut_ prefix as invalid, build with the commit from PR #123 pinned. Reference: caddy-dns/cloudflare#123 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* Potential fix for pull request finding
  Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix: add an ARG to Dockerfile.caddy and state the source of the commit SHA
  - Turn the commit SHA into a variable with ARG CLOUDFLARE_DNS_CLOUDFLARE_REF
  - State in a comment the source (unmerged PR digitaldemocracy2030#123 in the official repository), what it contains, and why it is a temporary measure
  - The commit SHA itself has been confirmed to return HTTP 200 in the official repository
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@ItzDabbzz I'm using this in the meantime while I wait for this to be merged. Hope it helps you too.
xcaddy build \
    --with github.com/caddy-dns/cloudflare=github.com/ogerman/cloudflare@master
@mholt thought you might want to know about this one - currently all new Cloudflare tokens are failing with caddy due to the new format. Fix in this PR is just a simple update to the format check. We've tested it and it seems to be working fine.
+1 +1 +1 Maybe don't validate formats you don't own?
I agree with you, but it’s possible this was designed with security in mind. Since these tokens originate from userland, blindly passing arbitrary strings through the code could introduce vulnerabilities.
Thanks for the ping. Did Cloudflare just break every API client out there?? Any link to the change?
We could just remove the validation if they can just change it instantly like that and break everything. The validation was deemed necessary after too many people had erroneous configs where their tokens weren't being set properly in the environment or whatever else, because Cloudflare's error messages were so bad, I think even misleading IIRC. The validation made it obvious and "proved" that it wasn't a problem with this code, it was something on their end, and was to compensate for Cloudflare's terrible error messages. But again, if it's going to break people, and Cloudflare is just going to change formats out of the blue, we can just remove the validation and leave users on their own.
I cannot find any news / blog post from Cloudflare regarding the new format. I have generated some keys in the past couple of months and started noticing this change since last week. At first I thought I made a mistake because the keys were prefixed "cfat_". But as we've all seen, these are actually keys in a new format.
I found 0 news about the change, although I did notice that their docs for the create-token page were last updated on Feb 9, 2026. Although, from the looks of it, they are preparing to deprecate Global API Keys & Origin CA Keys and transfer to Account API Tokens as the preferred method, as their docs recently added the legacy and deprecated tags next to the titles in the sidebar. CA-Keys was updated recently, Mar 19, 2026.
mholt left a comment
Thanks; let's go with this for now. But I might want to remove the validation in the near future knowing that Cloudflare may change this at any time without warning. It will leave users hanging, though, unless Cloudflare fixes their error messages.
@mholt Perhaps we can present a warning as a middle ground? That way users aren't left hanging, but it also won't cause things to break if the format changes.
We could try a warning, but my worry is that the eventual error from Cloudflare will overshadow the warning earlier in the logs. But you're right, it could be a good middle ground. (And the point of warnings is to warn you of future errors.)
Cloudflare introduced new token formats (user cfut_…, account cfat_…) alongside the existing legacy tokens. This PR extends provisioning validation so those shapes are accepted
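
The warn-instead-of-fail middle ground discussed in this thread, written in Go as an added example; it is not code from this PR or from caddy-dns/cloudflare. `CheckToken`, both regular expressions and the sample values are assumptions: it fails hard only on values that cannot be a Bearer credential under RFC 6750 (empty, unexpanded placeholder, whitespace or quotes) and merely warns on an unrecognized shape.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var (
	// RFC 6750 b64token: the only characters a Bearer credential may contain.
	bearerSyntax = regexp.MustCompile(`^[A-Za-z0-9\-._~+/]+=*$`)
	// Assumed shapes: the cfut_/cfat_ prefixes are from this thread; the legacy
	// charset and 35-50 length range are illustrative, not the plugin's rule.
	knownShape = regexp.MustCompile(`^(cf(ut|at)_[A-Za-z0-9_-]+|[A-Za-z0-9_-]{35,50})$`)
)

// CheckToken (hypothetical helper) fails only when the value can never work as
// a Bearer credential, and returns a warning for shapes it does not recognize.
func CheckToken(tok string) (warning string, err error) {
	switch {
	case tok == "":
		return "", errors.New("API token is empty; is the environment variable set?")
	case strings.ContainsAny(tok, "{}$"):
		return "", errors.New("API token looks like an unexpanded placeholder")
	case !bearerSyntax.MatchString(tok):
		return "", errors.New("API token contains whitespace, quotes or other invalid characters")
	case knownShape.MatchString(tok):
		return "", nil
	}
	// Unknown shape: the issuer may have changed formats, so warn and continue.
	// Report only the length so the secret itself never reaches the logs.
	return fmt.Sprintf("API token has an unrecognized format (length %d); "+
		"if authentication fails, check how it was copied", len(tok)), nil
}

func main() {
	// Constructed sample values, not real tokens.
	samples := []string{"", "{env.CF_API_TOKEN}", " abc ", "cfut_" + strings.Repeat("a", 40),
		strings.Repeat("b", 40), "newfmt." + strings.Repeat("c", 10)}
	for i, s := range samples {
		warn, err := CheckToken(s)
		fmt.Printf("sample %d: warn=%q err=%v\n", i, warn, err)
	}
}
```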