08-tooling

cloudflare self managed oauth evaluation

2026-06-04·tooling·source: Cloudflare changelog — "Self-managed OAuth clients" (2026-06-03)
cloudflareoauthauthtooling-decisionsecrets

Cloudflare self-managed OAuth clients — evaluation (filed, not adopted)

Verdict: skim + file. Not actionable for RDCO today.

What shipped (2026-06-03)

Cloudflare now lets developers create and manage their own OAuth applications to integrate with Cloudflare. OAuth lets a third-party app act on behalf of a user's CF account with explicit consent and granular scope selection, positioned as "a more secure, user-friendly, and manageable alternative to API tokens." Apps start private (account-only) and can go public after domain verification. Their headline example: Wrangler deploying Workers via OAuth instead of an API token.

This is plain developer-app OAuth — the changelog mentions no PKCE and no dynamic client registration, so it is NOT the MCP/agent authorization flow (OAuth 2.1 + PKCE + DCR) it superficially resembles.

Why RDCO stays on API tokens

When OAuth WOULD win (revisit triggers)

Related