Cloudflare self-managed OAuth clients — evaluation (filed, not adopted)
Verdict: skim + file. Not actionable for RDCO today.
What shipped (2026-06-03)
Cloudflare now lets developers create and manage their own OAuth applications to integrate with Cloudflare. OAuth lets a third-party app act on behalf of a user's CF account with explicit consent and granular scope selection, positioned as "a more secure, user-friendly, and manageable alternative to API tokens." Apps start private (account-only) and can go public after domain verification. Their headline example: Wrangler deploying Workers via OAuth instead of an API token.
This is plain developer-app OAuth — the changelog mentions no PKCE and no dynamic client registration, so it is NOT the MCP/agent authorization flow (OAuth 2.1 + PKCE + DCR) it superficially resembles.
Why RDCO stays on API tokens
- RDCO's entire Cloudflare access path is headless agent automation: Ray deploys HQ/Workers/Pages and hits the API via
~/.claude/scripts/cloudflare-api.sh+wrangler, withCLOUDFLARE_API_TOKENsourced inline from 1Password (op://Ray Agent/Cloudflare Ray Account API Key). See [[feedback_no_secrets_on_disk]] and thecloudflareskill. - OAuth's premise is interactive user-consent. A headless agent can't complete a consent redirect, so OAuth is a worse fit, not a better one, for this use case. API tokens remain the correct primitive for unattended automation.
- Migrating would add a consent/refresh-token dance with zero security upside for our single-owner, single-account setup.
When OAuth WOULD win (revisit triggers)
- If RDCO ever ships a product that connects to other people's Cloudflare accounts (a SaaS managing customers' CF) — then per-user OAuth + granular scopes beats minting and passing API tokens around. Not a current use case.
- If we ever want tighter least-privilege scoping than the current account-scoped token and find token scopes insufficient — OAuth granular scopes are the better path. The existing token already supports scoping, so this is marginal.
Related
- [[feedback_no_secrets_on_disk]] — the 1Password-wrapper principle this decision preserves
- The
cloudflareskill +~/.claude/scripts/cloudflare-api.sh— current token-based access layer