Cloudflare
Cloudflarecloud9 credentials
API Token
cloudflare / api-token
Cloudflare API tokens authenticate scoped requests to the Cloudflare API. Cloudflare documents Bearer authorization and states that new API tokens use the cfut_ prefixed scannable format for credential scanning.
Looks like
examplecfut_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
CLOUDFLARE_API_TOKEN, CF_API_TOKENAuthorizationBearer token used by Cloudflare API v4 requests
automation scripts, Terraform providers, Wrangler config, committed .env files
.env, CI configuration, deployment manifests, local shell profiles
CI/CD variables, cloud secret managers, hosted app settings
curl traces, HTTP client debug logs, and API gateway logs containing Authorization headers
Notes
Prefer scoped API tokens over Global API keys. Token permissions and resource scopes determine blast radius; rotate any token found outside the intended secret store or deployment environment.
Global API Key (legacy)
cloudflare / global-api-key
Cloudflare Global API Key is the legacy account-wide API credential used with the account email address. Cloudflare recommends API tokens where possible and documents that new and rolled Global API Keys use the cfk_ prefixed scannable format.
Looks like
examplecfk_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
CLOUDFLARE_API_KEY, CF_API_KEY, CLOUDFLARE_EMAIL, CF_EMAILlegacy clients commonly require both key and account email
X-Auth-Key, X-Auth-Emaillegacy Cloudflare API authentication headers
legacy automation scripts, Terraform provider configuration, DNS update clients
.env, DNS updater config, CI configuration, shell profiles
CI/CD variables, cloud secret managers, hosted app settings
HTTP client debug logs exposing X-Auth-Key or X-Auth-Email headers
Notes
Global API Key has broad access across a user's Cloudflare resources and requires the account email address for API use. Treat any leak as a high-impact account credential exposure and replace it with scoped API tokens where possible.
Account Login Password
cloudflare / account-login-password
Cloudflare dashboard users authenticate with an email address and password unless the account is governed by SSO. Account members and Super Administrators are managed through Cloudflare account and organization membership flows.
Location
https://dash.cloudflare.com/loginCloudflare dashboard login
password managers, enterprise SSO vaults, and identity-provider credential stores
browser, proxy, or identity-provider logs that capture login submissions or reset flows
Notes
No universal Cloudflare dashboard default password is documented. MFA, SSO, role scopes, and membership policies affect the blast radius of a leaked password, but the password remains the primary account login secret when local Cloudflare authentication is used.
Account Recovery Codes
cloudflare / account-recovery-codes
Cloudflare two-factor authentication setup generates backup recovery codes that can be saved and later used to regain account access if the user loses access to their authenticator or reset channel.
Location
password managers, enterprise vaults, printed recovery-code storage
downloaded, printed, copied, or screenshot recovery-code exports
accidentally committed notes, onboarding docs, or incident runbooks
Notes
Recovery codes are account-access secrets rather than API credentials. They should be rotated/regenerated if found in shared files, tickets, repositories, or screenshots.
R2 S3 Access Key / Secret Access Key
cloudflare / r2-s3-access-key
Cloudflare R2 S3-compatible API tokens produce an Access Key ID and Secret Access Key pair. Cloudflare states that the Secret Access Key is displayed only once after token creation and must be recorded by the operator.
Location
AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEYS3 client profiles, rclone config, backup tool config, .env files
object-storage clients, backup scripts, data pipelines, committed examples
CI/CD variables, cloud secret managers, backup platform secrets
S3 client debug logs and failed-auth traces
Notes
R2 keys are commonly used through S3-compatible tooling, so they may appear under generic AWS_* names rather than Cloudflare-specific names. The endpoint identifies Cloudflare R2 usage: https://<ACCOUNT_ID>.r2.cloudflarestorage.com.
Cloudflare Access Service Token
cloudflare / access-service-token
Cloudflare Access service tokens are machine-to-machine credentials made of a client_id and client_secret. Cloudflare Access accepts them in CF-Access-Client-Id and CF-Access-Client-Secret headers and returns an application-scoped authorization cookie when valid.
Looks like
exampleXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.accessXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXLocation
CF-Access-Client-Id, CF-Access-Client-SecretCF_ACCESS_CLIENT_ID, CF_ACCESS_CLIENT_SECRETservice-to-service clients, uptime probes, CI jobs, deployment scripts
.env, Kubernetes manifests, reverse-proxy config, monitoring config
CI/CD variables, cloud secret managers, Kubernetes Secrets
HTTP client debug logs and reverse-proxy logs containing Access headers
Notes
Client ID alone is not sufficient; the client secret is the sensitive half. The pair grants non-interactive access to protected applications according to the Access policy that trusts the service token.
Cloudflare Tunnel Token
cloudflare / cloudflare-tunnel-token
Remotely managed Cloudflare Tunnels use a generated tunnel token passed to cloudflared so the connector can enroll and run the tunnel without a browser login on the host.
Location
TUNNEL_TOKEN, CLOUDFLARE_TUNNEL_TOKENcloudflared service units, Docker Compose files, Kubernetes manifests, systemd drop-ins
container images or VM images built with cloudflared run commands or token env vars
deployment bundles, bootstrap scripts, CI logs, copied tunnel run commands
Kubernetes Secrets, CI/CD variables, cloud secret managers
process listings, service manager logs, shell histories, and cloudflared debug output
Notes
A leaked tunnel token can let another connector join or impersonate the tunnel depending on tunnel configuration and token validity. Treat copied cloudflared run commands as credential-bearing artifacts.
Origin CA Private Key
cloudflare / origin-ca-private-key
Cloudflare Origin CA certificates are installed on origin servers to authenticate the origin to Cloudflare. The private key generated with the certificate is the secret half and must be protected like any TLS private key.
Looks like
pattern-----BEGIN (RSA |EC |)PRIVATE KEY-----Location
origin web server TLS key files, reverse-proxy config, Kubernetes TLS Secrets
certificate managers, Kubernetes Secrets, cloud secret managers
accidentally committed origin certificate bundles or deployment examples
server backups, certificate export archives, configuration bundles
Notes
The public Origin CA certificate is not secret; the private key is. A leaked key can allow impersonation of the configured origin certificate where the corresponding certificate is trusted by Cloudflare.
Workers Secret Binding
cloudflare / workers-secret-binding
Cloudflare Workers secrets store sensitive values such as API keys, tokens, and passwords as encrypted environment-variable-like bindings. Cloudflare documents that secrets are not visible in Wrangler or the dashboard after definition, while the value is passed to the Worker at runtime.
Location
Cloudflare Workers secret bindings managed by Wrangler or the dashboard
available to Worker code as environment bindings at runtime
wrangler commands, local dev vars, tests, or examples that accidentally embed secret values
Wrangler configuration declaring required secret names; local .dev.vars and .env files may contain development copies
Worker logs or local development output that prints secret binding values
Notes
Workers secrets are a storage location for arbitrary credentials, not a single Cloudflare-generated format. The secret name belongs in location or context; the leaked value should be classified by the underlying credential type when recognizable.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.