
What the token can do

The Cloudflare API token is the only secret Flarelink holds (AES-256-GCM encrypted). It scopes exactly what Flarelink can touch in your account — nothing else. Here's every permission, why it's needed, and what Flarelink creates with it.

| Permission | Why | What Flarelink creates / does |
| --- | --- | --- |
| Account → Workers Scripts: Edit | Deploy your auth Worker | Uploads the source-available auth Worker to your account; attaches a custom domain when you ask. |
| Account → D1: Edit | Your database | Creates a D1 database, applies the auth schema, runs the reads/writes behind the table editor and SQL console. |
| Account → Workers KV Storage: Edit | Sessions | Creates a KV namespace for sessions (sessions live in KV, never D1). |
| Account → Workers R2 Storage: Edit | File storage | Creates and lists R2 buckets, applies CORS so browser uploads work. |
| User → API Tokens: Edit (optional) | One-click R2 keys | Mints a scoped, R2-only API token (your S3 access keypair). This is a token-minting permission — see the note below. |

Minimal-permissions setup. User → API Tokens: Edit can mint other tokens, so if you'd rather not grant it, leave it out. Connect still succeeds — Flarelink just disables one-click R2 keys. To use storage, create an R2 API token yourself (R2 → Manage R2 API Tokens in your Cloudflare dashboard) and paste the keypair on the Files page. There's no way to mint durable S3 keys on Cloudflare without a token-minting permission, which is why this is the one scope we made optional rather than required.

It stays auditable on your side.

  • Every R2 keypair Flarelink mints appears in your Cloudflare dashboard under My Profile → API Tokens, named flarelink-r2-…. You can view or revoke it any time — revoking it doesn't touch the rest of your setup.
  • Cloudflare's own account audit log independently records every API call made with the token — so you can verify what Flarelink did without taking our word for it.
  • Revoke the token entirely (in Cloudflare) and Flarelink loses all access instantly. Your deployed auth Worker, D1, KV, and R2 keep running — Flarelink is a control plane, never in your app's request path.
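One way to run that check yourself, as an added example (not Flarelink's or Cloudflare's code): it compares a token listing against the scopes in the table above and confirms every flarelink-r2-… key is R2-only. Assumptions: the input is JSON shaped like a Cloudflare token listing, the dashboard's "Edit" permissions appear under "… Write" names, and the control token name flarelink-control is hypothetical.

```python
import json

# Assumption: API responses name the dashboard's "Edit" permissions "... Write".
REQUIRED = {"Workers Scripts Write", "D1 Write",
            "Workers KV Storage Write", "Workers R2 Storage Write"}
MINTING = "API Tokens Write"          # the one optional, token-minting scope
MINTED_PREFIX = "flarelink-r2-"       # name prefix given on this page

def granted(token):
    """Permission-group names from the token's allow policies."""
    return {g["name"]
            for p in token.get("policies", []) if p.get("effect") == "allow"
            for g in p.get("permission_groups", [])}

def audit(tokens, control_name):
    """Return (token name, finding) pairs for anything outside the documented scopes."""
    findings = []
    for tok in tokens:
        name, perms = tok["name"], granted(tok)
        if name == control_name:
            for p in sorted(perms - REQUIRED - {MINTING}):
                findings.append((name, f"undocumented scope: {p}"))
            for p in sorted(REQUIRED - perms):
                findings.append((name, f"documented scope missing: {p}"))
            if MINTING in perms:
                findings.append((name, "optional token-minting scope is granted"))
        elif name.startswith(MINTED_PREFIX) and tok.get("status") == "active":
            for p in sorted(x for x in perms if not x.startswith("Workers R2")):
                findings.append((name, f"minted key is not R2-only: {p}"))
    return findings

# Constructed sample shaped like a token listing; names and values are made up.
SAMPLE = json.loads("""[
 {"name": "flarelink-control", "status": "active", "policies": [{"effect": "allow",
   "permission_groups": [{"name": "Workers Scripts Write"}, {"name": "D1 Write"},
     {"name": "Workers KV Storage Write"}, {"name": "Workers R2 Storage Write"},
     {"name": "API Tokens Write"}, {"name": "DNS Write"}]}]},
 {"name": "flarelink-r2-example", "status": "active", "policies": [{"effect": "allow",
   "permission_groups": [{"name": "Workers R2 Storage Write"}]}]},
 {"name": "flarelink-r2-odd", "status": "active", "policies": [{"effect": "allow",
   "permission_groups": [{"name": "Workers R2 Storage Write"}, {"name": "D1 Write"}]}]}
]""")

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "flarelink-control"):
        print(f"{name}: {finding}")
```

An empty result means the control token carries exactly the four required scopes and no minted key reaches beyond R2.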

For an in-dashboard record of what Flarelink has actually done with the token, see the Activity log. For how to verify the deployed Worker matches the published source, see the Trust & verification page.
