--- title: API token template URLs description: Generate Cloudflare API tokens with pre-configured permissions using template URLs. Learn how to create and customize template URLs for any use case. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/fundamentals/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # API token template URLs Use template URLs to generate Cloudflare API tokens with pre-configured permissions. Template URLs allow you to share token requirements with users without manually selecting permissions in the dashboard. Template URLs use query parameters to pre-fill the API token creation page in the Cloudflare dashboard. When a user opens a template URL, the dashboard automatically configures the specified permissions and settings. Cloudflare supports template URLs for both [user API tokens](#user-token-url-format) and [account API tokens](#account-token-url-format). For more information on the difference between these token types, refer to [Account API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/). Note Template URLs only pre-fill the token creation form. Users must still complete the token creation process in the dashboard. ## User token URL format User token template URLs open the token creation form at the user profile level (`/profile/api-tokens`). Tokens created this way are owned by the user. The basic template URL structure is: ``` https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=[ENCODED_PERMISSIONS]&accountId=*&zoneId=all&name=[TOKEN_NAME] ``` ### URL components | Parameter | Required | Description | | ------------------- | -------- | -------------------------------------------- | | permissionGroupKeys | Yes | URL-encoded JSON array of permission objects | | accountId | Yes | Account scope (use \* for all accounts) | | zoneId | Yes | Zone scope (use all for all zones) | | name | No | Pre-filled token name | ## Account token URL format Account token template URLs open the token creation form at the account level. Tokens created this way are owned by the account (service principal tokens) and are not tied to any individual user. Creating account tokens requires Super Administrator or Administrator permissions. The basic template URL structure is: ``` https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=[ENCODED_PERMISSIONS]&name=[TOKEN_NAME] ``` The `:account` segment is a placeholder. When a user opens the URL, the dashboard prompts them to select an account if they have access to more than one. ### URL components | Parameter | Required | Description | | ------------------- | -------- | -------------------------------------------- | | permissionGroupKeys | Yes | URL-encoded JSON array of permission objects | | name | No | Pre-filled token name | Note Account token template URLs do not use `accountId` or `zoneId` parameters. Resource scoping for account tokens is configured during token creation in the dashboard. ## Permission format Both user token and account token template URLs use the same permission encoding. Permissions are encoded as a JSON array with the following structure: ``` [{ "key": "permission_name", "type": "read|edit|revoke|run|purge" }] ``` ### Permission types | Type | Description | | ------ | ------------------------------------------ | | read | Read-only access | | edit | Full access (create, read, update, delete) | | revoke | Revoke permissions | | run | Execute permissions | | purge | Purge permissions | ## Create custom templates ### 1\. Identify required permissions List the permissions your use case needs. Refer to the [permission reference](#permission-reference) table. ### 2\. Create the permission JSON Format your permissions as a JSON array: ``` [ { "key": "dns", "type": "edit" }, { "key": "analytics", "type": "read" } ] ``` ### 3\. URL-encode the JSON Use a URL encoder to convert the JSON string: ``` %5B%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%5D ``` ### 4\. Build the complete URL For a **user token**, combine all components into the final template URL: ``` https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=[ENCODED_JSON]&accountId=*&zoneId=all&name=Custom%20Token ``` For an **account token**, use the account-level path instead: ``` https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=[ENCODED_JSON]&name=Custom%20Token ``` ## Permission reference Use this table to find permission keys for your custom templates. ### Account permissions | Permission key | Description | Common use cases | | -------------------- | --------------------- | ------------------------ | | account\_analytics | Account analytics | Reporting, monitoring | | account\_api\_tokens | API token management | Token automation | | account\_settings | Account configuration | Account management | | billing | Billing information | Cost tracking, invoicing | | workers\_scripts | Workers scripts | Serverless functions | | workers\_kv\_storage | Workers KV storage | Data storage | | workers\_routes | Workers routes | Traffic routing | | workers\_r2 | R2 storage | Object storage | | d1 | D1 database | SQL databases | | queues | Queues | Message queuing | | page | Cloudflare Pages | Page deployments | | stream | Stream | Video streaming | | images | Images | Image optimization | | logs | Logs | Log management | ### Zone permissions | Permission key | Description | Common use cases | | ---------------------- | -------------------- | ---------------------- | | dns | DNS records | Domain management | | zone | Zone management | Domain configuration | | zone\_settings | Zone settings | Zone configuration | | analytics | Zone analytics | Performance monitoring | | firewall\_services | Firewall rules | Security management | | page\_rules | Page rules | Traffic control | | cache | Cache purging | Content updates | | ssl\_and\_certificates | SSL/TLS certificates | Certificate management | ### Access permissions | Permission key | Description | Common use cases | | -------------------- | -------------------- | ------------------------- | | access | Access applications | Zero Trust apps | | access\_acct | Access organizations | Identity management | | access\_audit\_log | Access audit logs | Compliance, security | | access\_custom\_page | Custom pages | Branding, user experience | | teams | Zero Trust | Gateway, CASB, DLP | ## Common permission templates Use these ready-to-use template URLs for common scenarios. Each example provides both a user token URL and an account token URL. ### DNS management Create tokens for DNS record management. #### User token | Use case | Template URL | | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | DNS read-only | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=DNS%20Read%20Token | | DNS read/write | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=DNS%20Management%20Token | #### Account token | Use case | Template URL | | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | DNS read-only | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22read%22%7D%5D&name=DNS%20Read%20Token | | DNS read/write | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22dns%22%2C%22type%22%3A%22edit%22%7D%5D&name=DNS%20Management%20Token | ### Workers development Create tokens for Workers, KV storage, and related services. #### User token | Use case | Template URL | | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Workers scripts only | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Workers%20Scripts%20Token | | Workers full access | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_kv\_storage%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_routes%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Workers%20Full%20Access%20Token | #### Account token | Use case | Template URL | | -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Workers scripts only | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%5D&name=Workers%20Scripts%20Token | | Workers full access | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22workers\_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_kv\_storage%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers\_routes%22%2C%22type%22%3A%22edit%22%7D%5D&name=Workers%20Full%20Access%20Token | ### Analytics and monitoring Create tokens for accessing analytics and logs. #### User token | Use case | Template URL | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Account analytics | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account\_analytics%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Account%20Analytics%20Token | | Zone analytics | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Zone%20Analytics%20Token | #### Account token | Use case | Template URL | | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Account analytics | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22account\_analytics%22%2C%22type%22%3A%22read%22%7D%5D&name=Account%20Analytics%20Token | | Zone analytics | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22analytics%22%2C%22type%22%3A%22read%22%7D%5D&name=Zone%20Analytics%20Token | ### Zero Trust administration Create tokens for Cloudflare Zero Trust management. #### User token | Use case | Template URL | | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Access applications read | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22read%22%7D%5D&accountId=%2A&zoneId=all&name=Access%20Read%20Token | | Access full management | https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22access\_acct%22%2C%22type%22%3A%22edit%22%7D%5D&accountId=%2A&zoneId=all&name=Access%20Management%20Token | #### Account token | Use case | Template URL | | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Access applications read | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22read%22%7D%5D&name=Access%20Read%20Token | | Access full management | https://dash.cloudflare.com/?to=/:account/api-tokens&permissionGroupKeys=%5B%7B%22key%22%3A%22access%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22access\_acct%22%2C%22type%22%3A%22edit%22%7D%5D&name=Access%20Management%20Token | ## Best practices Follow these guidelines when creating and sharing template URLs. * Principle of least privilege: Only request the minimum permissions necessary for your use case. This reduces security risks if a token is compromised. * Use descriptive token names: Include clear, descriptive names in your template URLs to help users understand the token's purpose. * Document token usage: Provide clear documentation about what each token is used for and how to revoke it when no longer needed. * Regular token rotation: Encourage users to regularly rotate tokens and review permissions. * Test before sharing: Always test template URLs in a staging environment before sharing them with users. ## Troubleshooting Review the list of common issues and solutions. | Issue | Solution | | --------------------------------- | --------------------------------------------------------- | | URL does not pre-fill permissions | Verify the JSON is properly URL-encoded | | Permissions are missing | Check permission keys in the reference table | | Token name does not appear | Ensure the name parameter is URL-encoded | | Access denied error | Verify the user has required permissions in their account | Additionally, review the checklist before sharing a template URL. * All permission keys are correct * JSON syntax is valid * URL encoding is proper * Token name is descriptive * Permissions follow least privilege principle ## Related resources * [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) * [Create API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) * [Account API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) * [API authentication](https://developers.cloudflare.com/fundamentals/api/how-to/make-api-calls/) ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/fundamentals/","name":"Cloudflare Fundamentals"}},{"@type":"ListItem","position":3,"item":{"@id":"/fundamentals/api/","name":"Cloudflare's API"}},{"@type":"ListItem","position":4,"item":{"@id":"/fundamentals/api/how-to/","name":"How to"}},{"@type":"ListItem","position":5,"item":{"@id":"/fundamentals/api/how-to/account-owned-token-template/","name":"API token template URLs"}}]} ```