Added in: 5.17.0

Prowler for Cloudflare supports two authentication methods, both available in Prowler Cloud and Prowler CLI:
  • API Token (Recommended) — Scoped, least-privilege access to specific permissions and zones.
  • API Key and Email (Legacy) — Global access to the entire account using the Global API Key.
Use only one authentication method at a time. If both API Token and API Key + Email are set, Prowler uses the API Token and logs an error about the conflict.

Required Permissions

Prowler requires read-only access to Cloudflare zones and their settings. The following permissions must be configured when creating the API Token:
Resource | Permission       | Access | Description
---------|------------------|--------|------------
Account  | Account Settings | Read   | Required to list accounts and verify user identity
Zone     | Zone             | Read   | Required to list zones, rulesets, bot management, and SSL settings
Zone     | Zone Settings    | Read   | Required to read zone security settings (TLS, HSTS, WAF, etc.)
Zone     | DNS              | Read   | Required to read DNS records and DNSSEC status
Ensure the API Token has access to all zones targeted for scanning. Missing permissions may cause some checks to fail or return incomplete results.

API Token (Recommended)

User API Tokens are the recommended authentication method because they:
  • Can be scoped to specific permissions and zones
  • Are more secure than global API keys
  • Can be easily rotated without affecting other integrations
Create a User API Token, not an Account API Token. User API Tokens are created from the profile settings and offer finer permission control.

Step 1: Create a User API Token

  1. Log into the Cloudflare Dashboard.
  2. Click on the profile icon in the top right corner, then select “My Profile”.
  3. Click on the API Tokens tab.
  4. Click Create Token, then select Create Custom Token at the bottom of the page.
  5. Configure the token with the following settings:
    • Token name: A descriptive name (e.g., “Prowler Security Scanner”)
    • Permissions:
      • Account → Account Settings → Read
      • Zone → Zone → Read
      • Zone → Zone Settings → Read
      • Zone → DNS → Read
    • Zone Resources: Select either:
      • Include → All zones (to scan all zones in the account)
      • Include → Specific zone (to limit access to specific zones)
    [Screenshot: Token Permissions]
  6. Configure the Account Resources and Zone Resources, and optionally set a TTL for the token expiration. Click Continue to summary.
    [Screenshot: Token Resources and TTL]
  7. Review the permissions and click Create Token.
  8. Copy the token immediately.
Cloudflare only displays the token once. Copy it immediately and store it securely. If lost, a new token must be created.

Step 2: Provide the Token to Prowler

  • Prowler Cloud: Paste the token in the credentials form when configuring the Cloudflare provider.
  • Prowler CLI: Export the token as an environment variable:
export CLOUDFLARE_API_TOKEN="your-api-token-here"
prowler cloudflare

API Key and Email (Legacy)

API Keys provide full access to the Cloudflare account. While supported, this method is less secure than API Tokens because it grants broader permissions.

Step 1: Get the Global API Key

  1. Log into the Cloudflare Dashboard.
  2. Click on the profile icon in the top right corner, then select “My Profile”.
  3. Click on the API Tokens tab.
  4. Scroll down to the API Keys section.
  5. Click View next to Global API Key.
  6. Enter the account password to reveal the key, then copy it.

Step 2: Provide the Credentials to Prowler

  • Prowler Cloud: Enter the Global API Key and email in the credentials form when configuring the Cloudflare provider.
  • Prowler CLI: Export both values as environment variables:
export CLOUDFLARE_API_KEY="your-api-key-here"
export CLOUDFLARE_API_EMAIL="your-email@example.com"
prowler cloudflare
The email must match the email address used to log into the Cloudflare account.

Best Practices

  • Use API Tokens instead of API Keys — Tokens can be scoped to specific permissions and zones.
  • Use environment variables — Never hardcode credentials in scripts or commands.
  • Rotate credentials regularly — Create new tokens periodically and revoke old ones.
  • Use least privilege — Only grant the minimum permissions needed for scanning.
  • Monitor token usage — Review the Cloudflare audit log for suspicious activity.

Troubleshooting

“Missing X-Auth-Email header” Error

This error occurs when using API Key authentication without providing the email address. Ensure both CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL are set.

“Authentication error” or “Permission denied”

  • Verify the API Token or API Key is correct and not expired.
  • Check that the token has the required permissions.
  • Ensure the token has access to the zones targeted for scanning.

“Both API Token and API Key and Email credentials are set”

This warning appears when all three environment variables are set (CLOUDFLARE_API_TOKEN, CLOUDFLARE_API_KEY, CLOUDFLARE_API_EMAIL). To resolve, unset the credentials that are not needed:
# To use API Token only (recommended)
unset CLOUDFLARE_API_KEY
unset CLOUDFLARE_API_EMAIL

# Or to use API Key and Email only
unset CLOUDFLARE_API_TOKEN
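The three troubleshooting cases above (missing X-Auth-Email, conflicting credentials, and an expired or invalid token) can be caught before Prowler is launched. The following pre-flight script is an added example, not part of the Prowler documentation or code base. It assumes a POSIX shell and `curl`; the only external call is to Cloudflare's public token verification endpoint, `GET /client/v4/user/tokens/verify`, which reports whether a bearer token is valid and active. Treating token-plus-key as a conflict even when the e-mail is absent is this example's own choice, slightly broader than the "all three set" case the warning text describes.

```shell
#!/bin/sh
# Added example (not Prowler's own code): pre-flight check for the
# Cloudflare credential environment variables used by `prowler cloudflare`.

# Classify one credential set. Arguments: token key email (any may be empty).
# Prints exactly one of: token, key, conflict, key-missing-email, none
cloudflare_auth_mode() {
  token="$1"; key="$2"; email="$3"
  if [ -n "$token" ] && [ -n "$key" ]; then
    # Both methods configured: Prowler picks the token and reports the conflict.
    echo conflict
  elif [ -n "$token" ]; then
    echo token
  elif [ -n "$key" ] && [ -n "$email" ]; then
    echo key
  elif [ -n "$key" ]; then
    # Legacy key without its e-mail -> "Missing X-Auth-Email header"
    echo key-missing-email
  else
    echo none
  fi
}

# Print remediation for a mode; returns 0 only for a usable configuration.
cloudflare_auth_advice() {
  case "$1" in
    token) echo "OK: using API Token (recommended)"; return 0 ;;
    key)   echo "OK: using legacy API Key + Email"; return 0 ;;
    conflict)
      echo "Conflict: unset CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL (or unset CLOUDFLARE_API_TOKEN)"
      return 1 ;;
    key-missing-email)
      echo "Set CLOUDFLARE_API_EMAIL to the e-mail used to log into Cloudflare"
      return 1 ;;
    *)
      echo "No Cloudflare credentials set: export CLOUDFLARE_API_TOKEN"
      return 1 ;;
  esac
}

# Ask Cloudflare whether the token is valid and active before scanning.
# Needs curl and network access; -f makes HTTP 4xx (expired/invalid) fail.
cloudflare_verify_token() {
  curl -sS -f \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    https://api.cloudflare.com/client/v4/user/tokens/verify
}

# The full pre-flight runs only with --check, so the functions above can
# also be sourced from another script. Remaining arguments go to Prowler.
if [ "${1:-}" = "--check" ]; then
  shift
  mode=$(cloudflare_auth_mode "${CLOUDFLARE_API_TOKEN:-}" \
                              "${CLOUDFLARE_API_KEY:-}" \
                              "${CLOUDFLARE_API_EMAIL:-}")
  cloudflare_auth_advice "$mode" || exit 1
  if [ "$mode" = token ]; then
    cloudflare_verify_token || exit 1
  fi
  exec prowler cloudflare "$@"
fi
```

Usage: `sh cf-preflight.sh --check --account-id <your-account-id>` (the file name is a placeholder). With a conflicting environment the script stops with the same remediation the warning above calls for, and with a token it refuses to start the scan unless Cloudflare confirms the token is active.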

“Account not found” Error

This error occurs when a specified --account-id is not accessible with the current credentials. Verify the Account ID is correct and that the credentials have access to the target account.