- API Token (Recommended)
- API Key and Email (Legacy)
Required Permissions
Prowler requires read-only access to your Cloudflare zones and their settings. The following permissions are needed:

| Permission | Description |
|---|---|
| Zone:Read | Read access to zone settings and configurations |
| Zone Settings:Read | Read access to zone security settings (SSL/TLS, HSTS, etc.) |
| DNS:Read | Read access to DNS records (for DNSSEC checks) |
API Token (Recommended)
API Tokens are the recommended authentication method because they:
- Can be scoped to specific permissions and zones
- Are more secure than global API keys
- Can be easily rotated without affecting other integrations
Step 1: Create an API Token
- Log into Cloudflare Dashboard
  - Go to https://dash.cloudflare.com and sign in
- Navigate to API Tokens
  - Click on your profile icon in the top right corner
  - Select My Profile
  - Click on the API Tokens tab
- Create a Custom Token
  - Click Create Token
  - Select Create Custom Token (at the bottom)
- Configure Token Permissions
  - Give your token a descriptive name (e.g., “Prowler Security Scanner”) and add the required permissions listed above.
- Set Zone Resources
  - Under Zone Resources, select either:
    - Include → All zones (to scan all zones in your account)
    - Include → Specific zone (to limit access to specific zones)
- Create and Copy Token
  - Click Continue to summary
  - Review the permissions and click Create Token
  - Copy the token immediately - Cloudflare will only show it once
Step 2: Store the Token Securely
Store your API token in the CLOUDFLARE_API_TOKEN environment variable.
API Key and Email (Legacy)
API Keys provide full access to your Cloudflare account. While supported, this method is less secure than API Tokens because it grants broader permissions.
Step 1: Get Your API Key
- Log into Cloudflare Dashboard
  - Go to https://dash.cloudflare.com and sign in
- Navigate to API Tokens
  - Click on your profile icon in the top right corner
  - Select My Profile
  - Click on the API Tokens tab
- View Global API Key
  - Scroll down to the API Keys section
  - Click View next to Global API Key
  - Enter your password to reveal the key
  - Copy the API key
Step 2: Store Credentials Securely
Store both your API key and email as environment variables (CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL).
The email must be the same email address used to log into your Cloudflare account.
Best Practices
Security Recommendations
- Use API Tokens instead of API Keys - Tokens can be scoped to specific permissions
- Use environment variables - Never hardcode credentials in scripts or commands
- Rotate credentials regularly - Create new tokens periodically and revoke old ones
- Use least privilege - Only grant the minimum permissions needed
- Monitor token usage - Review the Cloudflare audit log for suspicious activity
Troubleshooting
“Missing X-Auth-Email header” Error
This error occurs when using API Key authentication without providing the email address. Ensure both CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL are set.
“Authentication error” or “Permission denied”
- Verify your API Token or API Key is correct and not expired
- Check that your token has the required permissions
- Ensure your token has access to the zones you’re trying to scan
“Both API Token and API Key and Email credentials are set”
This warning appears when all three environment variables are set:
- CLOUDFLARE_API_TOKEN
- CLOUDFLARE_API_KEY
- CLOUDFLARE_API_EMAIL
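
A preflight check for the environment variables covered on this page, as an added example that is not part of Prowler or its documentation: it reports which authentication method the current shell is set up for without printing any secret value. The function names and the state labels they return are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Prowler code). Uses only the three variable names from
# this page; function names and state labels are assumptions for illustration.
# Secret values are never echoed, only which variables are set.

cloudflare_auth_mode() {
    t=0; k=0; e=0
    if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then t=1; fi
    if [ -n "${CLOUDFLARE_API_KEY:-}" ]; then k=1; fi
    if [ -n "${CLOUDFLARE_API_EMAIL:-}" ]; then e=1; fi
    case "$t$k$e" in
        111) echo both ;;            # all three set: the warning case
        1??) echo token ;;           # scoped API token (recommended)
        011) echo key_email ;;       # legacy global key plus account email
        010) echo missing_email ;;   # leads to "Missing X-Auth-Email header"
        001) echo missing_key ;;
        *)   echo none ;;
    esac
}

# Returns 0 when a usable credential set is present, 1 otherwise.
cloudflare_preflight() {
    mode=$(cloudflare_auth_mode)
    case "$mode" in
        token) return 0 ;;
        key_email)
            echo "note: legacy API key in use; a scoped API token is recommended" >&2
            return 0 ;;
        both)
            # The page describes this state as a warning, so it is not fatal here.
            echo "warning: token and key/email are all set; unset the method you do not intend to use" >&2
            return 0 ;;
        missing_email)
            echo "error: CLOUDFLARE_API_KEY is set but CLOUDFLARE_API_EMAIL is not" >&2
            return 1 ;;
        missing_key)
            echo "error: CLOUDFLARE_API_EMAIL is set but CLOUDFLARE_API_KEY is not" >&2
            return 1 ;;
        *)
            echo "error: no Cloudflare credentials found in the environment" >&2
            return 1 ;;
    esac
}
```

Source the file and call `cloudflare_preflight` before starting a scan; a non-zero status means the credential set is incomplete.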

