AccountApiToken

Source: src/Cloudflare/ApiToken/AccountApiToken.ts

A Cloudflare account-owned API token (POST /accounts/{account_id}/tokens).

Account-owned tokens are managed at the account level and persist independently of any single user. Use these for CI tokens, third-party integrations, or anywhere the token should outlive an individual user’s session.

Creating account-owned tokens requires the caller to have the API Tokens > Write account permission.

const token = yield* Cloudflare.AccountApiToken("ci-token", {
  name: "my-ci-token",
  accountId,
  policies: [
    {
      effect: "allow",
      permissionGroups: [
        "Workers Scripts Write",
        "Workers KV Storage Write",
      ],
      resources: { [`com.cloudflare.api.account.${accountId}`]: "*" },
    },
  ],
});
yield* GitHub.Secret("cf-api-token", {
  owner: "me",
  repository: "my-repo",
  name: "CLOUDFLARE_API_TOKEN",
  value: token.value,
});

A token can be created with no policies of its own; the policies are supplied through its binding contract (see ApiTokenBinding). This is how capabilities like CreateTunnel provision a least-privilege token.

const token = yield* Cloudflare.AccountApiToken("scoped-token");
yield* token.bind("MyCapability", {
  policies: [
    {
      effect: "allow",
      permissionGroups: ["Cloudflare Tunnel Write"],
      resources: { [`com.cloudflare.api.account.${accountId}`]: "*" },
    },
  ],
});
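
A pre-deploy check in the spirit of the least-privilege policies above, as an added example that is not part of this library: it audits policy objects of the shape shown on this page against a reviewer-supplied allowlist and the single expected account. The function name `auditPolicies`, the allowlist, the wildcard resource key and the account ID are constructed for illustration.

```typescript
// Policy shape copied from the examples on this page; everything else is hypothetical.
type Policy = {
  effect: "allow" | "deny";
  permissionGroups: string[];
  resources: Record<string, string>;
};

// Returns one finding per grant that exceeds what the reviewer expects.
// `allowedGroups` is the reviewer's allowlist for this token (an assumption of this example).
function auditPolicies(
  policies: Policy[],
  accountId: string,
  allowedGroups: string[],
): string[] {
  const findings: string[] = [];
  const expectedResource = `com.cloudflare.api.account.${accountId}`;
  policies.forEach((policy, i) => {
    if (policy.effect !== "allow") return; // deny policies cannot widen access
    for (const group of policy.permissionGroups) {
      if (!allowedGroups.includes(group)) {
        findings.push(`policy[${i}]: unexpected permission group "${group}"`);
      }
    }
    for (const resource of Object.keys(policy.resources)) {
      if (resource !== expectedResource) {
        findings.push(`policy[${i}]: resource "${resource}" is outside account ${accountId}`);
      }
    }
  });
  return findings;
}

// Constructed sample input: a CI token that has drifted beyond its intended scope.
const sampleAccountId = "0123456789abcdef0123456789abcdef"; // placeholder, not a real account
const drifted: Policy[] = [
  {
    effect: "allow",
    permissionGroups: ["Workers Scripts Write", "Cloudflare Tunnel Write"],
    resources: { "com.cloudflare.api.account.*": "*" }, // constructed wildcard scope
  },
];
const ciAllowlist = ["Workers Scripts Write", "Workers KV Storage Write"];
const sampleFindings = auditPolicies(drifted, sampleAccountId, ciAllowlist);
console.log(sampleFindings);
```

Running a check like this in CI before the token is created or rotated turns scope drift into a failed build instead of a silently broader credential.
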

Bind the token’s outputs in the Worker’s Init phase to get runtime accessors. Binding token.value injects it as a secret_text Worker binding; the returned accessor reads it back (as Redacted) at runtime.

// init
const value = yield* token.value; // Accessor<Redacted<string>>
const accountId = yield* token.accountId; // Accessor<string>
return {
  fetch: Effect.gen(function* () {
    const apiToken = yield* value; // Redacted<string>
    // ... call the Cloudflare API with `apiToken`
    return HttpServerResponse.text("ok");
  }),
};