
UserApiToken

Source: src/Cloudflare/ApiToken/UserApiToken.ts

A Cloudflare user-owned API token (POST /user/tokens).

User-owned tokens are tied to the authenticated user’s identity. They can be created by any authenticated user (including OAuth-derived sessions from alchemy login) without needing the account-level API Tokens > Write permission, but they are also revoked if the user leaves the account.

For CI tokens, prefer AccountApiToken so the token survives personnel changes.

Policy resources are passed through verbatim — no accountId rewriting is performed because user tokens aren’t bound to a single account.

const token = yield* Cloudflare.UserApiToken("personal-token", {
  name: "my-personal-token",
  policies: [
    {
      effect: "allow",
      permissionGroups: ["Workers Scripts Read"],
      resources: { [`com.cloudflare.api.account.${accountId}`]: "*" },
    },
  ],
});
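Because policy resources reach Cloudflare exactly as written, a pre-deploy check on the resource keys catches a wildcard or a wrong account before the token is minted. The following is an added example, not code from alchemy: `auditPolicies` and `Finding` are hypothetical names, the `Policy` type mirrors the shape shown above, and the " Read" suffix test is a naming heuristic assumed from the page's example.

```typescript
// Added example, not alchemy's code. `Policy` mirrors the policy shape on this page;
// `auditPolicies` and `Finding` are hypothetical names.
interface Policy {
  effect: "allow" | "deny";
  permissionGroups: string[];
  resources: { [key: string]: string };
}
interface Finding { policy: number; issue: string }

const ACCOUNT_PREFIX = "com.cloudflare.api.account.";

function auditPolicies(policies: Policy[], allowedAccountIds: string[]): Finding[] {
  const findings: Finding[] = [];
  policies.forEach((p, i) => {
    if (p.effect !== "allow") return; // deny policies only remove access
    const keys = Object.keys(p.resources);
    if (keys.length === 0) findings.push({ policy: i, issue: "allow policy has no resources" });
    keys.forEach((key) => {
      const id = key.indexOf(ACCOUNT_PREFIX) === 0 ? key.slice(ACCOUNT_PREFIX.length) : null;
      if (id === null) findings.push({ policy: i, issue: `non-account resource key, review manually: ${key}` });
      else if (id === "*") findings.push({ policy: i, issue: "resource key covers every account" });
      else if (allowedAccountIds.indexOf(id) === -1) findings.push({ policy: i, issue: `resource outside allow-listed accounts: ${key}` });
    });
    // Heuristic (assumption): a group name that does not end in " Read" grants more than read.
    p.permissionGroups.forEach((g) => {
      if (!/ Read$/.test(g)) findings.push({ policy: i, issue: `non-read permission group: ${g}` });
    });
  });
  return findings;
}

// Constructed sample input; the account id is a placeholder, not a real account.
const ciAccount = "00000000000000000000000000000001";
const samplePolicies: Policy[] = [
  { effect: "allow", permissionGroups: ["Workers Scripts Read"],
    resources: { [`${ACCOUNT_PREFIX}${ciAccount}`]: "*" } },
  { effect: "allow", permissionGroups: ["Workers Scripts Write"],
    resources: { [`${ACCOUNT_PREFIX}*`]: "*" } },
];
auditPolicies(samplePolicies, [ciAccount]).forEach((f) => console.log(`policy[${f.policy}]: ${f.issue}`));
```

Run it against the same `policies` array that is passed to `UserApiToken` or `token.bind`, and fail the deploy when the returned list is not empty.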

A token can be created with no policies of its own; the policies are supplied through its binding contract (see ApiTokenBinding).

const token = yield* Cloudflare.UserApiToken("scoped-token");
yield* token.bind("MyCapability", {
  policies: [
    {
      effect: "allow",
      permissionGroups: ["Workers Scripts Read"],
      resources: { [`com.cloudflare.api.account.${accountId}`]: "*" },
    },
  ],
});

Bind the token’s value output in the Worker’s Init phase to get a runtime accessor. Binding it injects a secret_text Worker binding; the returned accessor reads it back (as Redacted) at runtime.

// init
const value = yield* token.value; // Accessor<Redacted<string>>
return {
  fetch: Effect.gen(function* () {
    const apiToken = yield* value; // Redacted<string>
    // ... call the Cloudflare API with `apiToken`
    return HttpServerResponse.text("ok");
  }),
};