Keyflare uses API keys for authentication. There are two types with different access levels.

Key Types

          User Key             System Key
Prefix    kfl_user_*           kfl_sys_*
Access    Full admin           Scoped to project:environment
Use for   Developers, admins   CI/CD, deployment scripts

User Email Tracking

When a key is created via the CLI, the Cloudflare account email of the creator is automatically recorded (via wrangler whoami). This is shown in the EMAIL column of kfl keys list. Keys created without a detectable email show -.

User Keys (kfl_user_*)

  • Full admin access to everything
  • Can manage all projects, environments, secrets, and other API keys
  • No scoping required — access to all resources
  • Use for: developers, admins, backup keys

System Keys (kfl_sys_*)

  • Scoped access to specific project:environment pairs
  • Can only read or write secrets within their scope
  • Cannot create projects, environments, or other keys
  • Use for: CI/CD pipelines, deployment scripts, runtime services

Permission Levels

Key type    Permission  Read Secrets  Write Secrets  Manage Projects  Manage Keys
User key
System key  read        ✅ (scoped)
System key  readwrite   ✅ (scoped)   ✅ (scoped)

Create API Keys

User Key

kfl keys create --type user --label "backup-admin"
# Output: kfl_user_b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7
The full key is shown only once. Save it securely — it cannot be retrieved again.

System Key

System keys require --scope and --permission flags:
# Read-only access to production
kfl keys create --type system \
  --label "github-actions-prod" \
  --scope "my-api:production" \
  --permission read

# Read-write access to all environments in a project
kfl keys create --type system \
  --label "dev-script" \
  --scope "my-api:*" \
  --permission readwrite

# Multiple scopes
kfl keys create --type system \
  --label "staging-deployer" \
  --scope "my-api:staging" \
  --scope "frontend:staging" \
  --scope "worker:staging" \
  --permission readwrite
The * wildcard must be quoted to prevent shell expansion:
# Correct
kfl keys create --type system --scope "my-api:*" --permission read

# Wrong (Zsh error: "no matches found")
kfl keys create --type system --scope my-api:* --permission read

Scope Format

Scopes follow the format project:environment:
Scope               Meaning
my-api:production   Access to production environment only
my-api:staging      Access to staging environment only
my-api:*            Access to ALL environments in my-api

List Keys

kfl keys list
Output:
PREFIX          TYPE    LABEL              EMAIL                  PERMISSION  SCOPES               CREATED
kfl_user_a1b2   user    bootstrap          alice@example.com      full        *                    2024-01-15
kfl_user_b2c3   user    backup-admin       bob@example.com        full        *                    2024-01-16
kfl_sys_c3d4    system  github-actions     alice@example.com      read        my-api:production    2024-01-16
kfl_sys_d4e5    system  dev-script         -                      readwrite   my-api:*             2024-01-17
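
The listing above is enough to run a least-privilege review. The following is an added example, not part of Keyflare's documentation or tooling: it assumes the columns are whitespace-separated as in the sample output, and the function names audit_keys and sample_keys and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: least-privilege review of `kfl keys list` output.
# Assumption: columns are whitespace-separated and ordered as in the sample
# on this page: PREFIX TYPE LABEL EMAIL PERMISSION SCOPES... CREATED.

audit_keys() {
  awk '
    $1 == "PREFIX" { next }   # header row
    NF < 7         { next }   # blank or malformed row
    {
      prefix = $1; type = $2; label = $3; email = $4; perm = $5
      # Fields between PERMISSION and CREATED are scopes; look for project:*
      wildcard = 0
      for (i = 6; i < NF; i++) { if (index($i, ":*")) wildcard = 1 }

      if (type == "user") {
        print "FULL-ADMIN", prefix, label          # unscoped, manages keys
      } else if (wildcard && perm == "readwrite") {
        print "WILDCARD-READWRITE", prefix, label  # writes to every environment
      } else if (wildcard) {
        print "WILDCARD-SCOPE", prefix, label      # reads every environment
      }
      if (email == "-") {
        print "NO-CREATOR-EMAIL", prefix, label    # no recorded creator
      }
    }
  '
}

# Constructed input: the sample rows shown above.
sample_keys() {
  cat <<'EOF'
PREFIX          TYPE    LABEL              EMAIL                  PERMISSION  SCOPES               CREATED
kfl_user_a1b2   user    bootstrap          alice@example.com      full        *                    2024-01-15
kfl_user_b2c3   user    backup-admin       bob@example.com        full        *                    2024-01-16
kfl_sys_c3d4    system  github-actions     alice@example.com      read        my-api:production    2024-01-16
kfl_sys_d4e5    system  dev-script         -                      readwrite   my-api:*             2024-01-17
EOF
}

# Live use would be: kfl keys list | audit_keys
sample_keys | audit_keys
```

FULL-ADMIN rows are not errors in themselves; they list the keys with access to everything, which is the set to keep smallest.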

Update System Keys

Update scopes and permissions for an existing system key:
# Add staging access (must include ALL scopes)
kfl keys put kfl_sys_c3d4 \
  --scope "my-api:production" \
  --scope "my-api:staging" \
  --permission read
kfl keys put replaces all existing scopes with the new set. Copy current scopes from kfl keys list and modify as needed.

Revoke Keys

kfl keys revoke kfl_sys_c3d4
Revocation is instant — the key can no longer authenticate.

Next Steps

Using Secrets

Inject secrets into CI/CD pipelines and runtime processes.

Security & Backup

Back up your master key and define your recovery strategy.