The Credentials and Secrets DLP profile now includes three new predefined entries for detecting Cloudflare API credentials:
| Entry name | Token prefix | Detects |
| --- | --- | --- |
| Cloudflare User API Key | cfk_ | User-scoped API keys |
| Cloudflare User API Token | cfut_ | User-scoped API tokens |
| Cloudflare Account Owned API Token | cfat_ | Account-scoped API tokens |
These detections target the new Cloudflare API credential format, which uses a structured prefix and a CRC32 checksum suffix. The identifiable prefix makes it possible to detect leaked credentials with high confidence and low false positive rates — no surrounding context such as Authorization: Bearer headers is required.
Credentials generated before this format change will not be matched by these entries.
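A local counterpart to this prefix-based detection, for scanning logs or config files before they are shared. This is an added example, not Cloudflare's detection logic: the prefixes and entry names come from this page, while the body alphabet and minimum length are assumptions, and the CRC32 suffix is not verified because the page does not describe its encoding.

```python
import re

# Prefixes and entry names as listed on this page.
PREFIXES = {
    "cfk_": "Cloudflare User API Key",
    "cfut_": "Cloudflare User API Token",
    "cfat_": "Cloudflare Account Owned API Token",
}

# ASSUMPTION: the page does not state the body alphabet or length, so this
# accepts 20 or more URL-safe characters after the prefix. The lookbehind
# stops a prefix from matching in the middle of a longer identifier.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])(cfk_|cfut_|cfat_)([A-Za-z0-9_-]{20,})")


def redact(token, keep=4):
    """Keep the prefix and last few characters so a finding can be triaged
    without copying the full credential into the report."""
    prefix = token[: token.index("_") + 1]
    return f"{prefix}...{token[-keep:]}"


def scan(text):
    """Return one finding per match: line number, entry name, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            findings.append(
                {"line": lineno, "entry": PREFIXES[m.group(1)], "match": redact(m.group(0))}
            )
    return findings


def scrub(text):
    """Return the text with every matched credential replaced by its redacted form."""
    return TOKEN_RE.sub(lambda m: redact(m.group(0)), text)


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
curl -H 'Authorization: Bearer cfut_EXAMPLEexampleEXAMPLEexample0000' https://api.example.test
export CF_KEY=cfk_EXAMPLEexampleEXAMPLEexample1111
api_token = "cfat_EXAMPLEexampleEXAMPLEexample2222"
legacy token 0123456789abcdef0123456789abcdef01234567
note: the cfat_ prefix marks account-owned tokens
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The legacy-style value on line 4 of the sample is not reported, which mirrors the limitation stated above for credentials that predate the new format.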
1. In the Cloudflare dashboard, go to Zero Trust > DLP > DLP Profiles.
2. Select the Credentials and Secrets profile.
3. Turn on one or more of the new Cloudflare API token entries.
4. Use the profile in a Gateway HTTP policy to log or block traffic containing these credentials.
Example policy:
| Selector | Operator | Value | Action |
| --- | --- | --- | --- |
| DLP Profile | in | Credentials and Secrets | Block |
You can also enable individual entries to scope detection to specific credential types — for example, enabling Account Owned API Token detection without enabling User API Key detection.
For more information, refer to predefined DLP profiles.
Fetched April 16, 2026