June 24, 2026
Permission slip... or plot twist?
Cloudflare launched self-managed OAuth for all
Cloudflare opens the doors wider, and the crowd is already asking if this ends in chaos
TLDR: Cloudflare now lets all customers use a standard app-permission system for its services, making outside tools easier to connect and easier to cut off. Commenters instantly split between "finally, useful" and "this is how trusted infrastructure turns into an overgrown platform mess."
Cloudflare just made it easier for outside apps to ask users for permission to connect to their accounts, a move the company says will help people build smoother tools, automations, and business software. In plain English: instead of handing over clunky access keys, users can now click through a more familiar permission screen, see what an app wants, and yank that access later. Cloudflare also says it spent serious time upgrading the plumbing behind the scenes so this rollout wouldn’t melt down.
But the real show was in the comment section, where the mood swung from polite applause to full-on side-eye. One camp sees this as Cloudflare growing up into a bigger platform. The other camp hears alarm bells. Critics worried the company is drifting away from its original role of helping smaller sites survive the rough internet, with one commenter basically predicting a grim future of "bye bye Cloudflare free." Others were even harsher, calling the whole idea of letting third-party apps touch infrastructure accounts "ripe for abuses" and asking why a giant like Amazon hasn’t pushed the same model.
Then came the snark. One especially spicy reaction mocked the blog post itself as a victory lap for doing the bare minimum: "Congrats I guess for releasing something without burning the house down?" Another feared Cloudflare’s expanding menu of products could turn into a Google-style graveyard of abandoned experiments. So yes, Cloudflare shipped a useful new feature — but the comments turned it into a debate about trust, mission creep, and whether this is smart growth or the beginning of a very corporate identity crisis.
Key Points
- •Cloudflare launched self-managed OAuth for all customers, expanding a capability that had previously been limited to a small set of manually onboarded integrations.
- •The company said developers had often relied on API tokens for custom integrations, which were harder to manage and less suitable for delegated access flows.
- •Cloudflare updated its consent experience, added dashboard-based revocation, and made app ownership more visible to improve clarity and reduce phishing risk.
- •Cloudflare said its previous OAuth setup was not mature enough in permissions, consent, and abuse mitigation to support broad self-service usage.
- •To enable the rollout, Cloudflare upgraded its OAuth infrastructure built on Hydra and rewrote migration steps to reduce customer impact during schema changes.