
Cloudflare opens OAuth to all developers, reduces API token requirement

blog.cloudflare.com · @vast_panther · 4 hours ago · Developer Tools

Cloudflare now allows any customer to create and manage OAuth clients for delegated API access, replacing the previous reliance on API tokens for custom integrations.

Tags: cloudflare, oauth, hydra, developer tools, api, migration

Cloudflare now lets any developer create OAuth clients for its API, ditching the old manual onboarding that forced everyone else to wrestle with API tokens. Until now, third-party OAuth was only available through a small number of manually onboarded partners like PlanetScale. Everyone else building custom integrations had to manage API tokens - a poor fit for delegated application flows and agentic tools.

Why Self-Managed OAuth Was a Missing Piece

Cloudflare's API serves 20% of the web, but its developer platform was stuck with a credential model designed for scripts, not apps. You could use Wrangler or partner integrations, but building your own SaaS integration meant handing out long-lived API tokens with no granular consent or easy revocation. Self-managed OAuth fixes that: developers can now offer a standard OAuth flow where customers grant scoped access directly, with clear consent screens and revocation from the dashboard.

Upgrading Hydra Without Breaking Existing Users

Under the hood, Cloudflare used Hydra, an open-source OAuth engine, deployed years ago. That setup worked for a handful of partners but couldn't scale to every customer. The team planned two sequential upgrades instead of one massive jump: first to Hydra 1.X, then to 2.X. The 1.X upgrade alone required extensive schema migrations that would have locked critical tables. They rewrote the SQL migrations to use CREATE INDEX CONCURRENTLY and built a custom version of Hydra that selected explicit columns instead of SELECT * - preventing deserialization issues from the schema changes.

For the 2.X upgrade, they chose a blue-green strategy. To keep writes enabled during the multi-hour migration, they increased token expiry to multiple hours so apps could keep using existing credentials. Critically, they needed to preserve revocations performed during the switch. They built a queue using Cloudflare Queues that captured each revocation event and drained it after the database flipped to the new version. That meant no lost revocations and no downtime for active users.
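A minimal model of the revocation replay described above, as an added example (not Cloudflare's or Hydra's code). The table layout, token ids and in-memory queue are constructed stand-ins for the real schema and for Cloudflare Queues.

```python
import sqlite3
from collections import deque

def make_db(tokens):
    """Constructed stand-in for one side (blue or green) of the token store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tokens (id TEXT PRIMARY KEY, active INTEGER NOT NULL)")
    db.executemany("INSERT INTO tokens VALUES (?, ?)", tokens)
    return db

def is_active(db, token_id):
    row = db.execute("SELECT active FROM tokens WHERE id = ?", (token_id,)).fetchone()
    return bool(row and row[0])  # unknown tokens are treated as inactive

def revoke(db, token_id):
    # Idempotent: revoking an unknown or already-revoked token changes nothing,
    # so replaying a duplicate event from the queue is safe.
    db.execute("UPDATE tokens SET active = 0 WHERE id = ?", (token_id,))

def snapshot(src):
    """Copy the source state as it was when the migration window opened."""
    return make_db(src.execute("SELECT id, active FROM tokens").fetchall())

def migrate_with_replay(blue, revocations_during_window):
    green = snapshot(blue)          # green is built from the pre-window state
    queue = deque()                 # hypothetical stand-in for the revocation queue
    for token_id in revocations_during_window:
        revoke(blue, token_id)      # blue keeps serving traffic during the migration
        queue.append(token_id)      # every revocation is also captured for replay
    # Tokens green would still accept if the queue were never drained.
    stale = sorted({t for t in revocations_during_window if is_active(green, t)})
    while queue:                    # drain after the flip to green
        revoke(green, queue.popleft())
    return green, stale

if __name__ == "__main__":
    # Constructed sample data: three live tokens, two revoked mid-migration.
    blue = make_db([("tok-a", 1), ("tok-b", 1), ("tok-c", 1)])
    green, stale = migrate_with_replay(blue, ["tok-b", "tok-c", "tok-b"])
    print("valid on green without replay:", stale)
    print("tok-b active on green after replay:", is_active(green, "tok-b"))
```

The `stale` list is the security-relevant output: it names the revoked tokens that the new database would have honoured had the captured events not been replayed.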

The result: a self-managed OAuth system that any developer can use today, backed by a migration that didn't drop a single authorization or revocation. Expect a wave of third-party integrations and agentic tools built on Cloudflare's API now that the OAuth bottleneck is gone.


Source: Cloudflare launched self-managed OAuth for all
Domain: blog.cloudflare.com
