API token does not appear to be valid.
-
I have the appropriate API token setup with the correct permissions, but getting the error
"App For Cloudflare® error:
API token does not appear to be valid."
-
Internally the error means that the API call to verify the token has failed. Reasons I think that of that could potentially cause this:
- The API token itself is wrong (like part of it was missing when you copied it somehow)
- When the API token was created, secondary restrictions were applied:
- Client IP Address Filtering (should be left blank unless you have a very specific reason to not)
- TTL (also should be left blank unless you have a reason unique to you for not leaving it blank)
You may want to delete the existing token and just create a new one… While I’ve never heard of it, I suppose there’s a chance it got mucked on Cloudflare’s side somehow. Again, never heard of it, but it’s also very easy to create a new one.
If you have shell access on your server, it might be worth running a cURL command (to see if a basic network connection/request is throwing any errors) just to make sure your server can communicate with the Cloudflare API:
curl https://api.cloudflare.com -vI’ll do some more debugging. Have you thought about putting in some sort of debugging, logging or verify the token works and has the appropriate permissions? Might help.
Well, it’s more or less what it’s doing… it makes the call to the API that is only to verify if the token is valid (and that’s the part that’s failing here).
Unfortunately it’s a bit of a catch-22 to do something like check specifically what’s wrong with the token, because that would require the token to work in order to retrieve details *about* the token.
That being said, I am already working on seeing if we can sort out at least if it’s a token issue or something with the server (like an old version of cURL that doesn’t support TLS 1.2 or TLS 1.3). But if it’s a token issue, we are kind of blind since we need a valid token in order to look at permissions/details on the token itself.
Just out of curiosity, if you run this from a shell, does it give you any sort of error message or anything?
curl https://api.cloudflare.com/client/v4/user/tokens/verify -H 'Authorization: Bearer YOUR-API-TOKEN-HERE'It fails
{"success":false,"errors":[{"code":1000,"message":"Invalid API Token"}],"messages":[],"result":null}%Which I believe is suppose to happen on the endpoint /user/tokens/verify, you would have to use the following curl command to verify the token.
curl "https://api.cloudflare.com/client/v4/accounts/<accountid>/tokens/verify" -H "Authorization: Bearer <token>"Sorry, this is because it’s an account owned token. That’s the issue 🙁 So the token works, just the verification method you’re using doesn’t work for account owned. You could provide a checkbox for account owned and then ask for the account ID?
-
This reply was modified 10 months, 2 weeks ago by
jordantrizz.
Account Token support is on the “future to-do” list once Cloudflare has better support for them. But right now some of the permissions/endpoints needed for the plugin aren’t supported with Account Tokens (yet… hopefully Cloudflare sorts that out before too long). But as of today, they aren’t fully supporting them yet:
…so for now, we are needing to use user tokens.
I scripted the creation of the account owned token and didn’t have an issue added all that is required for the plugin 🙁
The issue is certain functions that the plugin uses aren’t supported by account tokens yet (see previous link). Things like Page Rules, Super Bot Fight Mode, Turnstile, Zero Trust, Intel Tools, etc.
I hope they get full support for account tokens, but it’s not there yet.
Even though you can set permissions on the account tokens, Cloudflare hasn’t got all the APIs working with them yet. The notice at the top of the page when manually creating an account token is still valid:
“Not all APIs are guaranteed to support usage of Account Owned Tokens. Supported APIs are listed in the developer documentation.”
And most specifically, they have the compatibility matrix published here: https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/#compatibility-matrix
Ah I see. I moved to your plugin from https://ww.wp.xz.cn/plugins/wp-cloudflare-page-cache/ as it was working fine with AO tokens. Having over 1000+ domains under management under other accounts require that the account own creates the token 🙁 which sucks.
I was looking into possibly using a Cloudflare Worker with OAuth to create a custom token. But I don’t think that’s possible. There is also something I found about crafting a URL to create a token.https://dash.cloudflare.com/profile/api-tokens/custom/create?name=MyAppToken&permissions[]=com.cloudflare.api.account.zone.read&permissions[]=com.cloudflare.api.account.dns.writeBut can’t find any documentation.
Ya… if other plugins are working okay with account tokens, it’s because they aren’t doing anything with the services that Cloudflare hasn’t made work with account tokens yet. I know account tokens work and it’s not hard to use them instead of user tokens, but we are just in a situation right now where some of the API endpoints for services that *this* plugin uses (things like Turnstile, Zero Trust, etc.) aren’t working yet on Cloudflare’s side. Unfortunately there’s really nothing we can do about that except just wait for Cloudflare to update more of their services to support account owned tokens.
I’ve been keeping an eye on Cloudflare’s compatibility matrix so that when they add support for the services we use, we can make account tokens an option. But until they support them, there’s nothing we can do to work around that because Cloudflare just sees them as invalid tokens when making certain API calls that we utilize (it’s not an issue of changing endpoints, it’s just that Cloudflare’s side doesn’t authenticate with account tokens for certain things).
We use those same custom crafted URLs to help users create tokens, for example this is the link we give users to create the API token this plugin needs.
I totally understand an all in one plugin. So it totally makes sense. I use another plugin for Turnstile and Zero Trust is great but not something I’m doing right now. You could have the option of enable and disabling specific functions and flag account owned versus account tokens. But that doesn’t make sense.
I didn’t see anywhere in the admin where you were using the custom link, where is it?Ya, I certainly don’t love that I’m sitting just twiddling my thumbs waiting for Cloudflare so we can use account tokens, but it is what it is (unfortunately). There’s about 10 other things I’m waiting for Cloudflare to do something before I can implement in the future, so its not the only thing…
I don’t think it makes a lot of sense to cripple the existing functionality in order to use account tokens (I could also seeing that being a whole lot of support issues popping up if we let someone use an account token initially, but then not everything works because they went the account token route). I’m sure the missing services will be implemented by Cloudflare before too long (account tokens are a relatively new thing after all… introduced as a beta only 8 months ago, at the time they said they were shooting for Q3 2025 for all endpoints to work).
The custom link for token creation is the “API tokens” button in the area you enter your API token, but only if there’s no API token set. If there’s no API token it gives you the special link, if you have an API token already set, it will give you a link to your existing API tokens.
Yea, I’m confident account tokens will be on track as per their original estimate. Unlike their WordPress plugin 🙂
I agree with everything you’re saying, it doesn’t make sense to support account-owned tokens right now, especially if they’re going to be fully working by the end of the year. Have you considered adding a note in the error message stating that account-owned tokens aren’t supported? I’ll be honest, I didn’t RTFM, I just assumed, sorry about that.
I haven’t had a chance to review the plugin code. I’m wondering if I can use actions/hooks to disable parts of the plugin that aren’t supported with account-owned tokens, as well as the verify token portion and stop the error message being generated in error_log. Anyways, like you said, it’s not worth putting effort into anything if this will all be resolved end of the year.
Ah, I’ve never clicked the button without a token already entered; it’s not clear what the button does. In the cases where someone might use an account-owned token, and instead has to have a person click the button. It might be worthwhile to change the button to say “Create Cloudflare Token” and have it displayed all the time. With a secondary button that says “View Couldflare Tokens” and only displayed when a token is present in the Cloudflare Token field. However that might be more confusing.This has been by far the most helpful and engaging conversation I’ve had on the WordPress support forum. I really appreciate how responsive and thorough you’ve been — thank you for your time and support.
I’m not holding my breath for an absolute Q3 2025 date for all endpoints, but I’m crossing my fingers that at least the stuff this plugin uses will be ready by the end of the year. As far as Cloudflare’s official plugin, I saw a blurb from a support ticket where they finally said it’s no longer being maintained. They originally were supposed to support multiple platforms and some other stuff that never came to fruition. I guess this plugin is turning into what it probably should have been. It’s also not only for WordPress (XenForo too).
Yes, I’m thinking about something’s to add/minor changes to make things more clear (that account tokens aren’t ready yet). It’s always going to be better if people don’t *need* to read a manual, so things can be improved. Account tokens were kind of sprung on us by Cloudflare randomly one day, but then at the same time they weren’t quite ready for use, so…
It would need more hooks/actions than there current are to selectively disable large swaths of features like that. It probably would be more realistic to be done by extending and overwriting the classes (this plugin uses classes properly so really each method can be extended without needing to rely on a hook in every method). That being said, not going to be worth the effort since account tokens are right around the corner.
Yep, I’m actually not sure why it wasn’t already labeled “Create API token”. Had the same thought yesterday, so going to spend a little time digging/fixing that today.
No worries!
The topic ‘API token does not appear to be valid.’ is closed to new replies.
