Cloudflare's blog post on Securing non-human identities highlights how modern development relies on agents, scripts, and third-party tools, not just people, and stresses the need to manage their entire lifecycle, from credential handling to OAuth visibility and fine-grained permissions.
It describes how leaked tokens remain a major risk, noting that GitGuardian reports more than 28 million secrets were published to public GitHub repositories last year, with AI driving leaks 5x faster, and explains how Cloudflare’s partnership with GitHub acts as a global lost‑and‑found for credentials.
The update introduces scannable token formats to improve detection, with new formats such as cfk_[40 characters][checksum], cfut_[40 characters][checksum], and cfat_[40 characters][checksum], and explains how token revocation can be triggered when leaks are detected. It also details improvements to OAuth consent and revocation, giving users a central view of connected applications, their scopes, and the accounts they access, along with getting-started guidance and a reminder that the enhancements are available now.
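As an added example, not code from Cloudflare's post or its tooling, the following Python scanner shows why a fixed prefix makes a credential detectable in logs, config files, or repository content: it matches the three prefixed formats named above, reports each hit by line with the body redacted, and produces a scrubbed copy of the text. The post does not state the body alphabet or the checksum length or algorithm, so the base62 body and 6-character checksum here are assumptions, and the sample lines are constructed for the demo; the unprefixed 40-character string in the sample illustrates the kind of value a prefix-based scanner cannot attribute to any issuer.

```python
import re

# ASSUMPTION: the post gives only "<prefix>_[40 characters][checksum]". This
# example assumes a base62 body and a 6-character base62 checksum; adjust the
# pattern once the real alphabet and checksum length are known.
CF_TOKEN_RE = re.compile(r"\b(cfk|cfut|cfat)_([A-Za-z0-9]{40})([A-Za-z0-9]{6})\b")

# Constructed sample input (not real credentials): three prefixed tokens, one
# malformed value, and one unprefixed 40-character string.
SAMPLE_TEXT = "\n".join([
    "export CF_API_TOKEN=cfat_" + "a" * 40 + "Zz9Qx1",
    "user token: cfut_" + "B" * 40 + "000000",
    "key=cfk_" + "c1" * 20 + "abcdef",
    "not a token: cfat_short",
    "unprefixed value: " + "1234567890" * 4 + "   # no prefix, no attribution",
])


def find_tokens(text):
    """Return one record per prefixed token found: its prefix, the line it sits
    on, and a redacted form that keeps only the prefix, first four body chars
    and checksum (enough to correlate with a revocation, never to reuse)."""
    hits = []
    for m in CF_TOKEN_RE.finditer(text):
        prefix, body, checksum = m.groups()
        hits.append({
            "kind": prefix,
            "line": text.count("\n", 0, m.start()) + 1,
            "redacted": f"{prefix}_{body[:4]}...{checksum}",
        })
    return hits


def redact(text):
    """Replace every matched token with '<prefix>_[REDACTED]' so the text can be
    safely logged or attached to a ticket."""
    return CF_TOKEN_RE.sub(lambda m: f"{m.group(1)}_[REDACTED]", text)


if __name__ == "__main__":
    for hit in find_tokens(SAMPLE_TEXT):
        print(f"line {hit['line']}: {hit['kind']} token {hit['redacted']} -> revoke and rotate")
    print(redact(SAMPLE_TEXT))
```

In practice a detection like this belongs in a pre-commit hook or a CI secret-scanning step, and every hit should feed the revocation path the post describes rather than just a warning; the redacted form gives responders something to match against without copying the secret into a new location.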
Finally, Cloudflare expands resource‑level permissions and new roles to enable true least‑privilege access across account, zone, and specific resources, encouraging users to review tokens, OAuth apps, and permissions to reduce risk.