Securing non-human identities: automated revocation, OAuth, and scoped permissions

Justin Hutchings, Adam Bouhmad, Rebecca Varley

AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.

Securing Non-Human Identities with Cloudflare

Cloudflare has introduced updates to address the growing need for securing non-human identities, including agents, scripts, and third-party tools that act on behalf of developers. The company has identified three core pillars to secure identities: Principals (the identity itself), Credentials (proof of that identity), and Policies (what that identity is allowed to do). To protect credentials, Cloudflare is introducing scannable tokens, which can be automatically revoked if leaked. The company is also providing OAuth visibility to manage principals and resource-scoped RBAC to fine-tune policies.

Practical Implications for Developers

Developers can benefit from Cloudflare's updates in several ways:

  1. Leaked token detection: Cloudflare's partnership with GitHub and other credential scanning tools can help detect and revoke leaked tokens before they can be used maliciously.
  2. OAuth visibility: Cloudflare's OAuth visibility feature allows developers to manage which applications have access to their principals.
  3. Resource-scoped RBAC: Cloudflare's resource-scoped RBAC feature enables developers to fine-tune their policies and ensure that even verified identities can only access specific resources.

Key Technical Details

  • Cloudflare's scannable tokens are designed to be automatically revoked if leaked.
  • The company is partnering with GitHub and other credential scanning tools to detect and revoke leaked tokens.
  • Cloudflare's OAuth visibility feature provides a centralized management console for developers to manage which applications have access to their principals.
  • Resource-scoped RBAC allows developers to fine-tune their policies and ensure that even verified identities can only access specific resources.
