Cloudflare Launches Self‑Managed OAuth for All Developers
Enable self‑managed OAuth to allow delegated access for your integrations.
Configure OAuth clients, test delegated flows, and monitor token revocation.
Summary
Cloudflare announced self‑managed OAuth on June 3, 2026, enabling developers to create and manage their own OAuth clients for delegated access to the Cloudflare API. Prior to this, third‑party OAuth was limited to a handful of manually onboarded integrations, forcing developers to rely on API tokens that are harder to manage and unsuitable for delegated flows.
The new feature expands the OAuth consent experience, adds revocation in the dashboard, and makes app ownership visible to prevent phishing attacks. Underpinning the rollout is a major upgrade of the Hydra OAuth engine, moving from the legacy 0.X version to the latest 1.X release and planning a subsequent 2.X upgrade.
The 1.X upgrade required rewriting SQL migrations with CREATE INDEX CONCURRENTLY and selecting explicit columns to avoid SELECT * deserialization issues, and a blue‑green strategy was devised for the 2.X upgrade to minimize downtime. The upgrade plan includes a revocation replay queue using Cloudflare Queues, a copy‑and‑restore of the production database, targeted data cleanup, and simultaneous cutovers of Hydra and two internal systems.
After the 1.X cutover, refresh‑token errors increased due to stricter invalidation, which was mitigated by adding refresh‑token coalescing in the Worker and leveraging Hydra’s configurable grace period in 2.X. The final 2.X upgrade ran for roughly three hours, with careful monitoring and validation, and the new OAuth engine now supports self‑managed clients for all customers.
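The refresh-token coalescing described above can be sketched as follows. This is an added example, not Cloudflare's Worker code: all function and option names are hypothetical, the OAuth server is a constructed stand-in, and the in-memory map is assumed to coalesce only the requests that reach one running instance.

```javascript
// Added example; createRefreshCoalescer, createStrictServer, exchange and holdMs
// are hypothetical names, not Cloudflare's or Hydra's code.
function createRefreshCoalescer(exchange, { holdMs = 2000, now = Date.now } = {}) {
  const entries = new Map(); // refresh token -> { promise, expires }
  return function refresh(refreshToken) {
    // Drop results whose hold window has passed (expires === null: in flight).
    for (const [key, e] of entries) {
      if (e.expires !== null && now() >= e.expires) entries.delete(key);
    }
    const hit = entries.get(refreshToken);
    if (hit) return hit.promise; // join the in-flight or just-finished exchange
    const entry = { promise: null, expires: null };
    // The executor runs synchronously; a synchronous throw becomes a rejection.
    entry.promise = new Promise((resolve) => resolve(exchange(refreshToken))).then(
      (tokens) => { entry.expires = now() + holdMs; return tokens; },
      (err) => { entries.delete(refreshToken); throw err; } // never cache failures
    );
    entries.set(refreshToken, entry);
    return entry.promise;
  };
}

// Constructed stand-in for an OAuth server with strict rotation: every refresh
// token works once, and reuse is rejected with invalid_grant.
function createStrictServer(initialToken) {
  const valid = new Set([initialToken]);
  let issued = 0, calls = 0;
  return {
    calls: () => calls,
    exchange: async (refreshToken) => {
      calls++;
      if (!valid.delete(refreshToken)) throw new Error('invalid_grant');
      const next = `rt-${++issued}`;
      valid.add(next);
      return { access_token: `at-${issued}`, refresh_token: next };
    },
  };
}

// Two concurrent refreshes of the same token, without and with coalescing.
async function demo() {
  const direct = createStrictServer('rt-0');
  const a = await Promise.allSettled([direct.exchange('rt-0'), direct.exchange('rt-0')]);
  const server = createStrictServer('rt-0');
  const refresh = createRefreshCoalescer(server.exchange);
  const b = await Promise.allSettled([refresh('rt-0'), refresh('rt-0')]);
  return { uncoalesced: a.map((r) => r.status), coalesced: b.map((r) => r.status), upstreamCalls: server.calls() };
}
demo().then((result) => console.log(result));
```

The hold window keeps a finished token response in memory for a short time so that a late retry with the old refresh token gets the same result; it is keyed by the refresh token itself, so only a caller that already holds that token can receive it, and it should stay short.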
Key changes
- Self‑managed OAuth clients now available for all Cloudflare customers, enabling delegated access to the API.
- Consent experience updated with clearer app names, permissions, and revocation in the dashboard.
- Hydra OAuth engine upgraded to 1.X, rewriting migrations with CREATE INDEX CONCURRENTLY and explicit column selection.
- Blue‑green upgrade strategy planned for 2.X, including revocation replay queue, database copy, and targeted data cleanup.
- Refresh‑token errors mitigated by adding token coalescing and Hydra’s refresh‑token grace period.
- Revocation replay queue built with Cloudflare Queues to preserve revocation events during upgrade.
- Upgrade window chosen during lowest request volume to minimize lost token writes.
- The new OAuth engine now supports self‑managed clients for all customers.