Cloudflare launched self-managed OAuth for all

371 points · 160 comments on HN · read original →

Points and comments are a snapshot, not live.

Cloudflare now lets all customers create and manage their own OAuth apps for delegated API access.

Cloudflare opened self-managed OAuth to all customers, enabling developers to build SaaS integrations, internal platforms, and agentic tools with scoped access. Previously limited to manually onboarded partners, the expansion required upgrading the underlying Hydra OAuth engine from 1.X to 2.X via a blue-green strategy with revocation replay queues and concurrent index creation to avoid downtime. Performance improved: API P95 latency dropped 45%, memory usage fell 40%, and CPU use decreased 37%.

What commenters are saying

Commenters were split. Several questioned the necessity and security of delegated OAuth for infrastructure, comparing it to AWS IAM and OIDC but noting the added complexity for personal use. Others defended OAuth as an improvement over sharing long-lived API keys. A common sentiment was that Cloudflare's blog post was overly detailed about an unremarkable upgrade, with one critic calling it a mundane technical debt payoff. Some worried Cloudflare's expanding platform might eventually deprioritize its free tier.