HeadlinesBriefing.com

Cloudflare Opens Self-Managed OAuth to All Developers

Hacker News

Cloudflare now allows all customers to create and manage their own OAuth clients for delegated API access. Previously, this functionality was limited to a few manually onboarded partners, forcing most developers to use API tokens. This shift simplifies the creation of SaaS integrations and agentic tools by providing a standard consent flow.

Engineering this rollout required a complex migration of Cloudflare's underlying Hydra OAuth engine. To avoid downtime, the team executed a two-stage upgrade from 1.X to 2.X. They used a blue-green deployment strategy and a custom queue system to ensure that user revocations were not lost during the database transition window.

Technical hurdles included schema migrations that threatened to lock critical tables and a strict refresh token invalidation bug. The team solved these by implementing concurrent index creation and a custom Worker to coalesce refresh token requests. This infrastructure update ensures that high-volume clients like Wrangler can maintain sessions without accidental invalidation.

These changes replace cumbersome token management with scoped access and better visibility. Developers can now offer clearer consent and easier revocation for their users. The system now supports a configurable grace period for refresh tokens to prevent session drops.
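
The request coalescing and refresh-token grace period described above, sketched as an added example (this is not Cloudflare's Worker code or Hydra's implementation). `makeStrictServer`, `makeCoalescer` and the `rt-`/`at-` token values are constructed for illustration, and the grace window is modelled inside the coalescer as a simplifying assumption.

```javascript
// Constructed stand-in for an authorization server with strict rotation:
// every refresh token is single-use, and presenting a used one fails.
function makeStrictServer(initialToken) {
  let current = initialToken, counter = 0, calls = 0;
  return {
    get calls() { return calls; },
    async refresh(token) {
      calls += 1;
      if (token !== current) throw new Error("invalid_grant");
      counter += 1;
      current = `rt-${counter}`;
      return { access_token: `at-${counter}`, refresh_token: current };
    },
  };
}

// Hypothetical single-flight coalescer: concurrent refreshes presenting the
// same token share one upstream call, and the result stays replayable for
// graceMs. A real deployment would key on a hash of the token, not the token.
function makeCoalescer(upstream, graceMs, now = Date.now) {
  const entries = new Map(); // token -> { promise, expires (null = in flight) }
  return function refresh(token) {
    for (const [key, e] of entries) { // evict results past the grace window
      if (e.expires !== null && now() >= e.expires) entries.delete(key);
    }
    const hit = entries.get(token);
    if (hit) return hit.promise;
    const entry = { promise: null, expires: null };
    entry.promise = upstream(token).then(
      (res) => { entry.expires = now() + graceMs; return res; },
      (err) => { entries.delete(token); throw err; } // never cache failures
    );
    entries.set(token, entry);
    return entry.promise;
  };
}

async function demo() {
  const direct = makeStrictServer("rt-0"); // two racing clients, no coalescing
  const raw = await Promise.allSettled([direct.refresh("rt-0"), direct.refresh("rt-0")]);
  let clock = 0; // fake clock so the grace window is deterministic
  const server = makeStrictServer("rt-0");
  const refresh = makeCoalescer((t) => server.refresh(t), 1000, () => clock);
  const both = await Promise.allSettled([refresh("rt-0"), refresh("rt-0")]);
  const callsAfterRace = server.calls;
  clock = 500;  // inside the grace window: old token replays the same result
  const replay = (await refresh("rt-0")).refresh_token;
  clock = 2000; // past the grace window: old token goes upstream and is rejected
  const late = await refresh("rt-0").catch((e) => e.message);
  return { raw: raw.map((r) => r.status), both: both.map((r) => r.status), callsAfterRace, replay, late };
}
demo().then(console.log);
```

The grace window is also a window in which a copied refresh token is still honoured, so it should be kept as short as the clients' retry behaviour allows.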