API and Terraform
This section covers a few common use cases with the API and Terraform to manage Cloudflare Zero Trust. For more information, refer to our API documentation and Terraform reference guide ↗.
Super Administrators can lock all settings as read-only in Zero Trust. Read-only mode ensures that all updates for the account are made through the API or Terraform.
To enable read-only mode:
- In Zero Trust ↗, go to Settings > Account.
- Enable API/Terraform read-only mode.
All users, regardless of user permissions, will be prevented from making configuration changes through the UI.
The administrators managing policies and groups in Cloudflare Zero Trust might be different from those responsible for configuring WAF custom rules or other Cloudflare settings. You can configure scoped API tokens so that team members and automated systems can manage Zero Trust settings without having permission to modify other configurations in Cloudflare.
You can create a scoped API token via the dashboard or via the API. For a list of available token permissions, refer to API token permissions.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark