Closed
98 changes: 98 additions & 0 deletions src/content/docs/workers/configuration/authorization.mdx
@@ -0,0 +1,98 @@
---
pcx_content_type: reference
title: Authorization
head: []
description: Control access to Workers and Developer Platform resources with roles.
---

When you add members to your Cloudflare account or create API tokens, you can assign roles that control access to Workers and other Developer Platform resources. Roles determine what actions users can perform, from viewing metadata to creating and managing resources.

For information about managing account members, refer to [Manage members](/fundamentals/manage-members/manage/). For information about creating API tokens, refer to [Create API tokens](/fundamentals/api/get-started/create-token/).

## Overview

For every product within the [Developer Platform](/products/?product-group=Developer+platform), you can assign one or more of the following role types to users or API tokens on your Cloudflare account:

- **Metadata Read-Only**: Allows viewing resource lists, settings, and observability data (metrics, logs, traces) without access to product content.
- **Content Read-Only**: Allows reading product content (such as D1 database content or Worker code) without the ability to modify it.
- **Editor**: Allows reading and writing product content, and updating settings. Cannot create, delete, or rename resources.
- **Admin**: Full control over resources, including the ability to create, rename, delete, and grant access to other users.
- **Create**: Allows creating new resources. The user who creates a resource automatically becomes the Admin for that resource. Does not grant access to existing resources.

As a best practice, developers building with the Developer Platform should have **Workers Platform Metadata Read-Only** combined with a product-specific **Create** role. This approach allows developers to view resources and observability data across the platform while creating and managing their own resources.

Resource-level roles (such as D1 Database Admin or Worker Admin) mirror account-level roles but apply to a specific resource. Users can have multiple roles, both account-wide and per-resource.

:::note
Roles are ordered from least to most privileged: Metadata Read-Only < Content Read-Only < Editor < Admin. More privileged roles include all access granted by less privileged roles.
Suggested change
Roles are ordered from least to most privileged: Metadata Read-Only < Content Read-Only < Editor < Admin. More privileged roles include all access granted by less privileged roles.
Roles ordered from least to most privileged are: Metadata Read-Only < Content Read-Only < Editor < Admin. More privileged roles include all access granted by less privileged roles.

I initially assumed that it was a statement about all lists of roles on the page. I tried to fit "create" in there somewhere, but it kind of sits on its own.


Page below describes roles for Workers and D1. The same pattern would be followed for all products within Developer Platform.
:::

## Workers Platform roles

Workers Platform roles grant access to all products in the Developer Platform, including Workers, D1, KV, R2, Durable Objects, and other related products.

| Role | Description |
| ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workers Platform Metadata Read-Only | Can see all resources. <br/> Can read metadata such as settings and observability (metrics, logs, traces). <br/> Cannot read product content or manage resources. |
| [Workers Platform Read-Only](/fundamentals/manage-members/roles/#account-scoped-roles) (existing role) | Can read metadata and product content (KV namespace values, Worker code). <br/> Cannot manage resources or update settings. |
| Workers Platform Editor | Can read and write product content. <br/> Can update settings and create new versions and deployments. <br/> Cannot create, delete, or rename resources. <br/> Cannot manage resource access. |
| [Workers Platform Admin](/fundamentals/manage-members/roles/#account-scoped-roles) (existing role) | Can read metadata and product content. <br/> Can update settings. <br/> Can create, rename, and delete resources. <br/> Can grant resource access to other users. |
| Workers Platform Create | Can create new resources across Developer Platform products (Workers, D1, KV). <br/> User who creates a resource becomes Admin for that resource. <br/> Does not grant access to existing resources. |

## Workers product roles

Workers product roles apply to all Workers in your account.

| Role | Description |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Workers Metadata Read-Only | Can see Worker exists (list). <br/> Can see settings (limits, compatibility flags). <br/> Can see bindings configuration, routes, custom domains, cron triggers, and deployment history. <br/> Can see observability (metrics, logs, traces, tail). <br/> Cannot see script code or secret values. |
| Workers Content Read-Only | Can view Worker script source code. <br/> Cannot deploy changes or modify settings. |
| Workers Editor | Can deploy Worker changes to production. <br/> Can create versions and deployments. <br/> Can update Worker settings and bindings. <br/> Can manage routes, custom domains, cron triggers, and secrets. <br/> Cannot create or delete Workers. |
| Workers Admin | Can create, rename, and delete Workers. <br/> Can manage subdomain (\*.workers.dev) settings and account-level Workers settings. <br/> Can grant resource access to other users. |
| Workers Create | Can create a new Worker and become Worker Admin for your Worker. <br/> Does not grant access to existing Workers. |

## Single Worker roles

Single Worker roles apply to a specific Worker in your account.

| Role | Description |
| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Worker Metadata Read-Only | Can see Worker exists (list). <br/> Can see settings (limits, compatibility flags). <br/> Can see bindings configuration, routes, custom domains, cron triggers, and deployment history. <br/> Can see observability (metrics, logs, traces, tail). <br/> Cannot see script code or secret values. |
| Worker Content Read-Only | Can view Worker script source code. <br/> Cannot deploy changes or modify settings. |
| Worker Editor | Can deploy Worker changes to production. <br/> Can create versions and deployments. <br/> Can update Worker settings and bindings. <br/> Can manage routes, custom domains, cron triggers, and secrets. <br/> Cannot delete the Worker or grant others access. |
| Worker Admin | Can rename and delete the Worker. <br/> Can grant access to the Worker to other users. |

## D1 product roles

D1 product roles apply to all D1 databases in your account.

:::note
When deploying a Worker with a D1 binding, user must have **D1 Database Admin** role for the binding's database or **D1 Admin** role. Workers accessing resource bindings do not make granular authorization checks at runtime.
:::

| Role | Description |
| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| D1 Metadata Read-Only | Can list databases and read database metadata. <br/> Cannot read or write database content. |
| D1 Content Read-Only | Can read database content with read-only queries. <br/> Can read all metadata. <br/> Cannot write to databases or update settings. |
| D1 Editor | Can read and write database content. <br/> Can read all metadata. <br/> Cannot manage databases or update settings. |
| D1 Admin | Can create, list, read, update, and delete all databases. <br/> Can grant access to other users. <br/> Has full access to all D1 resources. |
| D1 Create | Can create new databases. <br/> User who creates a database becomes D1 Database Admin for that database. <br/> Does not grant access to existing databases. |

## D1 database roles

D1 database roles apply to a specific D1 database in your account.

| Role | Description |
| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| D1 Database Metadata Read-Only | Can read database metadata such as settings and observability (metrics, logs, traces). <br/> Cannot read or write database content. <br/> Cannot manage database or update settings. |
| D1 Database Content Read-Only | Can read database content with read-only queries. <br/> Can read all metadata. <br/> Cannot write to database or update settings. |
| D1 Database Editor | Can read and write database content. <br/> Can read all metadata. <br/> Cannot manage database or update settings. |
| D1 Database Admin | Can manage database (read, update, delete). <br/> Can grant database access to other users. <br/> Can read and update database settings. <br/> Can read and write database content. |

## Related resources

- [Manage account members](/fundamentals/manage-members/manage/) - Add and remove members from your account.
- [Roles](/fundamentals/manage-members/roles/) - View all available roles for your account.
- [Create API tokens](/fundamentals/api/get-started/create-token/) - Create tokens with specific permissions.
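Review bot: the note under "D1 product roles" ("When deploying a Worker with a D1 binding, user must have **D1 Database Admin** role ... Workers accessing resource bindings do not make granular authorization checks at runtime.") needs to state the consequence and the scope of the check. As written, a Worker Editor "Can create versions and deployments" and "Can update Worker settings and bindings", so once an Admin has deployed the binding, an editor with no D1 role at all can ship code that reads and writes that database through the binding. Say whether the D1 Database Admin check is enforced on every deployment that carries the binding or only when the binding is added or changed, and add one sentence telling readers to grant Worker Editor with the Worker's bound resources in mind. Two smaller points in the same file: the Overview says Editor "Allows reading and writing product content, and updating settings", but D1 Editor and D1 Database Editor say "Cannot manage databases or update settings", so one of the two should be corrected; and "user must have" should read "the user must have", while Workers Create's "become Worker Admin for your Worker" should read "for that Worker".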