Cloudflare Opens Self-Managed OAuth to All Developers
Cloudflare rolled out self-managed OAuth for all developers, simplifying delegated API access while carefully upgrading its underlying Hydra OAuth engine.
Cloudflare has opened self-managed OAuth to all developers, letting them create and manage their own OAuth clients instead of relying solely on API tokens. Previously limited to a handful of manually onboarded partners, this capability now provides a standard, safer delegation flow for building SaaS integrations, internal developer platforms, and agentic tools.
To make this expansion secure, Cloudflare improved its consent screens, added revocation controls to the dashboard, and increased app-ownership visibility to curb OAuth phishing. The harder engineering challenge was upgrading Hydra, the open-source OAuth engine powering the platform, at scale without disrupting active users.
Rather than a single massive jump, the team executed a two-stage upgrade—first to the latest 1.X release, then to 2.X—using concurrent index creation and a custom Hydra build with explicit column selection to avoid table locks and deserialization issues. The 2.X migration relied on a blue-green deployment, temporarily extended token lifetimes, and a Cloudflare Queues-based system to replay revocation events, ensuring no access changes were lost during the multi-hour cutover.
The effort offers a concrete case study in migrating critical authentication infrastructure at scale, highlighting practical techniques for schema changes, backward compatibility, and data consistency during zero-downtime upgrades.