Cloudflare Opens OAuth to All Customers

On June 3, Cloudflare released self-managed OAuth, allowing any customer to create and manage OAuth clients for delegated access to the Cloudflare API. Previously, third-party OAuth was limited to a small number of manually onboarded partners like PlanetScale. Developers had to rely on API tokens, which are harder to manage and unsuitable for many delegated flows.

The Upgrade Behind the Launch

To support this, Cloudflare upgraded their OAuth engine from an early Hydra 1.X version to Hydra 2.X. The upgrade was done in two phases to minimize disruption: first to the latest 1.X release, then to 2.X using a blue-green database strategy.

Phase 1: Upgrading to Hydra 1.X

The 1.X upgrade required extensive schema migrations that would normally lock critical tables. Cloudflare rewrote migrations to use CREATE INDEX CONCURRENTLY and built a custom Hydra version with explicit column selection instead of SELECT * to avoid deserialization issues.

After cutover, they saw an increase in refresh token errors due to stricter refresh invalidation in the new version: reused refresh tokens would invalidate the entire token chain. This broke high-volume clients like Wrangler and MCP. They mitigated it by adding refresh token coalescing in a Cloudflare Worker that caches refresh requests briefly, short-circuiting retries before they reach Hydra. The 2.X version later resolved this natively with a configurable "refresh token grace period."
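The coalescing idea, as an added illustration that is not Cloudflare's Worker code: a short-lived cache keyed by refresh token hands a duplicated refresh request the same result as the original, so the retry never reaches the strict upstream. The single-use upstream, the 5 s TTL and the token formats are constructed assumptions for the demo.

```javascript
// Added example (not Cloudflare's code): a coalescing layer in front of a
// token endpoint with strict refresh rotation, so a client retry that resends
// an already-used refresh token gets the cached answer instead of tripping
// reuse detection and revoking the whole token chain.
class RefreshCoalescer {
  constructor(ttlMs = 5000, now = Date.now) {
    this.ttlMs = ttlMs;          // short window: just long enough to absorb retries
    this.now = now;
    this.entries = new Map();    // refreshToken -> { expires, promise }
  }
  // Same refresh token within the TTL => same in-flight/cached result.
  // A real deployment would key on a hash of the token and use a shared cache.
  async refresh(refreshToken, upstream) {
    const hit = this.entries.get(refreshToken);
    if (hit && hit.expires > this.now()) return hit.promise; // short-circuit retry
    const promise = upstream(refreshToken);                   // single upstream call
    this.entries.set(refreshToken, { expires: this.now() + this.ttlMs, promise });
    return promise;
  }
}
// Constructed stand-in for the stricter behaviour the article describes:
// each refresh token is single-use; reusing one revokes its entire chain.
function makeStrictUpstream() {
  const used = new Set(), revokedChains = new Set();
  let n = 0;
  return async (refreshToken) => {
    const chain = refreshToken.split(":")[0];
    if (revokedChains.has(chain)) return { error: "invalid_grant" };
    if (used.has(refreshToken)) { revokedChains.add(chain); return { error: "invalid_grant" }; }
    used.add(refreshToken);
    n += 1;
    return { access_token: `at-${n}`, refresh_token: `${chain}:rt-${n}` };
  };
}
// A client that sends a refresh and an identical retry concurrently (e.g. a
// timeout-triggered duplicate), then continues the chain with what it got back.
async function simulate(coalescer) {
  const upstream = makeStrictUpstream();
  const call = coalescer ? (t) => coalescer.refresh(t, upstream) : upstream;
  const [a, b] = await Promise.all([call("c1:rt-0"), call("c1:rt-0")]);
  const next = a.refresh_token ? await call(a.refresh_token) : { error: "no_token" };
  return {
    retryGotSameTokens: !!a.access_token && a.access_token === b.access_token,
    chainAlive: !next.error,
  };
}

simulate(null).then((r) => console.log("strict only:", r));                     // both false
simulate(new RefreshCoalescer(5000)).then((r) => console.log("coalesced:", r)); // both true
```

Without the cache the duplicate trips reuse detection and the client's chain is dead; with it both requests share one upstream call and the chain continues.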

Phase 2: Blue-Green Upgrade to Hydra 2.X

For the 2.X upgrade, an in-place migration was impossible due to schema changes. Cloudflare chose a blue-green strategy that kept writes enabled during the migration, at the cost of losing some token writes. To minimize lost writes, they increased token expiry to multiple hours. To prevent loss of revocations, they built a queue system using Cloudflare Queues that recorded revocation events during the window and replayed them after cutover.

The migration took approximately three hours, updating 132.5 million rows and inserting 114.7 million. After cutover, they observed a data cleanup job in their authorization service aggressively purging OAuth policy data, causing 403 errors. Investigation revealed that a Hydra migration had corrupted valid OAuth sessions. They restored the data and changed the authorization logic to remove its reliance on static policy data.

Performance Improvements

Post-upgrade metrics show significant gains:

Metric (avg)     Before       After        Change
API P95          185 ms       101 ms       -45%
RSS memory       888 MB       763 MB       -14%
Go heap alloc    449 MB       271 MB       -40%
Goroutines       4015         3076         -23%
CPU              1.07 cores   0.67 cores   -37%

Getting Started

Any Cloudflare customer can now create OAuth apps via the dashboard. This enables building SaaS integrations, internal developer platforms, and agentic tools with standard OAuth flows. Users get clearer consent, easier revocation, and granular scope control. Check the documentation or go directly to the OAuth apps page in your dashboard.

Why It Matters

Self-managed OAuth removes a barrier for developers building on Cloudflare's platform. Instead of managing API tokens, you can now offer a delegated OAuth flow. The performance improvements from the Hydra upgrade benefit all existing OAuth users, including Wrangler and partner integrations.