Cloudflare's "Ask AI" created an API token with read access to my account

frr | 1491 pts | 0 comments

Source: frr.dev

Last week, auditing my Cloudflare API tokens, I found one I never created: "Cloudflare Agent Token - 2026-04-28", created by the dashboard's AI assistant ("Ask AI").

Cloudflare's tooltip says it exists so the AI can "understand your environment and take actions on your behalf."

Its actual grant, from the token's own summary page: read access scoped to All accounts, All zones, and All users — more than 160 permissions. Every one is :Read: it cannot change anything. But "read-only" undersells it. The list includes Secrets Store:Read, Access: Keys:Read, Access: Service Tokens:Read, Zero Trust: PII:Read, Logs:Read, Account Audit Logs:Read, Billing:Read, API Tokens:Read, and every DNS, Access and identity-provider config you have.

It also has no expiry date.

A leaked token like this isn't "an attacker reconfigures your infrastructure." It's total reconnaissance and data exfiltration: your security posture, your logs, your PII, your org and user structure — readable in one pass. For most teams that is a reportable breach by itself.

I used the "Ask AI" feature. That minted a standing, account-wide read credential that sat in my account for three weeks before I happened to notice it — and, never expiring, would otherwise have stayed valid forever. I was never meaningfully told that asking a question would do this, and "Ask AI" does not signal "provision a permanent agent that can read everything I have."

An assistant answering a question needs read access scoped to that question, for that conversation. A permanent credential that reads your whole estate is a different thing, and must be a deliberate, informed, visible opt-in.

Check yours: dash.cloudflare.com/profile/api-tokens. If you see "Cloudflare Agent Token" and don't use the agent, revoke it.

Yes: read-only, first-party, revocable. But it never expires, and it was never surfaced to me — so "revocable" means nothing unless you already know to go looking. None of that makes standing, permanent read access to your secrets, logs and PII proportionate to "I asked a chatbot a question."
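The manual check above (open the token list, look for an agent-minted token with no expiry, revoke it) is easy to script so it runs on a schedule rather than relying on someone happening to notice. The following is an added example, not code from frr.dev or from Cloudflare. It assumes the shape of Cloudflare's `GET /client/v4/user/tokens` response (a `result` list of token objects with `id`, `name`, `status`, `issued_on`, `expires_on` and `policies`); treat those field names, and the wildcard resource format in the sample, as assumptions. The sample token list is constructed so the audit logic runs offline; the live `fetch_user_tokens` and `revoke_token` helpers need a token that itself carries API Tokens:Read (and Edit, for revocation).

```python
"""Audit Cloudflare user API tokens for standing, account-wide read credentials.

Added example (not frr.dev's or Cloudflare's code). Response field names are
an assumption based on Cloudflare's token object; verify against the API docs.
"""
import json
import urllib.request
from datetime import datetime, timezone

CF_API = "https://api.cloudflare.com/client/v4"
AGENT_PREFIX = "Cloudflare Agent Token"   # naming pattern quoted in the post
STALE_DAYS = 14                           # flag unexpiring tokens older than this

# Constructed sample mimicking the assumed GET /user/tokens result list.
SAMPLE_TOKENS = [
    {
        "id": "tokenid-agent-PLACEHOLDER",
        "name": "Cloudflare Agent Token - 2026-04-28",
        "status": "active",
        "issued_on": "2026-04-28T00:00:00Z",
        "expires_on": None,               # never expires
        "policies": [{
            "effect": "allow",
            "resources": {"com.cloudflare.api.account.*": "*"},  # assumed "all accounts" form
            "permission_groups": [
                {"name": "Secrets Store Read"}, {"name": "Logs Read"},
                {"name": "Zero Trust PII Read"}, {"name": "Account Audit Logs Read"},
            ],
        }],
    },
    {
        "id": "tokenid-ci-PLACEHOLDER",
        "name": "ci-deploy",
        "status": "active",
        "issued_on": "2026-05-10T00:00:00Z",
        "expires_on": "2026-06-10T00:00:00Z",
        "policies": [{
            "effect": "allow",
            "resources": {"com.cloudflare.api.account.zone.EXAMPLEZONEID": "*"},
            "permission_groups": [{"name": "DNS Write"}],
        }],
    },
]
NOW = datetime(2026, 5, 19, tzinfo=timezone.utc)   # constructed "today"


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def token_findings(tok: dict, now: datetime = NOW) -> list[str]:
    """Return the reasons a single token deserves a human's attention."""
    findings = []
    if tok.get("name", "").startswith(AGENT_PREFIX):
        findings.append("agent-minted token")
    if tok.get("status") == "active" and not tok.get("expires_on"):
        findings.append("no expiry")
        issued = tok.get("issued_on")
        if issued and (now - _parse_ts(issued)).days >= STALE_DAYS:
            findings.append(f"issued {(now - _parse_ts(issued)).days} days ago")
    # An allow policy whose resource key ends in ".*" (or maps to "*") covers
    # every account/zone/user rather than a specific one.
    for pol in tok.get("policies", []):
        res = pol.get("resources", {})
        if pol.get("effect") == "allow" and any(
            k.endswith(".*") or v == "*" for k, v in res.items()
        ):
            if any(k.endswith(".*") for k in res):
                findings.append("allow policy on wildcard resource")
                break
    groups = sum(len(p.get("permission_groups", [])) for p in tok.get("policies", []))
    if groups >= 4:
        findings.append(f"{groups} permission groups")
    return findings


def audit(tokens: list[dict] = SAMPLE_TOKENS, now: datetime = NOW) -> dict[str, list[str]]:
    """Map token name -> findings, only for tokens that have any."""
    return {t["name"]: f for t in tokens if (f := token_findings(t, now))}


def fetch_user_tokens(bearer: str) -> list[dict]:
    """Live listing (needs API Tokens:Read). Not exercised offline."""
    req = urllib.request.Request(f"{CF_API}/user/tokens",
                                 headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(body.get("errors"))
    return body["result"]


def revoke_token(bearer: str, token_id: str) -> bool:
    """Delete a token by id (needs API Tokens:Edit). Not exercised offline."""
    req = urllib.request.Request(f"{CF_API}/user/tokens/{token_id}", method="DELETE",
                                 headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return bool(json.load(resp).get("success"))


if __name__ == "__main__":
    for name, why in audit().items():
        print(f"REVIEW {name}: {', '.join(why)}")
```

Run as-is it reports only the agent token (no expiry, 21 days old, wildcard resource, four permission groups) and stays silent on the scoped, expiring CI token. To run it against a real account, replace `SAMPLE_TOKENS` with `fetch_user_tokens(bearer)` and feed any `agent-minted token` hit you do not recognise to `revoke_token`.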

