This has blown my mind. Its been a constant source of frustration since Cloudflare stubbornly refuses to allow non-enterprise accounts to have a seperate key per zone. The thread requesting it is a masterclass in passive aggressiveness:

https://community.cloudflare.com/t/restrict-scope-api-tokens...

▲

Jnr 2 days ago | parent | next [-]

When setting up the API key, use the "Select zones to include or exclude." section. Works fine on the free account.

	▲	teruakohatu 2 days ago \| parent [-]
		I should have clarified, you can’t for subdomains on a non-enterprise account.

▲

Kovah 2 days ago | parent | prev [-]

Could you elaborate on the separate key per zone issue? It's possible to create different API keys which have only access to a specific zone, and I'm a non-enterprise user.

▲

johnmaguire 2 days ago | parent [-]

This allows you to restrict it to a domain (e.g. example.com) but not a sub-domain of that domain.

	▲	Kovah 2 days ago \| parent [-]
		Ah I see, thanks for the clarification!