Cloudflare wrangler deploy "Authentication error [code: 10000]" in CI
wrangler could not authenticate to the Cloudflare API: "Authentication error [code: 10000]" means the CLOUDFLARE_API_TOKEN env var is unset, expired, or lacks the Workers/Pages edit scope. wrangler cannot do an interactive login in CI, so the token must be present.
What this error means
wrangler deploy or wrangler pages deploy stops with "A request to the Cloudflare API (/accounts/.../workers/scripts/...) failed. Authentication error [code: 10000]". Local deploys that use an OAuth login work, but CI fails.
X [ERROR] A request to the Cloudflare API (/accounts/xxxx/workers/scripts/my-worker) failed.
Authentication error [code: 10000]Common causes
No CLOUDFLARE_API_TOKEN in the CI environment
wrangler relies on an OAuth login locally, but CI has none. Without CLOUDFLARE_API_TOKEN (and often CLOUDFLARE_ACCOUNT_ID) it cannot authenticate.
The token lacks Workers/Pages edit permission
A token scoped only to read or to a different product returns 10000 because it cannot edit the Worker or Pages project.
How to fix it
Provide a scoped API token via env
- Create a token with "Edit Cloudflare Workers" (and Pages, if deploying Pages).
- Store it and the account id as secrets.
- Expose them to the deploy step as CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID.
- name: Deploy with wrangler
run: npx wrangler deploy
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}Confirm the token scope with whoami
Run wrangler whoami to check the token authenticates and lists the expected account before deploying.
npx wrangler whoamiHow to prevent it
- Set CLOUDFLARE_API_TOKEN from a secret in every deploy job.
- Scope the token to Workers/Pages edit for the right account.
- Never depend on an interactive wrangler login in CI.