Wrangler "Authentication error [code: 10000]" - Fix Deploy Auth
Wrangler could not authenticate to the Cloudflare API. The CLOUDFLARE_API_TOKEN is missing, lacks the scopes the command needs, or has expired - so the deploy is rejected.
What this error means
wrangler deploy (or pages deploy) fails with Authentication error [code: 10000], or a message that you must be logged in. It is deterministic: a missing or wrong-scoped token fails the same way every run.
✘ [ERROR] A request to the Cloudflare API (/accounts/.../workers/scripts) failed.
Authentication error [code: 10000]Common causes
Missing or wrong-scoped API token
No CLOUDFLARE_API_TOKEN is set in the job, or the token lacks the permissions the command needs (e.g. Workers Scripts:Edit, Pages:Edit), so the API returns 10000.
Missing or wrong account ID
When the token has access to multiple accounts, CLOUDFLARE_ACCOUNT_ID must disambiguate. Without it, or with the wrong one, the request is unauthorized.
How to fix it
Provide a scoped API token and account ID
Set the token and account ID from CI secrets with the permissions the deploy needs.
- run: npx wrangler deploy
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}Verify the token and its scopes
- Confirm the token is valid:
npx wrangler whoamishould print the account. - Ensure the token includes the permissions the command requires (Workers Scripts:Edit, Account Settings:Read, Pages:Edit as needed).
- Rotate and replace the token if it has expired or been revoked.
How to prevent it
- Use a narrowly scoped API token stored as a CI secret, not the Global API Key.
- Set
CLOUDFLARE_ACCOUNT_IDwhen the token spans multiple accounts. - Add a
wrangler whoamicheck early to fail fast on bad auth.