Skip to content
Latchkey

Wrangler "Authentication error [code: 10000]" - Fix Deploy Auth

Wrangler could not authenticate to the Cloudflare API. The CLOUDFLARE_API_TOKEN is missing, lacks the scopes the command needs, or has expired - so the deploy is rejected.

What this error means

wrangler deploy (or pages deploy) fails with Authentication error [code: 10000], or a message that you must be logged in. It is deterministic: a missing or wrong-scoped token fails the same way every run.

wrangler output
✘ [ERROR] A request to the Cloudflare API (/accounts/.../workers/scripts) failed.
  Authentication error [code: 10000]

Common causes

Missing or wrong-scoped API token

No CLOUDFLARE_API_TOKEN is set in the job, or the token lacks the permissions the command needs (e.g. Workers Scripts:Edit, Pages:Edit), so the API returns 10000.

Missing or wrong account ID

When the token has access to multiple accounts, CLOUDFLARE_ACCOUNT_ID must disambiguate. Without it, or with the wrong one, the request is unauthorized.

How to fix it

Provide a scoped API token and account ID

Set the token and account ID from CI secrets with the permissions the deploy needs.

.github/workflows/deploy.yml
- run: npx wrangler deploy
  env:
    CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

Verify the token and its scopes

  1. Confirm the token is valid: npx wrangler whoami should print the account.
  2. Ensure the token includes the permissions the command requires (Workers Scripts:Edit, Account Settings:Read, Pages:Edit as needed).
  3. Rotate and replace the token if it has expired or been revoked.

How to prevent it

  • Use a narrowly scoped API token stored as a CI secret, not the Global API Key.
  • Set CLOUDFLARE_ACCOUNT_ID when the token spans multiple accounts.
  • Add a wrangler whoami check early to fail fast on bad auth.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →