Skip to content
Latchkey

Wrangler "A request to the Cloudflare API failed ... 10000" in CI

Wrangler reached the Cloudflare API but the call returned error 10000. The path in the message names the resource (a script, a KV namespace, a Pages project) the token was not allowed to touch, which tells you whether it is a scope or an account problem.

What this error means

Wrangler prints "A request to the Cloudflare API (/accounts/.../...) failed" followed by "Authentication error [code: 10000]". The account id in the URL may not match the token.

wrangler
✘ [ERROR] A request to the Cloudflare API (/accounts/abc123/workers/scripts) failed.

  Authentication error [code: 10000]

Common causes

The token does not belong to that account

The account id in the URL (from CLOUDFLARE_ACCOUNT_ID or wrangler.toml) points at an account the token has no access to, so every call to it returns 10000.

The token is missing the resource permission

A token scoped only for Workers cannot call KV, D1, R2, or Pages endpoints; the specific resource path in the error shows what scope is missing.

How to fix it

Match the token to the account id

  1. Read the account id in the failing URL.
  2. Confirm CLOUDFLARE_ACCOUNT_ID and wrangler.toml point at the same account the token was created in.
  3. Recreate the token in the correct account if they differ.
.github/workflows/ci.yml
env:
  CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
  CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

Add the missing resource scope

For KV, D1, R2, or Pages deploys, add the matching permission to the token (for example "Workers KV Storage: Edit") so those endpoints stop returning 10000.

How to prevent it

  • Create the token inside the same account you deploy to.
  • Grant every resource scope the deploy touches: Workers, KV, D1, R2, Pages.
  • Keep account id and token together as CI secrets so they never drift.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →