Wrangler "A request to the Cloudflare API failed ... 10000" in CI
Wrangler reached the Cloudflare API but the call returned error 10000. The path in the message names the resource (a script, a KV namespace, a Pages project) the token was not allowed to touch, which tells you whether it is a scope or an account problem.
What this error means
Wrangler prints "A request to the Cloudflare API (/accounts/.../...) failed" followed by "Authentication error [code: 10000]". The account id in the URL may not match the token.
✘ [ERROR] A request to the Cloudflare API (/accounts/abc123/workers/scripts) failed.
Authentication error [code: 10000]Common causes
The token does not belong to that account
The account id in the URL (from CLOUDFLARE_ACCOUNT_ID or wrangler.toml) points at an account the token has no access to, so every call to it returns 10000.
The token is missing the resource permission
A token scoped only for Workers cannot call KV, D1, R2, or Pages endpoints; the specific resource path in the error shows what scope is missing.
How to fix it
Match the token to the account id
- Read the account id in the failing URL.
- Confirm
CLOUDFLARE_ACCOUNT_IDand wrangler.toml point at the same account the token was created in. - Recreate the token in the correct account if they differ.
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}Add the missing resource scope
For KV, D1, R2, or Pages deploys, add the matching permission to the token (for example "Workers KV Storage: Edit") so those endpoints stop returning 10000.
How to prevent it
- Create the token inside the same account you deploy to.
- Grant every resource scope the deploy touches: Workers, KV, D1, R2, Pages.
- Keep account id and token together as CI secrets so they never drift.