Account integration

Zones, DNS, analytics and Workers — what sSystm can see and do on your account.

#What the integration does

The Cloudflare module is a window into your own account, powered by your OAuth token: list zones, inspect and manage DNS records, read traffic analytics, and see your Workers. The little cloud badge next to the logo in the sidebar shows the live connection state — orange with a green dot when your account is connected.

The same connection powers the platform’s BYOC features: your D1 database is created through it, and Build deploys Workers through it.

#The OAuth scopes

sSystm uses Cloudflare’s fine-grained OAuth scopes, grouped below with an honest risk label. "Destructive" means the scope can change live infrastructure (deploy code, alter DNS); "risky" affects live behaviour transiently; "safe" is read-only.

Scope groupScopesRisk
Developer Platform (D1, Workers, KV, routes)d1.writeworkers-kv-storage.readworkers-observability.readworkers-routes.readworkers-scripts.writedestructive
AI & Machine Learningaig.writeai.readrisky
DNS & Zonesdns.writezone.readzone-settings.readdestructive
App Security (WAF, DDoS, firewall)account-waf.writeddos-protection.readfirewall-services.writezone-waf.writedestructive
Rules & Configuration (rulesets)account-rulesets.readaccount-rulesets.writedestructive
Analytics & Logsanalytics.readaccount-logs.readsafe
Cache & Performancecache.purgerisky
Account & Billingaccount-settings.readnotifications.writerisky