Account integration
Zones, DNS, analytics and Workers — what sSystm can see and do on your account.
# What the integration does
The Cloudflare module is a window into your own account, powered by your OAuth token: list zones, inspect and manage DNS records, read traffic analytics, and see your Workers. The little cloud badge next to the logo in the sidebar shows the live connection state — orange with a green dot when your account is connected.
The same connection powers the platform’s BYOC features: your D1 database is created through it, and Build deploys Workers through it.
# The OAuth scopes
sSystm uses Cloudflare’s fine-grained OAuth scopes, grouped below with an honest risk label. "Destructive" means the scope can change live infrastructure (deploy code, alter DNS); "risky" affects live behaviour transiently; "safe" is read-only.
| Scope group | Scopes | Risk |
|---|---|---|
| Developer Platform (D1, Workers, KV, routes) | `d1.write`, `workers-kv-storage.read`, `workers-observability.read`, `workers-routes.read`, `workers-scripts.write` | destructive |
| AI & Machine Learning | `aig.write`, `ai.read` | risky |
| DNS & Zones | `dns.write`, `zone.read`, `zone-settings.read` | destructive |
| App Security (WAF, DDoS, firewall) | `account-waf.write`, `ddos-protection.read`, `firewall-services.write`, `zone-waf.write` | destructive |
| Rules & Configuration (rulesets) | `account-rulesets.read`, `account-rulesets.write` | destructive |
| Analytics & Logs | `analytics.read`, `account-logs.read` | safe |
| Cache & Performance | `cache.purge` | risky |
| Account & Billing | `account-settings.read`, `notifications.write` | risky |
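
To review a grant against this table, the added example below (not sSystm's own code) maps a granted scope string onto the groups above, reports the highest risk label present, and lists any scope the table does not document. It assumes the scope string is space-delimited, as in an OAuth 2.0 token response; the function name `audit_scopes` and the sample input are hypothetical.

```python
# Added example: audit a granted OAuth scope string against the table above.
RISK_ORDER = {"safe": 0, "risky": 1, "destructive": 2}

# Scope groups and risk labels copied from the table on this page.
# The page labels groups, not individual scopes, so one granted scope
# from a group is reported with that group's label.
SCOPE_GROUPS = {
    "Developer Platform": ("destructive", {
        "d1.write", "workers-kv-storage.read", "workers-observability.read",
        "workers-routes.read", "workers-scripts.write"}),
    "AI & Machine Learning": ("risky", {"aig.write", "ai.read"}),
    "DNS & Zones": ("destructive", {"dns.write", "zone.read", "zone-settings.read"}),
    "App Security": ("destructive", {
        "account-waf.write", "ddos-protection.read",
        "firewall-services.write", "zone-waf.write"}),
    "Rules & Configuration": ("destructive", {
        "account-rulesets.read", "account-rulesets.write"}),
    "Analytics & Logs": ("safe", {"analytics.read", "account-logs.read"}),
    "Cache & Performance": ("risky", {"cache.purge"}),
    "Account & Billing": ("risky", {"account-settings.read", "notifications.write"}),
}

def audit_scopes(scope_string, max_risk="risky"):
    """Report on a space-delimited scope string (assumed token-response format)."""
    granted = set(scope_string.split())
    known = set().union(*(scopes for _, scopes in SCOPE_GROUPS.values()))
    groups = {}
    for name, (risk, scopes) in SCOPE_GROUPS.items():
        hit = granted & scopes
        if hit:
            groups[name] = {"risk": risk, "granted": sorted(hit)}
    worst = max((g["risk"] for g in groups.values()), key=RISK_ORDER.get, default=None)
    return {
        "groups": groups,
        "highest_risk": worst,
        # Groups whose label exceeds what the reviewer is willing to accept.
        "over_threshold": sorted(n for n, g in groups.items()
                                 if RISK_ORDER[g["risk"]] > RISK_ORDER[max_risk]),
        # Scopes absent from the documented table: drift worth investigating.
        "undocumented": sorted(granted - known),
    }

if __name__ == "__main__":
    # Constructed sample grant, not taken from a real token.
    sample = "analytics.read account-logs.read cache.purge dns.write zone.read example.unknown"
    report = audit_scopes(sample)
    print(report["highest_risk"], report["over_threshold"], report["undocumented"])
```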