Cloudflare launches self‑managed OAuth for All on Workers

Cloudflare announced on June 25 that its OAuth for All service lets customers run a self‑managed OAuth 2.0 provider on Cloudflare Workers, eliminating the need for an external identity provider [Cloudflare Blog].

── What shipped ──

The offering is delivered as a Workers KV‑backed configuration bundle that deploys with a single wrangler publish command. It supports the Authorization Code flow with PKCE, the Client Credentials flow, and token‑introspection endpoints out of the box. Built‑in rate limiting and automatic key rotation run on Cloudflare’s edge security stack. Pricing mirrors Workers KV: a free tier covers up to 1,000 active users, and the paid tier starts at $20 per month for up to 10,000 active users [Cloudflare Blog]. Documentation includes a Terraform provider for automated provisioning and a sample React SPA that demonstrates the full login‑logout cycle.

── Why it matters ──

Running the OAuth server at Cloudflare’s 400+ PoP network cuts authentication round‑trip latency by roughly 30 % versus a centralized IdP in North America, according to internal benchmarks. Tokens and client secrets are stored in Workers KV, which can be locked to a specific region via the KV‑regional feature, keeping credential data under customer control. At $20 per month for up to 10,000 users, the paid tier undercuts Auth0 and Okta’s $23–$30 per‑user pricing, shrinking the hosted‑auth market.

── Editor's take ──

The real story is that Cloudflare has turned the edge into a viable identity‑as‑a‑service platform. By moving auth to the edge, traditional IdPs must compete on latency and price, not just feature breadth. Organizations already using Workers for CDN or API routing now have a single vendor for both traffic acceleration and identity.

── Reader poll ──

Which self‑hosted auth solution do you trust for production workloads?

• Cloudflare OAuth for All
• Auth0
• Okta
• Keycloak