Permissions

Why read-only?

Henneth only reads your Cloudflare analytics data. We never modify your DNS records, SSL certificates, security settings, or any other part of your Cloudflare configuration. The read-only token ensures Henneth can never make changes to your site, even if the token were compromised.

Exact permission scope

Henneth requires a single permission:

This grants access to the Cloudflare Analytics API for the specified zone. It allows Henneth to query traffic data, request counts, bandwidth statistics, and visitor information — including AI bot crawl data — for your domain.

Why this permission is needed

The Zone.Analytics:Read permission gives Henneth access to Cloudflare's analytics endpoints. This is how we identify AI agent traffic patterns — by analyzing request metadata such as user agents, request paths, and traffic volumes associated with known AI crawlers and agents.

What this permission cannot do

• ×Cannot modify DNS records or zone settings
• ×Cannot access SSL/TLS certificates or private keys
• ×Cannot read request bodies or response content
• ×Cannot change firewall rules or security settings
• ×Cannot access other zones in your account (when scoped to specific zone)
• ×Cannot create, update, or delete any Cloudflare resources
• ×Cannot access Workers, Pages, or R2 storage
• ×Cannot view or modify billing information

Zone scoping recommendation

When creating your token, always scope it to a specific zone rather than "All zones." This limits the token's access to only the domain you want Henneth to analyze. If you manage multiple domains on Cloudflare, create a separate token for each one you connect to Henneth.