diff --git a/README.md b/README.md
index a9b6f50..5d4163e 100644
--- a/README.md
+++ b/README.md
@@ -61,8 +61,7 @@ KEYCDN_ZONE_ID=<REPLACE-ME>
 
 ```
 UPPER_DRIVER=cloudflare
-CLOUDFLARE_API_KEY=<REPLACE-ME>
-CLOUDFLARE_API_EMAIL=<REPLACE-ME>
+CLOUDFLARE_API_TOKEN=<REPLACE-ME>
 CLOUDFLARE_ZONE_ID=<REPLACE-ME>
 CLOUDFLARE_DOMAIN=https://<REPLACE-ME>
 ```
@@ -71,6 +70,8 @@ By default, Cloudflare's CDN  does not cache HTML content. You need to create a
 
 If you don't use Cloudflare Enterprise with native `Cache-Tag` support, make sure to enable `useLocalTags` in your `config/upper.php` file (default), otherwise disable it.
 
+You can generate a token in the Cloudflare dashboard. You want to create a custom token with the "Zone.Cache Purge" permission that is restricted to the DNS zone(s) you wish to clear Cloudflare's cache for.
+
  
 ### Varnish Setup
 Varnish URL supports multiple servers, separate with comma. E.g `http://1.1.1.1,http://2.2.2.2`
diff --git a/src/Plugin.php b/src/Plugin.php
index 32c4b89..07739be 100644
--- a/src/Plugin.php
+++ b/src/Plugin.php
@@ -61,6 +61,10 @@ public function init()
             'tagCollection' => TagCollection::class
         ]);
 
+        // Attach Behaviors
+        \Craft::$app->getResponse()->attachBehavior('cache-control', CacheControlBehavior::class);
+        \Craft::$app->getResponse()->attachBehavior('tag-header', TagHeaderBehavior::class);
+
         // Register event handlers
         EventRegistrar::registerFrontendEvents();
         EventRegistrar::registerCpEvents();
@@ -69,11 +73,6 @@ public function init()
         if ($this->getSettings()->useLocalTags) {
             EventRegistrar::registerFallback();
         }
-
-        // Attach Behaviors
-        \Craft::$app->getResponse()->attachBehavior('cache-control', CacheControlBehavior::class);
-        \Craft::$app->getResponse()->attachBehavior('tag-header', TagHeaderBehavior::class);
-
     }
 
     // ServiceLocators
diff --git a/src/config.example.php b/src/config.example.php
index e8b5f6c..393f5a7 100644
--- a/src/config.example.php
+++ b/src/config.example.php
@@ -53,10 +53,12 @@
         'cloudflare' => [
             'tagHeaderName'      => 'Cache-Tag',
             'tagHeaderDelimiter' => ',',
+            'apiToken'           => getenv('CLOUDFLARE_API_TOKEN'),
+            'zoneId'             => getenv('CLOUDFLARE_ZONE_ID'),
+            'domain'             => getenv('CLOUDFLARE_DOMAIN'),
+            // deprecated, do not use for new installs
             'apiKey'             => getenv('CLOUDFLARE_API_KEY'),
             'apiEmail'           => getenv('CLOUDFLARE_API_EMAIL'),
-            'zoneId'             => getenv('CLOUDFLARE_ZONE_ID'),
-            'domain'             => getenv('CLOUDFLARE_DOMAIN')
         ],
 
         // Dummy driver (default)
diff --git a/src/drivers/Cloudflare.php b/src/drivers/Cloudflare.php
index 9d51653..6e5ab33 100644
--- a/src/drivers/Cloudflare.php
+++ b/src/drivers/Cloudflare.php
@@ -1,5 +1,6 @@
 <?php namespace ostark\upper\drivers;
 
+use Craft;
 use GuzzleHttp\Client;
 use GuzzleHttp\Exception\BadResponseException;
 use ostark\upper\exceptions\CloudflareApiException;
@@ -22,6 +23,8 @@ class Cloudflare extends AbstractPurger implements CachePurgeInterface
 
     public $apiEmail;
 
+    public $apiToken;
+
     public $zoneId;
 
     public $domain;
@@ -35,7 +38,7 @@ class Cloudflare extends AbstractPurger implements CachePurgeInterface
     public function purgeTag(string $tag)
     {
         if ($this->useLocalTags) {
-             return $this->purgeUrlsByTag($tag);
+            return $this->purgeUrlsByTag($tag);
         }
 
         return $this->sendRequest('DELETE', 'purge_cache', [
@@ -57,12 +60,12 @@ public function purgeUrls(array $urls)
         }
 
         // prefix urls with domain
-        $files = array_map(function ($url) {
+        $files = array_map(function($url) {
             return rtrim($this->domain, '/') . $url;
         }, $urls);
 
         // Chunk larger collections to meet the API constraints
-        foreach(array_chunk($files, self::MAX_URLS_PER_PURGE) as $fileGroup) {
+        foreach (array_chunk($files, self::MAX_URLS_PER_PURGE) as $fileGroup) {
             $this->sendRequest('DELETE', 'purge_cache', [
                 'files' => $fileGroup
             ]);
@@ -100,21 +103,12 @@ public function purgeAll()
      */
     protected function sendRequest($method = 'DELETE', string $type, array $params = [])
     {
-        $client = new Client([
-            'base_uri' => self::API_ENDPOINT,
-            'headers'  => [
-                'Content-Type' => 'application/json',
-                'X-Auth-Key'   => $this->apiKey,
-                'X-Auth-Email' => $this->apiEmail,
-            ]
-        ]);
+        $client = $this->getClient();
 
         try {
-
-            $uri     = "zones/{$this->zoneId}/$type";
+            $uri = "zones/{$this->zoneId}/$type";
             $options = (count($params)) ? ['json' => $params] : [];
             $client->request($method, $uri, $options);
-
         } catch (BadResponseException $e) {
 
             throw CloudflareApiException::create(
@@ -126,6 +120,29 @@ protected function sendRequest($method = 'DELETE', string $type, array $params =
         return true;
     }
 
+    private function getClient()
+    {
+        $headers = [
+            'Content-Type' => 'application/json',
+        ];
 
+        if ($this->usesLegacyApiKey()) {
+            Craft::$app->getDeprecator()->log('Upper Config: Cloudflare $apiKey', 'Globally scoped Cloudflare API keys are deprecated for security. Create a scoped token instead and use via the `apiToken` key in the driver config.');
 
+            $headers['X-Auth-Key'] = $this->apiKey;
+            $headers['X-Auth-Email'] = $this->apiEmail;
+        } else {
+            $headers['Authorization'] = 'Bearer ' . $this->apiToken;
+        }
+
+        return new Client([
+            'base_uri' => self::API_ENDPOINT,
+            'headers' => $headers,
+        ]);
+    }
+
+    private function usesLegacyApiKey()
+    {
+        return !isset($this->apiToken) && isset($this->apiKey);
+    }
 }