ADR-012: Cloudflare native non-human-identity primitives — DEFERRED

Status: Deferred explicitly
Date: 2026-04-17 proposed, 2026-04-22 deferral formalized
Deciders: Mishaal Murawala

Context

Cloudflare shipped non-human-identity primitives (scannable tokens, OAuth visibility, scoped permissions) as a platform feature in April 2026. V5 currently manages OAuth via ADR-005 (Durable Objects with alarm-based refresh).

The question: should V5 migrate part of its token management to CF’s platform primitives?

Decision

Defer explicitly. Do NOT evaluate, spike, or migrate in 2026 Q2.

Rationale

  1. ADR-005 is working. DO-based token management has zero observed incidents since deploy. Refresh alarms fire reliably.
  2. “Migrate a working system to new platform primitives” has a weak forcing function. No tenant or consumer is asking for it.
  3. CF’s non-human-identity (NHI) primitives are <6 months old. Platform maturity is unknown, so adopting now carries early-adopter risk.
  4. Opportunity cost. The engineering time to evaluate and migrate is better spent on ADR-016 (Context Plane), which has a clear business case.

Re-evaluation trigger

Revisit ADR-012 when ANY of:

  • A real token-management incident occurs (expired token not refreshed, leaked credential, scope drift).
  • CF announces Durable Objects deprecation for OAuth token stores.
  • V5 adds 3+ new tenants — at which point the DO management overhead may exceed platform primitive TCO.
  • Kahuna hits SOC 2 and auditors flag DO-based token storage.

Status

Won’t work on this in 2026. If 2027 brings one of the re-evaluation triggers, file ADR-012a.