This is a follow-up to my previous article on 5 Hard Lessons from Implementing Zapier OAuth in Spring Boot. After solving all the code issues, I hit one more wall.
You've implemented OAuth 2.0 with PKCE. Your E2E tests pass. You deploy to production. Zapier shows:
Oh, foo. Zapier could not connect to your account.
Try connecting again. Or go to your Zaps and try re-enabling them.
The Cloudflare "Just a moment..." page strikes again.
The Symptom
Zapier's OAuth callback hits your /oauth/token endpoint and gets a 403 with an HTML page instead of JSON:
```html
<!DOCTYPE html>
<html lang="en-US">
<head><title>Just a moment...</title>
<!-- Cloudflare challenge page -->
```
Your application logs show nothing, because the request never reaches your application: Cloudflare answers it at the edge.
The Root Cause: Bot Fight Mode
If you have Bot Fight Mode enabled in Cloudflare (Security > Settings > Bot traffic), it challenges Zapier's automated requests, even though Zapier is on Cloudflare's verified bots list.
"Easy fix," I thought. "I'll create a WAF rule to skip Bot Fight Mode for /oauth/* paths."
Wrong.
The Documented Limitation You Won't Find Easily
From Cloudflare's official docs:
"You cannot bypass or skip Bot Fight Mode using the Skip action in WAF custom rules or using Page Rules."
And the explanation:
"Skip, Bypass, and Allow actions apply to rules or rulesets running on the Ruleset Engine. While Super Bot Fight Mode rules are implemented in the Ruleset Engine, Bot Fight Mode checks are not."
Translation: Bot Fight Mode (Free plan) runs outside the normal rule engine. No WAF rule, Page Rule, or IP Access Rule can bypass it for specific paths. It's all-or-nothing.
The Solutions
Option 1: Disable Bot Fight Mode Entirely (Free Plan)
If you're on Cloudflare Free:
- Go to Security > Settings
- Click Bot traffic filter
- Turn off Bot Fight Mode
Your OAuth works. But you lose bot protection everywhere.
Option 2: Upgrade to Pro ($20/month) and Use Super Bot Fight Mode
Super Bot Fight Mode does run in the Ruleset Engine. You can skip it for specific paths.
Step 1: Enable Super Bot Fight Mode
- Upgrade to Cloudflare Pro
- Go to Security > Settings > Bot traffic
- Configure Super Bot Fight Mode:
  - Definitely automated traffic: Block or Managed Challenge
  - Verified bots: Allow
Step 2: Create a Skip Rule for OAuth
- Go to Security > Security rules
- Click Create rule
- Configure:
  - Rule name: Skip SBFM for OAuth
  - Expression: (starts_with(http.request.uri.path, "/oauth/token")) or (starts_with(http.request.uri.path, "/oauth/authorize")) or (starts_with(http.request.uri.path, "/oauth/userinfo"))
  - Action: Skip
  - WAF components to skip: check All Super Bot Fight Mode Rules
- Click Deploy
Step 3: Test Zapier
Retry the OAuth connection; it should now succeed.
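A smoke check that tells a Cloudflare challenge page apart from your application's own OAuth response, so a deploy can fail before Zapier does. This is an added example, not code from the original article or from jo4.io; the sample responses are constructed, and the endpoint host in the usage block is a placeholder you replace with your own.

```python
"""Smoke check: did the OAuth endpoint reply come from the app, or from Cloudflare?"""
import json
import re
import urllib.error
import urllib.request

CHALLENGE_TITLE = re.compile(r"<title>\s*Just a moment\.\.\.", re.IGNORECASE)


def classify_response(status, headers, body):
    """Return 'challenge' (Cloudflare intercepted the request), 'app' (the request
    reached the application and got a JSON body, whatever the status) or 'other'."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    # Cloudflare marks its challenge interstitials with the cf-mitigated header.
    if hdrs.get("cf-mitigated") == "challenge":
        return "challenge"
    content_type = hdrs.get("content-type", "")
    if "text/html" in content_type and CHALLENGE_TITLE.search(body):
        return "challenge"
    if "application/json" in content_type:
        try:
            json.loads(body)
        except ValueError:
            return "other"
        return "app"  # even a 400 invalid_grant proves the request got through
    return "other"


def probe(url, method="GET"):
    """Call an endpoint with a non-browser User-Agent, the way an automation
    platform does, and classify the reply. HTTP errors still carry a body."""
    req = urllib.request.Request(
        url, data=b"" if method == "POST" else None, method=method,
        headers={"User-Agent": "oauth-smoke-check/1.0", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_response(resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, dict(err.headers), err.read().decode("utf-8", "replace"))
    except urllib.error.URLError:
        return "unreachable"


# Constructed samples: the blocked case from the article, and the app's own error reply.
CHALLENGE_SAMPLE = (403, {"Content-Type": "text/html; charset=UTF-8", "cf-mitigated": "challenge"},
                    '<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title></head></html>')
APP_SAMPLE = (400, {"Content-Type": "application/json"}, '{"error":"invalid_grant"}')

if __name__ == "__main__":
    for path in ("/oauth/token", "/oauth/authorize", "/oauth/userinfo"):
        # Placeholder host; the token endpoint is POST, the other two GET.
        print(path, probe("https://example.invalid" + path, "POST" if path.endswith("/token") else "GET"))
```

Any result other than "app" for one of the three paths means the Skip rule is not matching and Zapier will still see the "Just a moment..." page.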
Why This Matters
| Plan | Bot Protection | Can Skip for APIs? |
|---|---|---|
| Free | Bot Fight Mode | No |
| Pro ($20/mo) | Super Bot Fight Mode | Yes |
If you're building integrations with Zapier, Make.com, n8n, or any other automation platform, you need the ability to exempt your OAuth endpoints from bot challenges. That requires Pro.
The Cost-Benefit
$20/month for Cloudflare Pro gives you:
- Super Bot Fight Mode with path-based exceptions
- Better analytics
- Polish Rules (5 vs 0)
- Faster support
For a production SaaS with third-party integrations, it's worth it. The alternative is no bot protection at all.
TL;DR
- Bot Fight Mode (Free): Cannot be bypassed for specific paths. All or nothing.
- Super Bot Fight Mode (Pro): Can be skipped using WAF custom rules.
- The fix: Upgrade to Pro, enable SBFM, and create a Skip rule for /oauth/* paths.
OAuth integration isn't done until Cloudflare lets the requests through.
Building jo4.io - URL shortener with Zapier, Make.com, and n8n integrations.