Cloudflare has published a list of best practices for using it with APIs.
TL;DR, they recommend setting a page rule that matches all API requests and putting the following settings on it:
- Cache Level: Bypass
- Always Online: OFF
- Web Application Firewall: OFF
- Security Level: Anything but “I’m under attack”
- Browser Integrity Check: OFF
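
A check for the settings listed above, as an added example that is not part of the original post or Cloudflare's own code: it audits one page rule, in the JSON shape the Cloudflare Page Rules API returns, against that list. The function name, the sample rule and the hostname `api.example.com` are constructed for illustration.

```python
import json

# Settings from the list above, keyed by Page Rules API action id.
RECOMMENDED = {
    "cache_level": "bypass",
    "always_online": "off",
    "waf": "off",
    "browser_check": "off",
}
# "Anything but I'm under attack": only this one value is excluded.
FORBIDDEN_SECURITY_LEVEL = "under_attack"

# Constructed sample rule (not taken from a real zone).
SAMPLE_RULE = json.loads("""
{
  "targets": [{"target": "url",
               "constraint": {"operator": "matches",
                              "value": "api.example.com/*"}}],
  "actions": [
    {"id": "cache_level", "value": "bypass"},
    {"id": "always_online", "value": "on"},
    {"id": "security_level", "value": "under_attack"},
    {"id": "browser_check", "value": "off"}
  ],
  "status": "active"
}
""")

def audit_page_rule(rule):
    """Return a list of deviations from the recommended API settings."""
    actions = {a["id"]: a.get("value") for a in rule.get("actions", [])}
    findings = []
    for action_id, wanted in RECOMMENDED.items():
        got = actions.get(action_id)
        if got is None:
            # An action missing from the rule falls back to the zone setting.
            findings.append(f"{action_id}: not set on this rule, want {wanted}")
        elif got != wanted:
            findings.append(f"{action_id}: {got}, want {wanted}")
    if actions.get("security_level") == FORBIDDEN_SECURITY_LEVEL:
        findings.append("security_level: under_attack is excluded by the list")
    if rule.get("status") != "active":
        findings.append("rule is not active")
    return findings

if __name__ == "__main__":
    for finding in audit_page_rule(SAMPLE_RULE):
        print(finding)
```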