Cloudflare Domains

Cloudflare Domains integration allows your product to manage DNS zones, domain registrations, records, and settings for users who host their domains with Cloudflare.

This integration enables automated domain provisioning, DNS management, SSL control, and zone synchronization for security, deployment, and multi-cloud orchestration use cases.

Credentials Needed

To connect to the Cloudflare Domains API, you need an API Token or an API Key associated with your Cloudflare account.

Recommended Method (API Token)

• Cloudflare API Token
• Account ID

Alternative Method (Legacy Global API Key)

• Cloudflare Global API Key
• Cloudflare Email Address
• Account ID

It's recommended to use an API Token with fine-grained permissions instead of the global key for security reasons.

Permissions Needed / API Scopes

Your API Token must have Domain and Zone-level permissions for managing DNS and domain records.

Permission	Scope	Description
Zone: Read	Account / Specific Zone	View zone and domain info
Zone: Edit	Account / Specific Zone	Modify DNS settings, SSL, and records
DNS: Read	Account / Specific Zone	Read DNS record data
DNS: Edit	Account / Specific Zone	Create, update, or delete DNS records
Domain: Read	Account	View registered domains
Domain: Edit	Account	Register, renew, and manage domains (if applicable)

Minimum required permissions:

• Zone:Read
• DNS:Read

For full DNS and domain automation:

• Zone:Edit, DNS:Edit, Domain:Read, and Domain:Edit

Creating Users / Access Tokens

Step 1: Generate an API Token

1. Go to Cloudflare Dashboard → Profile → API Tokens: https://dash.cloudflare.com/profile/api-tokens
2. Click Create Token.
3. Under "Create Custom Token", choose Start with Template → Edit Cloudflare DNS.
4. Modify permissions if needed:
   • Zone → Read / Edit
   • DNS → Read / Edit
   • Domain → Read / Edit
5. Under Zone Resources, select "All Zones" or limit to specific zones.
6. Click Continue to Summary → Create Token.
7. Copy the API Token — it will only be displayed once.

Step 2 (Alternative): Using Global API Key

If your system still uses the older API Key authentication:

1. Go to Profile → API Keys → Global API Key
2. Click View Global API Key
3. Copy your key securely
4. You will also need your Cloudflare Email Address for authentication

Test Connectivity

You can verify domain-level access using the Cloudflare REST API and curl:

# List all zones (domains) accessible with your credentials
curl -X GET "https://api.cloudflare.com/client/v4/zones" \
  -H "Authorization: Bearer <CLOUDFLARE_API_TOKEN>" \
  -H "Content-Type: application/json"

# Example response: JSON list of your domains and zone IDs

To get DNS records for a domain:

curl -X GET "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
  -H "Authorization: Bearer <CLOUDFLARE_API_TOKEN>" \
  -H "Content-Type: application/json"

If you receive a valid JSON response, your API Token or Key has been configured correctly.

Save the Results in the Platform and Create Connection

In your product's integration settings, securely store:

• CLOUDFLARE_API_TOKEN
• CLOUDFLARE_ACCOUNT_ID
• (Optional) CLOUDFLARE_ZONE_ID

Label the connection as Cloudflare Domains Integration.

Test the connection by listing zones or retrieving DNS records.

Store connection metadata for automated domain sync or DNS record updates.

Best Practices

• Always use API Tokens with least privilege access instead of the global API key.
• Scope tokens to specific zones whenever possible — avoid "All zones" access unless required.
• Store all credentials securely in an encrypted vault or secret manager.
• Rotate API Tokens periodically (e.g., every 90 days).
• Log API usage and errors to monitor rate limits and failures.
• Handle API rate limits (429 responses) with exponential backoff.
• Use the Cloudflare Zones API to automatically discover and manage domain configurations.
• If your integration automates DNS changes, log all record modifications for audit and rollback.
• When performing frequent updates, use Cloudflare's batch DNS API endpoints to minimize requests.