Cloudflare Domains
Cloudflare Domains integration allows your product to manage DNS zones, domain registrations, records, and settings for users who host their domains with Cloudflare. This integration enables automated domain provisioning, DNS management, SSL control, and zone synchronization for security, deployment, and multi-cloud orchestration use cases.
Credentials Needed
To connect to the Cloudflare Domains API, you need an API Token or an API Key associated with your Cloudflare account.
Recommended Method (API Token):
- Cloudflare API Token
- Account ID
Alternative Method (Legacy Global API Key):
- Cloudflare Global API Key
- Cloudflare Email Address
- Account ID
It's recommended to use an API Token with fine-grained permissions instead of the global key for security reasons.
Permissions Needed / API Scopes
Your API Token must have Domain and Zone-level permissions for managing DNS and domain records.
| Permission | Scope | Description |
|---|---|---|
| Zone: Read | Account / Specific Zone | View zone and domain info |
| Zone: Edit | Account / Specific Zone | Modify DNS settings, SSL, and records |
| DNS: Read | Account / Specific Zone | Read DNS record data |
| DNS: Edit | Account / Specific Zone | Create, update, or delete DNS records |
| Domain: Read | Account | View registered domains |
| Domain: Edit | Account | Register, renew, and manage domains (if applicable) |
Minimum required permissions:
Zone:ReadDNS:Read
For full DNS and domain automation:
Zone:Edit,DNS:Edit,Domain:Read, andDomain:Edit
Creating Users / Access Tokens
Step 1: Generate an API Token
- Go to Cloudflare Dashboard → Profile → API Tokens https://dash.cloudflare.com/profile/api-tokens
- Click Create Token
- Under "Create Custom Token", choose Start with Template → Edit Cloudflare DNS
- Modify permissions if needed:
- Zone → Read / Edit
- DNS → Read / Edit
- Domain → Read / Edit
- Under Zone Resources, select "All Zones" or limit to specific zones
- Click Continue to Summary → Create Token
- Copy the API Token — it will only be displayed once
Step 2 (Alternative): Using Global API Key
If your system still uses the older API Key authentication:
- Go to Profile → API Keys → Global API Key
- Click View Global API Key
- Copy your key securely
- You will also need your Cloudflare Email Address for authentication
Test Connectivity
You can verify domain-level access using the Cloudflare REST API and curl:
# List all zones (domains) accessible with your credentials
curl -X GET "https://api.cloudflare.com/client/v4/zones" \
-H "Authorization: Bearer <CLOUDFLARE_API_TOKEN>" \
-H "Content-Type: application/json"
# Example response: JSON list of your domains and zone IDs
To get DNS records for a domain:
curl -X GET "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/dns_records" \
-H "Authorization: Bearer <CLOUDFLARE_API_TOKEN>" \
-H "Content-Type: application/json"
If you receive a valid JSON response, your API Token or Key has been configured correctly.
Save the Results in the Platform and Create Connection
- In your product's integration settings, securely store:
CLOUDFLARE_API_TOKENCLOUDFLARE_ACCOUNT_ID- (Optional)
CLOUDFLARE_ZONE_ID
- Label the connection as Cloudflare Domains Integration
- Test the connection by listing zones or retrieving DNS records
- Store connection metadata for automated domain sync or DNS record updates
Best Practices
- Always use API Tokens with least privilege access instead of the global API key
- Scope tokens to specific zones whenever possible — avoid "All zones" access unless required
- Store all credentials securely in an encrypted vault or secret manager
- Rotate API Tokens periodically (e.g., every 90 days)
- Log API usage and errors to monitor rate limits and failures
- Handle API rate limits (429 responses) with exponential backoff
- Use the Cloudflare Zones API to automatically discover and manage domain configurations
- If your integration automates DNS changes, log all record modifications for audit and rollback
- When performing frequent updates, use Cloudflare's batch DNS API endpoints to minimize requests