Files

2.3 KiB

Cloudflare Portal Integration

API Token Setup

The portal uses Cloudflare's v4 API for DNS management and (optionally) domain registration.

Minimum token: DNS Edit Only

Permission Level Why
Zone → DNS → Edit All zones View and manage DNS records
Account → Account Settings → Read All accounts List zones, verify token
TTL Never expire No unexpected lockouts

Extended token: Add Registrar access

To view domain expiry dates and purchase/transfer domains:

Additional Permission Level Why
Account → Domain Registration → Read All accounts View expiry, auto-renew status
Account → Domain Registration → Edit All accounts Register new domains, toggle auto-renew

Turnstile (public form protection)

Turnstile is a separate widget key, NOT an API token. Generate at dash.cloudflare.com → Turnstile → Add Widget.

Portal Pages

DNS Zones page

  • Lists all zones with status, plan, record count
  • Links zones to portal customers by domain match
  • Record editor: view/edit/delete DNS records by type, name, content, TTL, proxy status

Registered Domains tab

  • Shows all domains registered through Cloudflare Registrar
  • Columns: domain, expiry date, auto-renew status, days left, linked customer
  • Color coding: green (90+ days), amber (<90 days), red (<30 days or expired)
  • Actions: Renew Now, Details, Register New Domain, Transfer Domain

API Usage

# Verify token
curl -s https://api.cloudflare.com/client/v4/user/tokens/verify

# List zones
curl -s https://api.cloudflare.com/client/v4/zones -H "Authorization: Bearer $TOKEN"

# List DNS records for a zone
curl -s "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" -H "Authorization: Bearer $TOKEN"

# List registered domains (needs registrar permission)
curl -s "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/registrar/domains" -H "Authorization: Bearer $TOKEN"

Token Security

  • Store in ~/.hermes/.env as CLOUDFLARE_API_TOKEN=cfut_...
  • Add to Wasabi backup scope (it's in .env which is in the live sync)
  • If registrar token is created as a separate token, store as CLOUDFLARE_REGISTRAR_TOKEN=
  • Turnstile site key and secret key stored in .env as TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY