Cloudflare
Cloudflare provides a comprehensive platform for DNS management, CDN, security, serverless computing (Workers), object storage (R2), and more. Use the REST API to manage zones, DNS records, Workers scripts, KV namespaces, R2 buckets, and firewall rules programmatically.
Official docs:
https://developers.cloudflare.com/api/
When to Use
Use this skill when you need to:
- Manage DNS records (create, update, delete A, AAAA, CNAME, MX, TXT records)
- List and configure zones and zone settings
- Deploy and manage Workers scripts
- Manage R2 object storage buckets
- Configure firewall rules and security settings
- Query analytics and logs
Prerequisites
- Create a Cloudflare account at https://dash.cloudflare.com/sign-up
- Go to My Profile > API Tokens and click Create Token
- Choose a template (e.g., "Edit zone DNS") or create a custom token with required permissions
- Copy the generated token immediately (it is only shown once)
Set environment variables:
export CLOUDFLARE_TOKEN="your-api-token"
For zone-specific operations, you also need your Zone ID (found on the zone overview page in the dashboard):
export CLOUDFLARE_ZONE_ID="your-zone-id"
For account-level operations (Workers, R2), you need your Account ID (found on the dashboard overview):
export CLOUDFLARE_ACCOUNT_ID="your-account-id"
How to Use
Base URL
All API requests use: https://api.cloudflare.com/client/v4
1. Verify Token
curl -s "https://api.cloudflare.com/client/v4/user/tokens/verify" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
2. List Zones
curl -s "https://api.cloudflare.com/client/v4/zones" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
3. Get Zone Details
curl -s "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
4. List DNS Records
curl -s "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)/dns_records" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
5. Create DNS Record
Write to /tmp/cloudflare_request.json:
{
"type": "A",
"name": "sub.example.com",
"content": "1.2.3.4",
"ttl": 3600,
"proxied": false
}
Then run:
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)/dns_records" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" --header "Content-Type: application/json" -d @/tmp/cloudflare_request.json | jq .
6. Update DNS Record
Write to /tmp/cloudflare_request.json:
{
"type": "A",
"name": "sub.example.com",
"content": "5.6.7.8",
"ttl": 3600,
"proxied": true
}
Then run:
curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)/dns_records/RECORD_ID" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" --header "Content-Type: application/json" -d @/tmp/cloudflare_request.json | jq .
7. Delete DNS Record
curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)/dns_records/RECORD_ID" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
8. List Workers Scripts
curl -s "https://api.cloudflare.com/client/v4/accounts/$(printenv CLOUDFLARE_ACCOUNT_ID)/workers/scripts" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
9. List KV Namespaces
curl -s "https://api.cloudflare.com/client/v4/accounts/$(printenv CLOUDFLARE_ACCOUNT_ID)/storage/kv/namespaces" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
10. List R2 Buckets
curl -s "https://api.cloudflare.com/client/v4/accounts/$(printenv CLOUDFLARE_ACCOUNT_ID)/r2/buckets" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
11. Purge Zone Cache
Write to /tmp/cloudflare_request.json:
{
"purge_everything": true
}
Then run:
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)/purge_cache" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" --header "Content-Type: application/json" -d @/tmp/cloudflare_request.json | jq .
12. List Firewall Rules
curl -s "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)/firewall/rules" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
13. Get Zone Analytics
curl -s "https://api.cloudflare.com/client/v4/zones/$(printenv CLOUDFLARE_ZONE_ID)/analytics/dashboard?since=-1440&continuous=true" --header "Authorization: Bearer $(printenv CLOUDFLARE_TOKEN)" | jq .
Common DNS Record Types
| Type | Purpose | Example Content |
|------|---------|-----------------|
| A | IPv4 address | 1.2.3.4 |
| AAAA | IPv6 address | 2001:db8::1 |
| CNAME | Alias to another domain | example.com |
| MX | Mail server | mail.example.com (with priority) |
| TXT | Text record (SPF, DKIM, etc.) | v=spf1 include:_spf.google.com ~all |
| NS | Name server | ns1.example.com |
| SRV | Service locator | Service-specific format |
Guidelines
- Use API Tokens over Global API Key: API tokens provide scoped, least-privilege access and are the recommended authentication method
- Pagination: List endpoints return paginated results (default 20-100 per page). Use
pageandper_pagequery parameters to iterate - Response Structure: All responses include
success,errors,messages, andresultfields. Always checksuccessbefore usingresult - Proxied Records: Setting
proxied: trueroutes traffic through Cloudflare CDN and enables security features. Not all record types support proxying - Zone ID vs Domain Name: Most API endpoints require the Zone ID (a 32-character hex string), not the domain name
- Account ID: Workers, R2, KV, and other account-level resources require the Account ID instead of Zone ID
- Rate Limits: Cloudflare API has rate limits per token. Monitor response headers and implement backoff if you receive 429 responses