Cloudflare
Dotnify connects to Cloudflare using an API Token (not the Global API Key). The token is sent as a Bearer token in the Authorization header when calling the Cloudflare API v4.
Creating an API Token
- Log in to the Cloudflare dashboard
- Go to My Profile → API Tokens
- Click Create Token
- Use the Edit zone DNS template (recommended), or create a custom token
Recommended Permissions
For Dotnify to manage your DNS records, the token needs at minimum:
| Permission | Scope |
|---|---|
| Zone - DNS - Edit | Specific zones or All zones |
| Zone - Zone - Read | Specific zones or All zones |
If you want Dotnify to list all your zones (for the zone selection step), the token must have Zone - Zone - Read permission on the zones you want to manage.
Using the "Edit zone DNS" Template
The built-in template provides the correct permissions. When using it:
- Under Zone Resources, select which zones the token can access
  - All zones — the token can access every zone in your account
  - Specific zone → select individual zones
- Click Continue to summary → Create Token
- Copy the token value — you won't be able to see it again
Adding the Provider in Dotnify
- Go to Providers → Add provider
- Select Cloudflare as the provider type
- Enter a Display name (e.g. "Production Cloudflare", "Staging Cloudflare")
- Paste the API token
- Click Verify & continue
Dotnify will call Cloudflare's /user/tokens/verify endpoint to validate the token, then fetch your zones. If verification fails, check that:
- The token was copied correctly (no trailing spaces)
- The token has not expired
- The token has the required permissions
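The three checks above can be scripted outside Dotnify. The following is an added example, not Dotnify's own code: the function names are hypothetical, the response fields (`success`, `errors[].message`, `result.status`) follow Cloudflare's v4 response envelope, and the sample body is constructed.

```python
import json
import urllib.error
import urllib.request

VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"

def mask(token):
    """Mask a token for logs, keeping at most the last 4 characters."""
    visible = token[-4:] if len(token) > 4 else ""
    return "*" * (len(token) - len(visible)) + visible

def preflight(raw):
    """Local check on the pasted value; returns (token, was_trimmed)."""
    token = raw.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("token is empty or contains whitespace")
    return token, token != raw

def interpret(body):
    """Map a /user/tokens/verify response body to one of the checks above."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = None
    if not isinstance(data, dict):
        return "unparseable response (is something intercepting the request?)"
    if not data.get("success"):
        msgs = "; ".join(e.get("message", "") for e in data.get("errors", []))
        return f"rejected ({msgs or 'no message'}): re-copy the token"
    status = (data.get("result") or {}).get("status")
    if status != "active":
        return f"status {status!r}: token expired or disabled, create a new one"
    return "active: if zones are missing, review the token's permissions"

def verify(raw):
    """Call the verify endpoint with the token as a Bearer token."""
    token, trimmed = preflight(raw)
    req = urllib.request.Request(VERIFY_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx replies still carry a JSON body
        body = err.read().decode("utf-8", "replace")
    note = " (whitespace trimmed)" if trimmed else ""
    return f"{mask(token)}{note}: {interpret(body)}"

if __name__ == "__main__":
    # Constructed sample body, not captured from a real account.
    sample = '{"success": true, "errors": [], "result": {"id": "x", "status": "expired"}}'
    print(interpret(sample))
```

Only the masked form of the token appears in the returned string, so the output can be pasted into a ticket or log.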
Selecting Zones
After verification, Dotnify shows all zones accessible with the token. You can:
- Check specific zones to manage only those domains
- Leave all unchecked to manage every accessible zone
You can change the zone selection later by editing the provider.
How Dotnify Uses the Token
Dotnify stores the API token in Redis and uses it to make direct calls to the Cloudflare API v4:
| Operation | Cloudflare Endpoint |
|---|---|
| Verify token | GET /client/v4/user/tokens/verify |
| List zones | GET /client/v4/zones |
| List records | GET /client/v4/zones/{zoneId}/dns_records |
| Create record | POST /client/v4/zones/{zoneId}/dns_records |
| Update record | PATCH /client/v4/zones/{zoneId}/dns_records/{recordId} |
| Delete record | DELETE /client/v4/zones/{zoneId}/dns_records/{recordId} |
Cloudflare-Specific Features
TTL Auto Mode
Cloudflare supports automatic TTL. In Dotnify, set TTL to 1 to enable Auto TTL. The UI shows "Auto" when TTL is 1.
Proxied Records (Orange Cloud)
Cloudflare allows DNS records to be proxied through their network. When creating or editing a record in Dotnify, you can toggle the Proxied checkbox. This is only available for Cloudflare providers.
Record Comments
Cloudflare supports comments on DNS records. Dotnify preserves comments when reading and displaying records.
Security Notes
- The API token is stored in plaintext in Redis (current MVP design). Protect your Redis instance with strong credentials.
- When the provider list is returned via the API, tokens are masked — only the last 4 characters are visible.
- When editing a provider, you can leave the token field blank to keep the current token unchanged.
- The token is never sent to the client-side JavaScript — all Cloudflare API calls are made server-side.