Cloudflare API Token Setup Guide
Configure a scoped Cloudflare API token for Æxyr
10 Steps • ~5 Minutes • Cloudflare Free Plan Compatible
Overview
This guide walks through creating a scoped Cloudflare API token with the exact permissions required by Æxyr for automated SSL certificate provisioning, DNS management, and Cloudflare Tunnel integration.
Required Token Permissions
| Scope | Resource | Permission |
|---|---|---|
| Account | Cloudflare Tunnel | Edit |
| Zone | Zone Settings | Read |
| Zone | DNS | Edit |
As a security best practice, scope the token to your specific zone.
1 Navigate to Profile
From the Cloudflare dashboard, click your profile icon in the top-right corner and select Profile from the dropdown menu.
2 Open API Tokens
In the left sidebar of your Profile page, click on API Tokens to access the token management interface.
3 Create Token
Click the + Create Token button in the top-right to begin creating a new scoped API token.
4 Select Edit Zone DNS Template
From the API token templates list, find Edit zone DNS and click Use template. This provides the base DNS editing permissions needed by Æxyr.
5 Add Required Permissions
Click + Add more under Permissions to add the additional permission rows that Æxyr requires beyond basic DNS editing.
6 Configure Token Permissions
Configure three permissions:
- Account > Cloudflare Tunnel > Edit
- Zone > Zone Settings > Read
- Zone > DNS > Edit
Set Zone Resources to Include > Specific zone > your domain. Then select your Account. Click Continue to summary.
7 Review & Create Token
Review the token summary to confirm permissions are correct: Cloudflare Tunnel:Edit at the account level, and Zone Settings:Read + DNS:Edit for your specific zone. Click Create Token.
8 Copy Your API Token
Your token is displayed once. Copy it immediately using the copy icon. This token will not be shown again. You can verify it works using the provided curl command.
9 Store Token in Æxyr
Open the Æxyr Secrets Store and add two entries:
- CFAPI="your-copied-token"
- CFDOMAIN="yourdomain.com"
Æxyr will automatically use these for SSL certificate provisioning and DNS management.
10 (Optional) Access Æxyr UI From Internet
You can also access the Æxyr UI directly from the internet. In your Cloudflare DNS settings, ensure your A record points to your server’s IP address with Proxy status enabled. This allows you to reach the Æxyr interface via your domain from any browser.
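A scripted version of the token check mentioned in step 8, as an added example that is not part of Æxyr or the Cloudflare dashboard. It assumes Cloudflare's `/user/tokens/verify` endpoint and reads the token from a `CFAPI` environment variable (named after the secret in step 9); the function names are illustrative.

```python
import json
import os
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone

# Added example: helper names are illustrative, not part of any Cloudflare SDK.
VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"


def evaluate_verify_response(body, now=None):
    """Return (ok, reason) for a parsed token-verify response body."""
    now = now or datetime.now(timezone.utc)
    if not body.get("success"):
        errors = "; ".join(e.get("message", "?") for e in body.get("errors") or [])
        return False, "API rejected the token: " + (errors or "no error detail")
    result = body.get("result") or {}
    status = result.get("status")
    if status != "active":
        return False, f"token status is {status!r}, expected 'active'"
    expires_on = result.get("expires_on")
    if not expires_on:
        return True, "active, no expiry set"
    expiry = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
    if expiry <= now:
        return False, f"token expired on {expires_on}"
    return True, f"active, expires {expires_on}"


def verify_token(token, timeout=10):
    """Send the token as a Bearer credential; 4xx replies carry a JSON error body too."""
    req = urllib.request.Request(VERIFY_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        body = json.load(exc)
    return evaluate_verify_response(body)


if __name__ == "__main__":
    # Read the token from the environment so it never lands in shell history.
    token = os.environ.get("CFAPI")
    if not token:
        sys.exit("CFAPI is not set")
    ok, reason = verify_token(token)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

The script exits non-zero on a rejected, disabled or expired token, so it can gate a deployment step before the token is written to the Secrets Store.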