API authentication failing

I have a similar issue. I was trying to create a purge API call.

Request:
curl -X POST "https://api.cloudflare.com/client/v4/zones//purge_cache" \
-H "X-Auth-Email: me@MYDOMAIN-com" \
-H "X-Auth-Key: CFAU1mImL_xxxMY_AUTH_KEY" \
-H "Content-Type: application/json" \
--data '{"hosts":["dev.MYDOMAIN-com"]}'

Response:
{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6111,"message":"Invalid format for Authorization header"}]}],"messages":[],"result":null}

Isn't there the zone identifier missing?

My bad, the “<” “>” did not get picked up. I masked it with “MYZONE ID”
curl -X POST "https://api.cloudflare.com/client/v4/zones/MYZONE ID/purge_cache" \

The error message specifically refers to the authorisation header; however, I still wonder where you got that “hosts” field from.

Make sure your request matches the example at Cloudflare API v4 Documentation

Ohh, you got it from Cloudflare API v4 Documentation. That only works on Enterprise plans.

I tried -

Request:
curl -X POST "https://api.cloudflare.com/client/v4/zones/MyZone/purge_cache" \
-H "X-Auth-Email: MyEmail" \
-H "X-Auth-Key: MyAuthKey" \
-H "Content-Type: application/json" \
--data '{"purge_everything":true}'

Response:
{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}

I would double check the mentioned header. You seemingly send an invalid value.

Am I doing something wrong?? Can you please paste a working sample?

Simply follow the example given and verify it against your call.

You have to add "Bearer " as a prefix to the actual key. You may also need to change X-Auth-Key to “Authorization”.

Note: as discussed further there’s a difference between API Key and API Token

I am afraid that is not really accurate. You are referring to the usage of tokens, the OP asked about the API key.

OK - still good to have a note here that there’s a practical difference between API Keys and API Tokens.

In my case, I just wanted to get it working following some examples - with ddclient - which was a bit of a pain.

Either way - using a global API key for DNS changes sounds a bit dangerous to me. Having said that - I had to give my token access to all DNS zones as limiting it to one zone ended up with an “unauthorized” error.
… but that’s for another discussion
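
Added example, not part of any post in this thread: a small shell helper that emits the auth headers for the two credential types contrasted above (X-Auth-Email plus X-Auth-Key for an API key, Authorization: Bearer for an API token), rejects values that would produce a malformed header, and hands the headers to curl on stdin so the secret stays out of the process list. The function names and the CF_KIND, CF_CRED, CF_EMAIL and CF_ZONE_ID variables are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. cf_auth_config, cf_purge_everything and
# the CF_* variables are hypothetical names chosen for this illustration.

# Print curl config lines carrying the auth headers for one credential type.
#   $1 = "key"   -> API key:   X-Auth-Email + X-Auth-Key ($3 = account email)
#   $1 = "token" -> API token: Authorization: Bearer <token>
cf_auth_config() (
  kind=$1 cred=$2 email=$3
  LC_ALL=C   # byte-wise matching, so the range below means printable ASCII
  case $cred in
    '')           echo "empty credential" >&2; exit 2 ;;
    [Bb]earer\ *) echo "pass the bare token, without the Bearer prefix" >&2; exit 2 ;;
  esac
  case "$cred$email" in
    *[!!-~]*|*\"*|*\\*) echo "whitespace, quotes or non-ASCII bytes in value" >&2; exit 2 ;;
  esac
  case $kind in
    key)
      [ -n "$email" ] || { echo "API key auth also needs the account email" >&2; exit 2; }
      printf 'header = "X-Auth-Email: %s"\n' "$email"
      printf 'header = "X-Auth-Key: %s"\n' "$cred"
      ;;
    token)
      printf 'header = "Authorization: Bearer %s"\n' "$cred"
      ;;
    *) echo "kind must be key or token" >&2; exit 2 ;;
  esac
)

# Purge everything for one zone. Headers reach curl via stdin (-K -), not argv;
# if validation fails, no request is sent at all.
cf_purge_everything() {
  cfg=$(cf_auth_config "$CF_KIND" "$CF_CRED" "$CF_EMAIL") || return 2
  printf '%s\n' "$cfg" | curl -sS -K - -X POST \
    "https://api.cloudflare.com/client/v4/zones/$CF_ZONE_ID/purge_cache" \
    -H "Content-Type: application/json" \
    --data '{"purge_everything":true}'
}
```

Set the CF_* variables from a secrets store or a prompt rather than typing the credential on the command line, then call cf_purge_everything.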