Bug in list zones endpoint when using API token?

Prior to the introduction of API tokens, I had been using the Global API key and a call to GET /client/v4/zones?name=myzone.com to check for the existence of a given zone on my account.

Whether the specified zone existed or not, the call always returned an HTTP 200 json result. If the zone didn’t exist, the result object was simply empty and result_info contained properties like count=0 and total_count=0.

Now I’m testing the same code using an API token that has been given the following permissions:

  • Zone - Zone Settings - Read
  • Zone - Zone - Read
  • Zone - DNS - Edit
  • Include: All zones

When the zone exists, everything works just like before with the Global API key. But when the zone doesn’t exist, I now get an HTTP 403 error with the following body:

"message":"Actor 'com.cloudflare.api.token.REDACTED' requires permission 'com.cloudflare.api.account.zone.list' to list zones"

Is this a bug or working as intended? I tried adding every other zone/account related READ permission I could find to the token, but nothing seemed to help.


I seem to be having a similar issue. I am using the acme.sh script to generate SSL certs based on DNS, but I keep getting a permission issue just like you. Global key works but my token doesn’t. Were you able to resolve this?

Coincidentally, I also ran into this issue in the context of an ACME client. https://github.com/rmbolger/Posh-ACME/issues/176

I also have a Cloudflare support case open about it, but no resolution yet. In the meantime, I worked around the problem by updating the plugin to list all zones on the account and check for existence locally.
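The workaround described above, written out as an added Python example (not code from Posh-ACME or the original post): try the filtered lookup first, and on the token-scope 403 fall back to paging through all zones and matching the name locally. The HTTP responses are constructed samples standing in for the Cloudflare API, and the zone ids are placeholders.

```python
from urllib.parse import urlencode

# Constructed sample responses (not real captures) keyed by request path.
# The filtered lookup for a missing zone returns the 403 seen in the thread;
# the unfiltered listing always returns 200 with pagination metadata.
SAMPLE_RESPONSES = {
    "/client/v4/zones?name=exists.example": (200, {
        "success": True,
        "result": [{"id": "ZONE_ID_PLACEHOLDER", "name": "exists.example"}],
        "result_info": {"count": 1, "total_count": 1}}),
    "/client/v4/zones?name=missing.example": (403, {
        "success": False, "result": None,
        "errors": [{"code": 0, "message": "Actor 'com.cloudflare.api.token.REDACTED' "
                    "requires permission 'com.cloudflare.api.account.zone.list' to list zones"}]}),
    "/client/v4/zones?page=1&per_page=50": (200, {
        "success": True,
        "result": [{"id": "ZONE_ID_PLACEHOLDER", "name": "exists.example"},
                   {"id": "OTHER_ID_PLACEHOLDER", "name": "other.example"}],
        "result_info": {"page": 1, "per_page": 50, "total_pages": 1, "count": 2, "total_count": 2}}),
}

def fake_get(path):
    """Stand-in transport returning (status, json_body); a real client would
    send the request with an 'Authorization: Bearer <token>' header."""
    return SAMPLE_RESPONSES[path]

def zone_exists(name, get=fake_get, per_page=50):
    """Return (exists, how): 'filter' when the name-filtered call answered,
    'list' when the token-scope 403 forced a local match over all zones."""
    status, body = get("/client/v4/zones?" + urlencode({"name": name}))
    if status == 200:
        # Global API key behaviour: 200 with an empty result when the zone is absent.
        return len(body["result"]) > 0, "filter"
    scope_error = status == 403 and any(
        "zone.list" in e.get("message", "") for e in body.get("errors", []))
    if not scope_error:
        raise RuntimeError(f"unexpected HTTP {status}: {body}")
    page = 1
    while True:
        status, body = get("/client/v4/zones?" + urlencode({"page": page, "per_page": per_page}))
        if status != 200:
            raise RuntimeError(f"listing zones failed with HTTP {status}")
        if any(z["name"].lower() == name.lower() for z in body["result"]):
            return True, "list"
        if page >= body["result_info"]["total_pages"]:
            return False, "list"
        page += 1
```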

In the 7-month-old support ticket I have open about this issue, a support rep just confirmed that this is a technical limitation in the way the limited scope API architecture was designed and that the engineering team is not planning on fixing it anytime soon.

So…bummer I guess.