Change Firewall IP based rules with FQDN based

I have a client which uses our applications hosted at URLs (example: *.myurl.com and *.myurl.dev).
So, in order to allow them to access those services behind Cloudflare, I have Firewall access rules which act as a whitelist. This whitelist includes all the IP addresses of our client. So whenever they add a new service or IP address, they request that a new IP address be allowed.

But there is a new application which would need me to allow an FQDN instead of an IP address.
In CFL access rules I can see that IP addresses, subnets and ASNs can be allowed. I would like to allow their FQDN (example: src.IP eq xyz.com) name, which would

  1. Remove the overhead of managing IP addresses.
  2. Allow the new application.
  3. Allow our client more flexibility.

How can I achieve that?

Unfortunately, firewalls don’t work by hostname because they generally don’t do DNS lookups for every request. They use the IP address that’s making the request.

The other option would be to write your own API script that adds whatever IP address they use to the existing rule.

api.cloudflare.com

Thanks, sdayman, for the reply.
Can I use a CFL Worker to achieve this?

I don’t think the Worker is the correct approach, and probably isn’t feasible. It really comes down to implementing a system that makes the API call to change the Firewall IP address.
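A script along the lines sdayman suggests, as an added example that is not from this thread and not Cloudflare's own code: it resolves the client's FQDN, keeps only globally routable answers (a private or loopback address from a misconfigured or spoofed DNS answer should never land in the whitelist), and diffs them against the existing rules so that only rules the script itself created (tagged in the notes field) are ever removed. It assumes the zone-level IP Access Rules endpoint and JSON body shape as documented by Cloudflare, and the ZONE_ID, API_TOKEN and client FQDN values are placeholders.

```python
import ipaddress
import json
import socket
import urllib.request

NOTE_TAG = "fqdn-sync:"   # rules created by this script carry NOTE_TAG + fqdn in "notes"


def resolve_ipv4(fqdn, resolver=socket.getaddrinfo):
    """Return the set of globally routable IPv4 addresses the FQDN currently resolves to."""
    ips = set()
    for _family, _type, _proto, _canon, sockaddr in resolver(fqdn, None, socket.AF_INET):
        ip = ipaddress.ip_address(sockaddr[0])
        if ip.is_global:    # drop private/loopback/reserved answers rather than whitelisting them
            ips.add(str(ip))
    return ips


def plan_changes(fqdn, desired_ips, existing_rules):
    """Diff desired IPs against existing rules; return (ips_to_add, rule_ids_to_remove).

    Only rules tagged for this fqdn are candidates for removal; hand-made rules are left alone
    and are not duplicated if they already cover one of the desired IPs.
    """
    tag = NOTE_TAG + fqdn
    managed = {r["configuration"]["value"]: r["id"] for r in existing_rules
               if r["configuration"]["target"] == "ip" and r.get("notes") == tag}
    other = {r["configuration"]["value"] for r in existing_rules
             if r["configuration"]["target"] == "ip" and r.get("notes") != tag}
    to_add = sorted(set(desired_ips) - set(managed) - other)
    to_remove = sorted(rid for ip, rid in managed.items() if ip not in desired_ips)
    return to_add, to_remove


def apply_changes(zone_id, token, fqdn, to_add, to_remove):
    """Issue the API calls for a plan (needs network access and a scoped API token).

    Assumed endpoint (per Cloudflare's IP Access Rules API):
    POST   .../zones/{zone_id}/firewall/access_rules/rules      body: mode/configuration/notes
    DELETE .../zones/{zone_id}/firewall/access_rules/rules/{id}
    """
    base = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/firewall/access_rules/rules"
    hdrs = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    for ip in to_add:
        body = {"mode": "whitelist", "configuration": {"target": "ip", "value": ip},
                "notes": NOTE_TAG + fqdn}
        req = urllib.request.Request(base, json.dumps(body).encode(), hdrs, method="POST")
        urllib.request.urlopen(req).read()
    for rid in to_remove:
        req = urllib.request.Request(f"{base}/{rid}", headers=hdrs, method="DELETE")
        urllib.request.urlopen(req).read()
```

Listing the current rules (a paginated GET on the same endpoint) is left to the caller; run the script from a scheduler at an interval no longer than the client's DNS TTL, and keep the API token scoped to the firewall edit permission on that zone only.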
