Having different api key per domain (October 2020 update)


Just want to ask for an update on a fundamental security issue raised a long time ago and closed with ‘closed beta’ ongoing resolution…
Ref: Having different api key per domain

This should be possible now by using API Tokens.

But how to create those tokens from the UI or via API calls? I can't see any way to define subdomain level tokens for DNS edit… only full site zone can be selected.

There are no subdomain level filters for the API, other than if you have an Enterprise zone (which allows all sorts of fun things, and I believe there is a way to accomplish this although it is a bit more complex).

If you want that level of control you’ll need to implement it yourself.
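
One way to build the "implement it yourself" control from the reply above, as an added example that is not part of the original thread and not Cloudflare's code: a gateway keeps the zone-wide API token to itself and checks each caller's internal key against a subdomain allowlist before it forwards any DNS edit. The keys, the `POLICY` table, the `example.com` names and the function names are all hypothetical.

```python
import hashlib
import hmac

# Constructed policy: SHA-256 of each internal key -> subdomains it may edit.
# The real zone-wide Cloudflare token lives only on the gateway (assumption).
POLICY = {
    hashlib.sha256(b"team-a-key").hexdigest(): ["team-a.example.com"],
    hashlib.sha256(b"team-b-key").hexdigest(): ["team-b.example.com",
                                                "b-staging.example.com"],
}

def normalize(name):
    """Lowercase, drop one trailing dot, reject malformed names."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if not name or len(name) > 253 or any(not l or len(l) > 63 for l in labels):
        raise ValueError("malformed DNS name: %r" % name)
    return name

def in_subtree(record_name, subdomain):
    """True if record_name is the subdomain itself or sits below it.

    The match is on a label boundary, so 'evilteam-a.example.com' does not
    pass as part of 'team-a.example.com'.
    """
    record_name, subdomain = normalize(record_name), normalize(subdomain)
    return record_name == subdomain or record_name.endswith("." + subdomain)

def authorize(internal_key, record_name):
    """Return True only if this key's policy covers record_name."""
    digest = hashlib.sha256(internal_key.encode()).hexdigest()
    allowed = []
    for stored, subdomains in POLICY.items():
        if hmac.compare_digest(stored, digest):
            allowed = subdomains
    try:
        return any(in_subtree(record_name, s) for s in allowed)
    except ValueError:
        return False  # malformed names are denied, never forwarded
```

The gateway would call `authorize()` on the record name of every create, update or delete request and only then use its own token against the zone.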

Hm… we got EE zone, but how can we implement those restrictions inside a single zone controlled by a single token or tokens? Right now I can’t see a solution here.

Hi @yuriy_kobets,

If you have an Enterprise plan, this should be possible with subdomain zones. Essentially adding a subdomain as its own zone, where you would normally see domains listed. This gives you more control, including subdomain level permissions with the API. You would be best discussing this with your account team. As far as I am aware, you can’t do it with a subdomain not as its own zone, but they may be able to advise more.

You should be able to select a specific zone at least in API token creation.


Only to the zone level, but they added record-level restrictions later in the thread.

Yeah, for subdomain level you need, as @domjh stated, a CF Enterprise plan and to set up the subdomain as a zone itself.

see https://support.cloudflare.com/hc/en-us/articles/360026440252-Understanding-Subdomain-Support


