Manage sub-domain as separate site for API access


I’m wondering if I’m missing something from the documentation. I’m completely aware of how Name Server records work when delegating DNS authority for a sub-zone and that’s not what I’m looking for.

The problem I’m finding with Cloudflare is that you cannot effectively make use of the API and ensure that API blast radius is mitigated by only granting access to DNS records of a sub-zone.

From what I can tell, API access grants access to the entire zone that API key was created in.

Is there a way to ensure that only DNS records for a sub-zone are editable?


A “sub-zone”? Are you saying you delegated a subdomain to Cloudflare and the parent domain isn’t using Cloudflare?

@sdayman I believe JD is saying that he wants to be able to assign API Token permissions to only a single sub-domain, not the entire zone.

I have the same problem. We’re looking at auto-generating ssl certificates using posh-acme and we can supply a cloudflare API key to automatically handle the cname record for us. However, we don’t want this token to have permissions to other subdomains as it could impact production clients.

Is there a way to have an API Token with permissions to only a single subdomain, or to split a sub-domain into its own zone so the access of an API Token can be limited to that.

The problem is that this API token would need permission to to control an unknown DNS record, as that record does not exist. So it needs permission to edit the Zone DNS itself.

I can only think of an in-house solution where your process only allows input for the one-and-only hostname (subdomain) of the client, and then makes the API call on their behalf.