Manage sub-domain as separate site for API access

Greetings,

I’m wondering if I’m missing something from the documentation. I’m completely aware of how Name Server records work when delegating DNS authority for a sub-zone and that’s not what I’m looking for.

The problem I’m finding with Cloudflare is that you cannot effectively make use of the API and ensure that API blast radius is mitigated by only granting access to DNS records of a sub-zone.

From what I can tell, API access grants access to the entire zone that API key was created in.

Is there a way to ensure that only DNS records for a sub-zone are editable?

Cheers

A “sub-zone”? Are you saying you delegated a subdomain to Cloudflare and the parent domain isn’t using Cloudflare?