Permissions Needed for Snippets?

Hi,

I seem to be unable to access the https://api.cloudflare.com/client/v4/zones/'.$myzone.'/snippets/snippet_rules endpoint.

I have enabled user permissions for ‘Snippet [edit]’ and I am using the same Zone ID that I’m using for my custom purge code that seems ok.

Is there another permission that needs to be added other than Snippet?

Here is a simple example of the code I am running:

PHP CURL:


$firewallrules=array();
		$firewallrules[]='{"enabled": false, "expression": "", "snippet_name": "test"}';
		$token='Bearer my token';
		$myzone='my zone ID';			//must retrieve through API.  ($urlcf='https://api.cloudflare.com/client/v4/zones)

		$urlcf='https://api.cloudflare.com/client/v4/zones/'.$myzone.'/snippets/snippet_rules';

		$curl = curl_init();
		curl_setopt($curl, CURLOPT_URL, $urlcf);
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($curl, CURLOPT_HEADER, 1);
		
		curl_setopt($curl, CURLOPT_HTTPHEADER, array("Authorization: $token", "Content-Type: application/json"));

		curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'POST');
		curl_setopt($curl, CURLOPT_POST, 1);
		curl_setopt($curl, CURLOPT_POSTFIELDS, '{"new_value": ['.implode(',', $firewallrules).']}');
		
		$html=curl_exec($curl);

		echo $html;

{"success":false,"errors":[{"code":10000,"message":"POST method not allowed for the api_token authentication scheme"}]}

But it should be… any help would be awesome!!

The EXACT same code works when I replace $urlcf with

$urlcf='https://api.cloudflare.com/client/v4/zones/'.$myzone.'/purge_cache';

AND

curl_setopt($curl, CURLOPT_POSTFIELDS, '{"files": ["https://www.infinitesweeps.com/"]}');

Giving me {"success":true,........

Making me believe this is some “bug”.

Thank you for looking!

Or…you’re using a POST instead of a PUT.


OMG I’m so dumb, IDK why it works in the other example… here’s what was wrong (it took me forever to figure this out).

Instead of a POST, it should be a PUT request.

For some reason, the other stuff works with post.

Sorry

LOL! Thank you for spotting that so fast. What’s wrong with it now? LOL :? all my rules are deleted. I’m using the example from my ‘Audit Log’ - is that correct? Ya, it’s got to be a bug. LOL, maybe I’m tired :rofl:

I’m basically sending this like 4 times (one for each rule)

$firewallrules[]='{"enabled": true, "expression": "http.host eq \"www.infinitesweeps.com\"", "snippet_name": "CookieCheck"}';
$firewallrules[]='{"enabled": true, "expression": "http.host eq \"www.infinitesweeps.com\"", "snippet_name": "CookieCheck2"}';
$firewallrules[]='{"enabled": true, "expression": "http.host eq \"www.infinitesweeps.com\"", "snippet_name": "another"}';
$firewallrules[]='{"enabled": true, "expression": "http.host eq \"www.infinitesweeps.com\"", "snippet_name": "another"}';

You need to send them all at once. Docs aren’t very clear, but it’s “Put Rules.” So it’s the complete ruleset as an array (all four of your rules).

What you’ve been doing is pretty straightforward. If it were a bug, it would have been discovered pretty quickly.

Hi, I was just kidding about the bug thing.

I figured it out; basically change ‘new_value’ to ‘rules’ in the PUT request (I guess the Audit thing is different). Now I know :slight_smile: (was using the Audit Logs as the copy paste “perfect example” - but it is not…)

Thanks!!!

See this post for today’s “bug” :rofl: How to report wrong IP whois information? - #5 by email669

Hey, can I ask one more question? It’s the same code, so I hope it’s best to post in here.

Now I’m trying to set up the ‘Transform Rules’ and having trouble accessing the API.

I’m using this page for reference (and the Audit Logs): Create an HTTP request header modification rule via API · Cloudflare Rules docs

"result": null,
"success": false,
"errors": [
  {
    "message": "not found"
  }
],
"messages": null

I believe it’s from the incorrect ‘ruleset id’, but I’m also having trouble getting that;

The link I am using is: $urlcf='https://api.cloudflare.com/client/v4/zones/'.$myzone.'/rulesets';

I tried adding,

ruleset_id

And everything which way in between.

Also using this as reference: Cloudflare API | Rulesets › Update An Account Or Zone Ruleset

Can you please tell me how to make this request? How do I get the ‘ruleset id’ from the if it’s not the same as the link ?

Are you sure it’s not a bug? I’m just kidding, but for real I wish there was easier way to get these calls.

Here is my ‘complete code’

$token='Bearer 1234';
$myzone='1234'; //must retrieve through API
$firewallrules=array();
$firewallrules[]='{"enabled": false, "action": "rewrite", "action_parameters": {"headers": {"test": {"operation": "set", "value": "1"}}}, "description": "Automated API Test","expression": "ip.src in {127.0.0.1}","ruleset_id":"aff0214c08374f528f91456479c3bb02"}';
$urlcf='https://api.cloudflare.com/client/v4/zones/'.$myzone.'/rulesets/aff0214c08374f528f91456479c3bb02';
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $urlcf);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HEADER, 1);

  curl_setopt($curl, CURLOPT_HTTPHEADER, array("Authorization: $token", "Content-Type: application/json"));

  curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'PUT');
  curl_setopt($curl, CURLOPT_POST, 1);
  curl_setopt($curl, CURLOPT_POSTFIELDS, '{"rules":['.implode(',', $firewallrules).']}');

  $html=curl_exec($curl);

  echo $html;
  
  curl_close($curl);

Thank you for all of the help!!

Hi, “bump” - can you please give me the answer?

It would really be appreciated. I already been like trying to ‘change words’ add dashes, cross my t’s and dot my i’s for a while… I really don’t want to do that again today :rofl:

I “think” this is going to be the last API endpoint I use, Unless I discover that I can also ‘get analytics’ for requests of cached pages :smiley:

TY!!! Here is the “FULL code” - I really don’t know what else to change except going in another loop all day –

  $firewallrules=array();
  $firewallrules[]='{"enabled": false, "action": "rewrite", "action_parameters": {"headers": {"oldbrowser": {"operation": "set", "value": "1"}}}, "description": "Automated API Softrating","expression": "ip.src in {127.0.0.1}","ruleset_id":"aff0214c08374f528f91456479c3bb02"}';
  

  $token='Bearer 1234';
  $myzone='1234';			//must retrieve through API (see other functions)
  $urlcf='https://api.cloudflare.com/client/v4/zones/'.$myzone.'/rulesets/aff0214c08374f528f91456479c3bb02';
  $curl = curl_init();
  curl_setopt($curl, CURLOPT_URL, $urlcf);
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($curl, CURLOPT_HEADER, 1);
  
  curl_setopt($curl, CURLOPT_HTTPHEADER, array("Authorization: $token", "Content-Type: application/json"));

  curl_setopt($curl, CURLOPT_CUSTOMREQUEST, 'PUT');
  curl_setopt($curl, CURLOPT_POST, 1);
  curl_setopt($curl, CURLOPT_POSTFIELDS, '{"rules":['.implode(',', $firewallrules).']}');

  $html=curl_exec($curl);

  echo $html;
  
  curl_close($curl);

The response is

HTTP/1.1 404 Not Found
{
  "result": null,
  "success": false,
  "errors": [
    {
      "message": "not found"
    }
  ],
  "messages": null
}

cf-auditlog-id: 01958633-3295-7923-851c-c98e5191baf0

It says:

Procedure

Follow this workflow to create an HTTP request header modification rule for a given zone via API:

  1. Use the List zone rulesets operation to check if there is already a ruleset for the http_request_late_transform phase at the zone level.
  2. If the phase ruleset does not exist, create it using the Create a zone ruleset operation. In the new ruleset properties, set the following values:
     • kind: zone
     • phase: http_request_late_transform
  3. Use the Update a zone ruleset operation to add an HTTP request header modification rule to the list of ruleset rules. Alternatively, include the rule in the Create a zone ruleset request mentioned in the previous step.

Make sure your API token has the required permissions to perform the API operations.

But I got all these rules in my account that I’m afraid to just start running API code on and mess it all up.

I have a rule called ‘http_request_late_transform’ - All it says is:

{
  "description": "",
  "id": "1234",
  "kind": "zone",
  "last_updated": "2025-03-11T05:19:18.437677Z",
  "name": "header modification",
  "phase": "http_request_late_transform",
  "version": "263"
},

Does that mean I use the http_request_late_transform id in the API post?

Something like:

$urlcf='https://api.cloudflare.com/client/v4/zones/'.$myzone.'/rulesets/'.http_request_late_transform.id;

How does it know which of the 10 rules in the transform rules to update? Is it only via the ‘description’ ?

Is it like the others where I have to post ALL of them? or just 1 of them?

It’s so confusing, please help. I just basically need to update a rule via the API for a ‘Request Header Transform Rules’

Maybe will move to a different domain into debug, but in reality I don’t know what to change other than just guessing.

OK, so this is what you do:

You get your value from /myzone/rulesets

‘http_request_late_transform’

Then you must post ALL of the rules to the post.

Is there really not a way to just update One of them?
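
An added example (not code from the thread or from Cloudflare) of the read-merge-write pattern the replies describe for both `snippet_rules` and `rulesets`: take the phase ruleset's ID from the list response, merge the one changed rule into the full current list, and only then build the `{"rules": [...]}` body for the PUT. The function names, placeholder IDs and sample rules are constructed; matching on `description` (or `snippet_name` for snippet rules) is an assumption made for illustration.

```php
<?php
// Added example; every ID and rule below is constructed sample data.

// Find the zone-level ruleset for a phase in a decoded
// GET /zones/{zone_id}/rulesets response.
function find_phase_ruleset_id(array $listResponse, string $phase): ?string
{
    foreach ($listResponse['result'] ?? [] as $rs) {
        if (($rs['kind'] ?? '') === 'zone' && ($rs['phase'] ?? '') === $phase) {
            return $rs['id'];
        }
    }
    return null; // phase has no ruleset yet
}

// Replace the rule whose $key matches, or append it; all other rules are kept.
function merge_rule(array $current, array $new, string $key): array
{
    foreach ($current as $i => $rule) {
        if (($rule[$key] ?? null) === $new[$key]) {
            $current[$i] = $new;
            return $current;
        }
    }
    $current[] = $new;
    return $current;
}

// Encode the PUT body, refusing a list that would drop existing rules.
function build_put_body(array $current, array $merged): string
{
    if (count($merged) < count($current)) {
        throw new RuntimeException('PUT body would delete existing rules');
    }
    return json_encode(['rules' => $merged], JSON_UNESCAPED_SLASHES);
}

$list = json_decode('{"result":[
  {"id":"RULESET_ID_PLACEHOLDER","kind":"zone","phase":"http_request_late_transform"},
  {"id":"OTHER_ID_PLACEHOLDER","kind":"zone","phase":"http_request_firewall_custom"}]}', true);
$current = [ // rules as read back from the ruleset before changing anything
    ['description' => 'keep me', 'action' => 'rewrite', 'expression' => 'true', 'enabled' => true],
    ['description' => 'Automated API Test', 'action' => 'rewrite', 'expression' => 'true', 'enabled' => true],
];
$change = ['description' => 'Automated API Test', 'enabled' => false, 'action' => 'rewrite',
    'expression' => 'ip.src in {127.0.0.1}',
    'action_parameters' => ['headers' => ['test' => ['operation' => 'set', 'value' => '1']]]];

echo find_phase_ruleset_id($list, 'http_request_late_transform'), "\n";
echo build_put_body($current, merge_rule($current, $change, 'description')), "\n";
```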
