Prevent API access to registered domains

I want to use Cloudflare registrar to register domains. But I don’t want my WordPress plugins or any other code with my API token to be able to transfer the domains away. Is this possible?
If not, is it possible to register the domain on one Cloudflare account and manage its DNS, etc. on another account?

That’s certainly a valid concern. It would be nice if plugin devs would transition over to the new API Token system so you don’t have to give them the key to the kingdom just to use that one Cloudflare feature.

If it’s your own code, then it’s much easier to transition to the new token system. For plugins, maybe a gentle suggestion to the plugin dev would help push this along.

Otherwise, as always, be super careful where you use the global key. I don’t use it anywhere that someone else has access to it.

The official Cloudflare WordPress plugin uses API keys. I don’t think 3rd parties will migrate any time soon.
Is there any way to protect registered domains?

I’m not sure how bad it is. It looks like you can Unlock it, and if I unlock at the dashboard, it returns the auth code. I’d have to experiment with the API to see if the response for that includes the auth code. I’d be surprised if it did because 1) that’s bad, and 2) it takes a while for the dashboard to return it, and API calls I’ve made return an immediate response.

Again, this warrants some testing for problems.

I just tested the API, and after making an API call to unlock the domain (it worked), I was able to make an API call to “Get Domain” and the info returned included the Auth Code.

Someone with your Global API Key can steal your domain.

If I register the domain in one Cloudflare account, can I manage it in another account? That way the worst they can do is change DNS temporarily, but not transfer it out?

Unfortunately, no. Accounts are very separate from each other with different sets of name servers.
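
Added example, not part of the thread and not Cloudflare's code: a least-privilege check for the scoped API tokens suggested earlier in the thread as the replacement for the Global API Key. It assumes token objects shaped like those in the Cloudflare API (policies with `effect`, `resources`, `permission_groups`); the allowlist, the zone placeholder and both sample tokens are constructed.

```python
# Assumption: the only permission groups a DNS-managing plugin should hold.
ALLOWED_GROUPS = {"Zone Read", "DNS Write"}
ZONE_PREFIX = "com.cloudflare.api.account.zone."
ZONE = "ZONE_ID_PLACEHOLDER"  # placeholder, not a real zone id


def audit_token(token, allowed_zones):
    """Return least-privilege findings for one token object (empty list = OK)."""
    policies = token.get("policies", [])
    if not policies:
        return ["token has no policies to evaluate"]
    findings = []
    for i, policy in enumerate(policies):
        if policy.get("effect") != "allow":
            continue  # deny policies only narrow access
        for group in policy.get("permission_groups", []):
            name = group.get("name", "<unnamed>")
            if name not in ALLOWED_GROUPS:
                findings.append(f"policy {i}: unexpected permission group {name!r}")
        for resource in policy.get("resources", {}):
            if not resource.startswith(ZONE_PREFIX):
                # Account- or user-level scope reaches beyond a single zone.
                findings.append(f"policy {i}: non-zone resource {resource!r}")
            elif resource[len(ZONE_PREFIX):] not in allowed_zones:
                # Covers both foreign zone ids and the '*' wildcard.
                findings.append(f"policy {i}: zone outside allowlist {resource!r}")
    return findings


# Constructed sample tokens (not real API output).
SCOPED = {"name": "wp-plugin-dns", "policies": [{
    "effect": "allow",
    "resources": {ZONE_PREFIX + ZONE: "*"},
    "permission_groups": [{"name": "Zone Read"}, {"name": "DNS Write"}],
}]}
BROAD = {"name": "wp-plugin-legacy", "policies": [{
    "effect": "allow",
    "resources": {ZONE_PREFIX + "*": "*", "com.cloudflare.api.account.*": "*"},
    "permission_groups": [{"name": "DNS Write"}, {"name": "Account Settings Write"}],
}]}

if __name__ == "__main__":
    for tok in (SCOPED, BROAD):
        problems = audit_token(tok, {ZONE})
        print(tok["name"], "OK" if not problems else problems)
```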

