Skip to main content
GrN.dk

Main navigation

  • Articles
  • Contact
  • Your Digital Project Manager
  • About Greg Nowak
  • Services
  • Portfolio
  • Container
    • Excel Freelancer
    • Kubuntu - tips and tricks
    • Linux Apache MySQL and PHP
    • News
    • Image Gallery
User account menu
  • Log in

Breadcrumb

  1. Home

Cloudflare API for Safer DNS Automation

By Greg Nowak. Last updated 2026-07-09.

Cloudflare's dashboard is fine for an occasional DNS edit. The API becomes useful when DNS is part of a launch checklist, migration plan, client onboarding process, or agency handover. In those cases, the goal is not clever automation. The goal is a repeatable workflow that can be reviewed before traffic moves and understood by someone else later.

As of July 9, 2026, Cloudflare's current API documentation still supports a simple curl-and-bash approach for DNS automation. The important baseline is permissions: use scoped API tokens rather than building scripts around a broad Global API key.

Use the API when DNS needs a paper trail

Automation is worth the setup when the risk of manual clicking is higher than the cost of writing a small script. That usually means launches, repeatable environment setup, bulk client work, or a migration where the same decision may need to be checked by a developer, project manager, and site owner.

Situation Best approach Why it helps
One small record change Dashboard Fastest path when there is no repeatable process.
Launch or migration Scripted read, review, then write Reduces wrong-zone and wrong-record mistakes.
Agency handover Versioned bash script with comments Makes ownership and intent visible after the project.
Bulk zone move Export, clean, import Creates a rollback reference and catches old DNS debt.
CI preflight check Read-only token Verifies required records without granting write access.
A practical decision matrix for choosing dashboard work, API scripts, or import/export workflows.

Start with the smallest useful token

Create a token for the job, not for the person who happens to be doing the job today. For inventory and preflight checks, DNS Read is normally enough. For changes and imports, use DNS Write and restrict the token to the relevant zone wherever possible. Cloudflare also supports Account API tokens for compatible endpoints, which can be cleaner for service automation that should not be tied to one employee login.

One practical detail catches teams out: looking up a zone through GET /zones requires Zone Zone Read. If the working script only needs DNS permissions, fetch the zone ID once from the dashboard or a separate admin step, then store it in your secret manager or CI variables.

export CLOUDFLARE_API_TOKEN='...'
export ZONE_ID='...'
CF_API='https://api.cloudflare.com/client/v4'

curl --fail --silent --show-error "$CF_API/user/tokens/verify" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

A bash workflow another person can run

A dependable DNS script should do four things in order: verify the token, read the current state, make the narrowest possible change, and leave context behind. Do not start with a write call. List the relevant records first, preferably with exact filters instead of broad search behavior.

curl --fail --silent --show-error "$CF_API/zones/$ZONE_ID/dns_records?type=A&name=app.example.com" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

curl --fail --silent --show-error "$CF_API/zones/$ZONE_ID/dns_records" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{"type":"A","name":"app.example.com","content":"198.51.100.4","ttl":3600,"proxied":true,"comment":"App origin - OPS-142"}'

Comments are useful because they carry business context inside Cloudflare without changing DNS responses. A ticket number, migration note, client owner, or expiry reminder is often enough. Tags can help larger teams group records, but comments are the low-friction habit to establish first.

Keep Cloudflare's record rules close to the script. A and AAAA records cannot share a name with a CNAME. NS records cannot share a name with any other record type. For TTL, 1 means automatic; otherwise the normal range is 60 to 86400 seconds, with 30 seconds available on Enterprise zones.

Treat imports like migrations, not uploads

For a real DNS migration, import and export endpoints are often more valuable than individual record calls. Export first, keep the file with the change request, clean the source zone file, and import only after someone has reviewed the records that will become active.

curl --fail --silent --show-error "$CF_API/zones/$ZONE_ID/dns_records/export" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --output zone-export.txt

curl --fail --silent --show-error "$CF_API/zones/$ZONE_ID/dns_records/import" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --form "file=@your_formatted_file.txt"

Cloudflare's current limits matter in production planning: zone files are capped at 256 KiB, and the import/export API limit is three requests per minute per user. If an import fails, read the parsing error instead of retrying blindly.

Zone-file formatting deserves a quiet review. Targets for records such as CNAME, MX, NS, PTR, and SRV should be fully qualified names with a trailing period. Cloudflare supports $ORIGIN, $TTL, and $GENERATE, but not $INCLUDE. If proxy state matters, use Cloudflare's reserved cf-proxied:true or cf-proxied:false tags in the zone file so the import does not guess.

What maintainable DNS automation looks like

For a single site, a few well-named curl commands may be enough. For a business or agency handling multiple zones, make the workflow boring on purpose: obvious inputs, scoped tokens, readable output, and no secrets in the script body.

  1. Keep token and zone IDs in a proper secret store.
  2. Use read-only tokens for checks and write tokens only for approved changes.
  3. Version the script and sample input files.
  4. Put ticket or owner context in record comments.
  5. Export before imports so rollback has a known starting point.

If DNS changes keep showing up during launches, migrations, or client handovers, a small Cloudflare API workflow can remove a lot of avoidable risk. For help turning that into a clean operating process, talk with Greg about a safer DNS automation setup.

Related on GrN.dk

  • AI automations need a spend dashboard before the first runaway bill
  • Cloudflare Service Keys: Old Automation Needs a Token Audit
  • Bulk Delete Cloudflare DNS Records Without Browser Console JavaScript

Need help with this kind of work?

Talk with Greg about DNS automation Get in touch with Greg.

Sources

  • Create API token - Cloudflare Fundamentals docs
  • List Zones - Cloudflare API
  • List DNS Records - Cloudflare API
  • Create DNS Record - Cloudflare API
  • Import and export records - Cloudflare DNS docs
Last modified
2026-07-09

Tags

  • Cloudflare
  • DNS
  • API
  • Automation
  • bash

Review Greg on Google

Greg Nowak Google Reviews

 

  • AI Research Assistants Need a Source Trail, Not Just Citations
  • Recommended WordPress Plugins for Business Websites: Keep the Stack Lean
  • MySQL Zero-Date Import Errors: Fix Them Safely
  • Cloudflare API for Safer DNS Automation
  • Background AI Tasks Need Queues, Not Just Longer API Calls
RSS feed

GrN.dk web platforms, web optimization, data analysis, data handling and logistics.