Cloudflare
Cloudflare covers roughly 20% of DNS and has an excellent API. DNS.GLOBAL offers full automation against Cloudflare.
Status
Full automation. Live in Phase 1.
Authentication method
Guided API Token. Cloudflare does not offer public third-party OAuth client registration — their OAuth endpoints are scoped to first-party tooling. Instead, DNS.GLOBAL directs the user to a prefilled token-creation URL with the minimum required permissions. The user creates the token, pastes it back, and we validate it immediately.
Why not OAuth?
Cloudflare OAuth is partner-only (Cloudflare Technology Partners) and is not available for Phase 1. The Guided API Token flow is the supported path.
The token template requests exactly three permissions:
| Field | Type | Required | Description |
|---|---|---|---|
Zone.Zone:Read | permission | yes | Zone discovery — find the zone for the domain. |
Zone.DNS:Read | permission | yes | Change planning and conflict detection. |
Zone.DNS:Edit | permission | yes | Record deployment. |
Supported record types
A, AAAA, CNAME, TXT, and MX are supported for automatic deployment.
Special behaviors
- Apex CNAME flattening. Cloudflare flattens
CNAMErecords at the zone apex automatically. DNS.GLOBAL accounts for this when building the change plan. - Proxied records. Cloudflare's proxy (orange-cloud) flag is handled explicitly — records are created unproxied unless your template opts in.
- Batch support. Yes — the adapter uses Cloudflare's batch DNS API.
Known limitations
- API token rate limits apply per Cloudflare account.
- If the pasted token is missing a required permission, validation fails fast and the user is re-prompted with the corrected template URL.
Testing
Cloudflare offers a real sandbox suitable for end-to-end testing. Create a test zone, generate a token from the guided template, and run the connect flow against your test domain.
Tip
Cloudflare is the smoothest provider for a first integration — fast propagation and a reliable batch API.