API & Integration Gateway
Programmatic access to zones and DNS records across all connected Cloudflare profiles. Designed for secure automation: hashed credential token model and role-based restrictions.
Authentication
Send an Authorization header using the stored bcrypt hash (never the raw password). Two schemes accepted:
Authorization: Bearer BASE64(username:password_hash)
Authorization: Basic BASE64(username:password_hash)
Where password_hash is the existing bcrypt hash from cf_users.json for an active user. Basic role cannot access API.
Endpoints
GET /index.php?api=zones
List all zones across every configured profile.
Response: { "ok": true, "zones": [ { "id":"...","name":"example.com","profile_id":"...","profile_label":"..." }, ... ] }
GET /index.php?api=records_list&profile_id=PROFILE&zone_id=ZONE
List DNS records for a zone (ordered by type).
Response: { "ok": true, "records": [ { "id":"...","type":"A","name":"www.example.com","content":"203.0.113.10","ttl":120,"proxied":false }, ... ] }
POST /index.php?api=record_create
Create DNS record.
| Field | Req | Description |
|---|---|---|
| profile_id | yes | Profile containing the zone |
| zone_id | yes | Target zone id |
| type | yes | Record type (A, AAAA, CNAME, ...) |
| name | yes | Record name (root use zone apex or @ via UI) |
| content | yes | Record content (IP, target) |
| ttl | no | 1 = Auto, else seconds |
| proxied | no | true/false (A/AAAA/CNAME) |
| priority | no | Required for MX when > 0 |
Response: { "ok": true, "record": { ... } }
POST /index.php?api=record_update
Update existing record (fields same as create + id).
Form: profile_id, zone_id, id, type, name, content, ttl, proxied, priority
POST /index.php?api=record_delete
Delete record by id.
Form: profile_id, zone_id, id
Error Model
{ "ok": false, "error": "Message" }
HTTP status conveys class (400 validation / 401 auth / 403 forbidden / 404 not found / 5xx internal).