Cloudflare Integration
Connect Cloudflare to enable the AI agent to query zones, DNS records, alert history, and infrastructure details during investigations.
Capabilities
Once connected, the AI agent can:
| Capability | Description |
|---|---|
| List Zones | Browse and search domains managed in your Cloudflare account |
| View Zone Details | Get full zone configuration including SSL and security settings |
| List DNS Records | Query DNS records by type, name, or content for any zone |
| View Alert History | Access notification alert history for incident investigation |
Prerequisites
- A Cloudflare account with API access
- An API Token (recommended) or Global API Key
- Your Account ID
Authentication Methods
Cloudflare supports two authentication methods. We recommend using a scoped API Token for better security.
- API Token (Recommended)
- Global API Key
Scoped API Tokens allow you to grant only the permissions Autoheal needs. This is the most secure option.
Required fields:
- API Token / Global API Key: Your scoped API Token
- Account ID: Your Cloudflare Account ID
The Auth Email field should be left blank when using an API Token.
The Global API Key grants full access to your Cloudflare account. Use this only if you cannot create scoped API Tokens.
Required fields:
- API Token / Global API Key: Your Global API Key
- Auth Email (for Global API Key): The email address associated with your Cloudflare account
- Account ID: Your Cloudflare Account ID
The Global API Key has full access to your Cloudflare account. We strongly recommend using a scoped API Token instead for better security.
Setup
Option A: Create an API Token (Recommended)
- Log in to your Cloudflare dashboard
- Click your profile icon and go to My Profile → API Tokens
- Click Create Token
- Use the Read all resources template, or create a custom token with the permissions listed below
- Copy the generated token (it will only be shown once)
Option B: Use Global API Key
- Log in to your Cloudflare dashboard
- Click your profile icon and go to My Profile → API Tokens
- In the Global API Key section, click View
- Copy the API key
- In the Cloudflare dashboard, go to any domain's Overview page
- Find Account ID in the right sidebar under API
- Copy the Account ID
- Go to Integrations in Autoheal
- Click Cloudflare
- Enter a name (e.g., "Production Cloudflare")
Enter the following:
- API Token / Global API Key: Your API Token or Global API Key
- Auth Email (only if using Global API Key): Your Cloudflare account email
- Account ID: Your Cloudflare Account ID
Click Test Connection to verify, then Save.
Required Permissions
When using a scoped API Token, create it with at least these permissions:
| Permission | Why It's Needed |
|---|---|
Zone:Read | List and view zone details |
DNS:Read | List and view DNS records |
Account Settings:Read | Access account-level information |
Notifications:Read | View alert notification history |
Create a dedicated API token for Autoheal with only read permissions. Avoid using tokens with write or delete access. Scoped API tokens are more secure than the Global API Key.
Finding Your Account ID
Your Account ID can be found in several places:
- Domain Overview: Go to any domain → Overview → right sidebar under API
- Account Home: Go to Account Home → the URL contains your account ID:
https://dash.cloudflare.com/<account-id> - Workers & Pages: Navigate to Workers & Pages → Account ID is displayed in the right sidebar
Example Queries
Once connected, you can ask the AI agent questions like:
List all zones in my Cloudflare account
Show me the DNS records for example.com
What A records point to 192.168.1.1?
Show me recent Cloudflare alerts
Troubleshooting
401 Unauthorized
- Verify the API Token or Global API Key is correct and has not been revoked
- If using a Global API Key, ensure the Auth Email field is filled in with the correct Cloudflare account email
- If using an API Token, ensure the Auth Email field is left blank
- Check that the token has the required permissions
- Ensure the token has not expired (check TTL settings)
Invalid format for Authorization header
- This error typically means you are using a Global API Key but the Auth Email field is empty
- Global API Keys require the Auth Email to be set — enter the email address associated with your Cloudflare account
- If you intended to use an API Token, verify you copied the scoped token (not the Global API Key)
403 Forbidden
- The API token may not have access to the requested resource
- Verify the Account ID matches the account the token was created for
- Check that zone-level permissions include the zones you're querying
No Zones Found
- Verify the Account ID is correct
- Check that the API token has
Zone:Readpermission - Ensure there are active zones in the account
Connection Timeout
- Cloudflare API uses
https://api.cloudflare.com/client/v4/— verify network connectivity - Check if corporate firewalls or proxies are blocking API access