Cloudflare API access¶
Token lives at ~/.forge-secrets/cloudflare.env (chmod 600, outside repo):
Same token is the one n8n uses (credential id N4en6wi0o81nWDcn). Decrypt path was n8n's encrypted creds DB at /var/lib/docker/volumes/n8n_n8n_data/_data/database.sqlite → credentials_entity.data → openssl aes-256-cbc -d -md md5 with the encryptionKey from ~/.n8n/config.
Zones this token can edit (10)¶
| Zone | Zone ID |
|---|---|
| gusoutdoor.co | 73f45aa552ff1b5dbe8374936102da1f |
| gusthebass.com | 46a7073cb66667b9a835058e26c40230 |
| justinkrystal.com | 4b431bbb127a7d38c4681593f440dd32 |
| justinsforge.com | 2c415a6672c980b6451718886d12ace0 |
| justinwieb.com | 8fe40a37f7f423aa1a0661a71221f87d |
| justinwiebelhaus.com | b7bd37d05f35e46bed8cf374cbdd2206 |
| metaapplications.com | 0d29085840dac7a3f749497333429391 |
| shopnovadesign.com | 7b99cbd704a862675f87caeebcd047b0 |
| sipnservesociety.com | 7a1f05c65e9bf0ea6a9daedcb060c768 |
| virtualrealityalliance.com | 71246ba17698266422a0ed27b563b20a |
Tunnels in the account¶
| Tunnel | ID | Role |
|---|---|---|
| AdGuard | 86588d06-2559-4018-a0f7-fab725b27b8a | adguard.justinkrystal.com |
| VR Alliance | fb20b500-0119-4c84-9536-fa85751987c3 | justinsforge.com + VR alliance |
| forge-n8n | 542257f6-3cb6-4083-ab11-44d5cb8014c5 | n8n.justinwieb.com |
| media-server | a55b7768-b42a-4d78-82b5-4a427bdbb9b7 | all *.justinkrystal.com — this is the main catch-all tunnel |
| TNappe | 2ba6e913-f8d7-46e7-bdcd-d5d8a56f784a | inactive |
Usage patterns¶
Verify token still works¶
source ~/.forge-secrets/cloudflare.env
curl -s -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
https://api.cloudflare.com/client/v4/user/tokens/verify | python3 -m json.tool
Add a new DNS record¶
curl -s -X POST -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
"https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
-d '{"type":"CNAME","name":"foo","content":"'"$TUNNEL_ID"'.cfargotunnel.com","proxied":true,"ttl":1}'
Add tunnel ingress (must fetch, modify, PUT full config)¶
Fetch → insert new rule BEFORE the (fallback) entry → PUT back.
GET /accounts/{acct}/cfd_tunnel/{tid}/configurations
PUT /accounts/{acct}/cfd_tunnel/{tid}/configurations {"config": {...}}
scripts/integrations/cloudflare/add-hostname.py for a helper (build if needed).
Protect a hostname with Cloudflare Access¶
Via API or dashboard. Create an Access Application with domain = "foo.justinkrystal.com", policy require email == "[email protected]" (or business email). Takes 2 min in dashboard.
What this token CAN do¶
- Create/edit/delete DNS records in any of the 10 zones
- Add/modify tunnel ingress rules + public hostnames
- Create/edit Access applications and policies
- Read zone settings
What it CANNOT do (safety floor)¶
- Log in to the account
- Create/delete zones
- Access billing
- Manage API tokens (can't self-escalate)
When it was extracted, and why¶
2026-04-24 — Justin asked to add frigate.justinkrystal.com; n8n already had the credential so no new token issued. If you ever rotate it, update here AND in n8n cred N4en6wi0o81nWDcn.