Skip to content

Cloudflare API access

Token lives at ~/.forge-secrets/cloudflare.env (chmod 600, outside repo):

CLOUDFLARE_API_TOKEN=cfut_...
CLOUDFLARE_ACCOUNT_ID=5b4138008d635b79e07af0c7388cd46f

Same token is the one n8n uses (credential id N4en6wi0o81nWDcn). Decrypt path was n8n's encrypted creds DB at /var/lib/docker/volumes/n8n_n8n_data/_data/database.sqlitecredentials_entity.data → openssl aes-256-cbc -d -md md5 with the encryptionKey from ~/.n8n/config.

Zones this token can edit (10)

Zone Zone ID
gusoutdoor.co 73f45aa552ff1b5dbe8374936102da1f
gusthebass.com 46a7073cb66667b9a835058e26c40230
justinkrystal.com 4b431bbb127a7d38c4681593f440dd32
justinsforge.com 2c415a6672c980b6451718886d12ace0
justinwieb.com 8fe40a37f7f423aa1a0661a71221f87d
justinwiebelhaus.com b7bd37d05f35e46bed8cf374cbdd2206
metaapplications.com 0d29085840dac7a3f749497333429391
shopnovadesign.com 7b99cbd704a862675f87caeebcd047b0
sipnservesociety.com 7a1f05c65e9bf0ea6a9daedcb060c768
virtualrealityalliance.com 71246ba17698266422a0ed27b563b20a

Tunnels in the account

Tunnel ID Role
AdGuard 86588d06-2559-4018-a0f7-fab725b27b8a adguard.justinkrystal.com
VR Alliance fb20b500-0119-4c84-9536-fa85751987c3 justinsforge.com + VR alliance
forge-n8n 542257f6-3cb6-4083-ab11-44d5cb8014c5 n8n.justinwieb.com
media-server a55b7768-b42a-4d78-82b5-4a427bdbb9b7 all *.justinkrystal.com — this is the main catch-all tunnel
TNappe 2ba6e913-f8d7-46e7-bdcd-d5d8a56f784a inactive

Usage patterns

Verify token still works

source ~/.forge-secrets/cloudflare.env
curl -s -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  https://api.cloudflare.com/client/v4/user/tokens/verify | python3 -m json.tool

Add a new DNS record

curl -s -X POST -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
  -d '{"type":"CNAME","name":"foo","content":"'"$TUNNEL_ID"'.cfargotunnel.com","proxied":true,"ttl":1}'

Add tunnel ingress (must fetch, modify, PUT full config)

Fetch → insert new rule BEFORE the (fallback) entry → PUT back.

GET  /accounts/{acct}/cfd_tunnel/{tid}/configurations
PUT  /accounts/{acct}/cfd_tunnel/{tid}/configurations  {"config": {...}}
See scripts/integrations/cloudflare/add-hostname.py for a helper (build if needed).

Protect a hostname with Cloudflare Access

Via API or dashboard. Create an Access Application with domain = "foo.justinkrystal.com", policy require email == "[email protected]" (or business email). Takes 2 min in dashboard.

What this token CAN do

  • Create/edit/delete DNS records in any of the 10 zones
  • Add/modify tunnel ingress rules + public hostnames
  • Create/edit Access applications and policies
  • Read zone settings

What it CANNOT do (safety floor)

  • Log in to the account
  • Create/delete zones
  • Access billing
  • Manage API tokens (can't self-escalate)

When it was extracted, and why

2026-04-24 — Justin asked to add frigate.justinkrystal.com; n8n already had the credential so no new token issued. If you ever rotate it, update here AND in n8n cred N4en6wi0o81nWDcn.