Cloudflare Token Creation - Quick Reference
🎯 What You Need: User API Token (NOT Account Token)
A User API Token can have both Account AND Zone permissions. This is what the SaaS platform requires.
🔐 Three Ways to Create Token
Method 1: Using Global API Key (Recommended - Most Reliable)
Get Your Global API Key:
Scroll to “API Keys” section
Click “View” next to Global API Key (requires password)
Copy the key
Create Token:
python create_token_with_global_key.py \
--email your@email.com \
--global-key your_global_api_key \
--account-id 6451353ea5a8407bab6162abc42f5338 \
--zone-id 2cf1f02313c4ef76af3d62eb78bb906e \
--name "GETAIPAGE SaaS Token"
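Or set environment variables, which keeps the Global API Key out of the script's command-line arguments (visible in process listings):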
export CLOUDFLARE_EMAIL=your@email.com
export CLOUDFLARE_GLOBAL_KEY=your_global_api_key
export CLOUDFLARE_ACCOUNT_ID=6451353ea5a8407bab6162abc42f5338
export CLOUDFLARE_ZONE_ID=2cf1f02313c4ef76af3d62eb78bb906e
python create_token_with_global_key.py --name "GETAIPAGE SaaS Token"
Method 2: Using Existing Token with Creation Permission
Requirements:
- Existing token must have User:API Tokens:Edit permission
python create_cloudflare_token.py \
--account-id 6451353ea5a8407bab6162abc42f5338 \
--zone-id 2cf1f02313c4ef76af3d62eb78bb906e \
--name "GETAIPAGE Token"
Method 3: Manual Creation (Cloudflare Dashboard)
Recommended if scripts don’t work:
Create Token → Create Custom Token
Add permissions as listed in PERMISSIONS_GUIDE.md
Set resources and create
📋 Required Permissions Summary
Account Permissions (All Accounts)
✅ Account Settings Read
✅ Workers R2 Storage Write
✅ Workers Scripts Read (for listing scripts)
✅ Workers Scripts Write (for deploying scripts)
✅ Workers Routes Write (for configuring routes)
Zone Permissions (Zone: 2cf1f02313c4ef76af3d62eb78bb906e)
✅ Zone Read
✅ SSL and Certificates Read (for reading custom hostnames)
✅ SSL and Certificates Write (for managing custom hostnames)
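The permission list above can be checked mechanically before a token goes into .env. The following is an added example, not one of this project's helper scripts: it audits a token definition for missing permissions, excess permissions, a zone scope other than the one listed, and a missing expiration. The function name `audit_token`, the assumed JSON shape (Cloudflare's API token object with `policies`, `resources`, `permission_groups` and `expires_on`) and the sample token are assumptions made for illustration.

```python
# Added example; assumes the JSON shape of Cloudflare's API token object:
# policies[].effect / resources / permission_groups[].name, and expires_on.
REQUIRED_ACCOUNT = {"Account Settings Read", "Workers R2 Storage Write",
                    "Workers Scripts Read", "Workers Scripts Write",
                    "Workers Routes Write"}
REQUIRED_ZONE = {"Zone Read", "SSL and Certificates Read",
                 "SSL and Certificates Write"}
ACCOUNT_PREFIX = "com.cloudflare.api.account."
ZONE_PREFIX = ACCOUNT_PREFIX + "zone."
ZONE_ID = "2cf1f02313c4ef76af3d62eb78bb906e"  # zone ID used on this page


def audit_token(token, zone_id=ZONE_ID):
    """Return sorted findings; an empty list means the token matches the page."""
    findings, granted = [], {"account": set(), "zone": set()}
    for policy in token.get("policies", []):
        if policy.get("effect") != "allow":
            continue
        names = {g["name"] for g in policy.get("permission_groups", [])}
        for resource in policy.get("resources", {}):
            if resource.startswith(ZONE_PREFIX):  # test zone first: shared prefix
                granted["zone"] |= names
                if resource != ZONE_PREFIX + zone_id:
                    findings.append(f"zone scope is not the expected zone: {resource}")
            elif resource.startswith(ACCOUNT_PREFIX):
                granted["account"] |= names
            else:
                findings.append(f"unexpected resource: {resource}")
    for scope, need in (("account", REQUIRED_ACCOUNT), ("zone", REQUIRED_ZONE)):
        findings += [f"missing {scope} permission: {n}" for n in need - granted[scope]]
        findings += [f"excess {scope} permission: {n}" for n in granted[scope] - need]
    if not token.get("expires_on"):
        findings.append("no expires_on set")
    return sorted(findings)


# Constructed sample: one account permission missing, one extra zone
# permission ("DNS Write"), and no expiry.
SAMPLE_TOKEN = {"policies": [
    {"effect": "allow", "resources": {ACCOUNT_PREFIX + "*": "*"},
     "permission_groups": [{"name": n} for n in REQUIRED_ACCOUNT - {"Workers Routes Write"}]},
    {"effect": "allow", "resources": {ZONE_PREFIX + ZONE_ID: "*"},
     "permission_groups": [{"name": n} for n in REQUIRED_ZONE | {"DNS Write"}]},
]}

if __name__ == "__main__":
    for finding in audit_token(SAMPLE_TOKEN):
        print(finding)
```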
🧪 After Creating Token
Update .env:
CLOUDFLARE_API_TOKEN=your_new_token_here
Test permissions:
python test_token_permissions.py # Should show 8/8 tests passed
Deploy infrastructure:
python examples/deploy_infrastructure.py
Test deployment:
python examples/full_deployment_example.py /path/to/site tenant domain.com
🔍 Available Helper Scripts
| Script | Purpose | Requirements |
|---|---|---|
| | Create token using Global API Key | Email + Global Key |
| | Create token using existing token | Token with creation permission |
| | Test current token permissions | Current API token |
| | Guide to add missing permissions | None (info only) |
| | Manual creation guide | None (info only) |
⚠️ Important Notes
Global API Key vs API Token:
Global Key: Full access, less secure (use only for creating tokens)
API Token: Scoped access, more secure (use for applications)
Token Type:
We need: User API Token (can have Account + Zone permissions)
NOT: Account Token (Account permissions only)
NOT: Zone Token (Zone permissions only)
Security:
Never commit tokens to version control
Use environment variables
Set token expiration when possible
Rotate tokens periodically
🆘 Troubleshooting
Script fails with authentication error
Verify your Global API Key is correct
Check email address matches Cloudflare account
Ensure key hasn’t been revoked
Token created but tests fail
Token may have wrong permissions
Delete and recreate with all required permissions
Or edit existing token in dashboard to add missing permissions
Can’t find Global API Key
Scroll to “API Keys” section (below API Tokens)
Click “View” (requires password confirmation)