
Connect Cloudflare

ConfigTrace connects to Cloudflare using a scoped API token and your Zone ID. It monitors every DNS record in your zone — any reroute, deletion, TTL change, or proxy toggle is detected and risk-classified at the next sync.

Prerequisites

  • A Cloudflare account with access to the zone you want to monitor
  • Permission to create API tokens in your Cloudflare account
  • A ConfigTrace workspace (owner or admin role)

Step 1 — Create a scoped API token

  1. Open API Tokens
     Go to dash.cloudflare.com → profile (top right) → API Tokens.
  2. Start from a template
     Click "Create Token". Use the "Edit zone DNS" template as a starting point — then change the permissions.
  3. Set read-only permissions
     Set permissions to: Zone → DNS → Read (not Edit).
  4. Scope to your zone
     Under "Zone Resources", select "Specific zone" and choose your zone.
  5. Create and copy
     Click "Continue to summary" then "Create Token". Copy the token — it's shown only once.

Scope the token to a single zone. If you want to monitor multiple Cloudflare zones, create one integration per zone — each with its own scoped API token.

Step 2 — Find your Zone ID

Your Zone ID is visible in the Cloudflare Dashboard → your domain → Overview page, in the right sidebar under "API". It's a 32-character hex string.

Step 3 — Connect in ConfigTrace

  1. Open Integrations
     In the ConfigTrace sidebar, click Integrations, then click Connect on the Cloudflare card.
  2. Enter credentials
     Paste your API Token and Zone ID.
  3. Name your integration (optional)
     Optionally give the integration a name (e.g. example.com DNS).
  4. Save integration
     Click Save integration.

Step 4 — Run your first sync

Click Sync Now. The first sync captures all DNS records in your zone as a baseline — record type, name, content, TTL, and proxy status for every record.
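
A minimal sketch of the baseline-versus-next-sync comparison described above, added here as an illustration and not ConfigTrace's own code. It assumes each snapshot is a list of records with the field names Cloudflare's DNS records API returns (`id`, `type`, `name`, `content`, `ttl`, `proxied`); the change labels, the `added` case, the `rec` helper and all sample records are constructed for the example.

```python
# Added illustration, not ConfigTrace's code. Field names follow Cloudflare's
# DNS records API; change labels and sample records are constructed.

def rec(rid, rtype, name, content, ttl, proxied):
    return {"id": rid, "type": rtype, "name": name,
            "content": content, "ttl": ttl, "proxied": proxied}

def diff_snapshots(baseline, current):
    """Compare two syncs; return (change, record, old, new) tuples in
    baseline order, followed by records that are new in `current`."""
    old = {r["id"]: r for r in baseline}   # key on record id, not name:
    new = {r["id"]: r for r in current}    # several records can share a name
    changes = []
    for rid, before in old.items():
        label = f'{before["type"]} {before["name"]}'
        after = new.get(rid)
        if after is None:
            changes.append(("deleted", label, before["content"], None))
            continue
        # One record can change in several ways at once; report each.
        for change, field in (("rerouted", "content"),
                              ("ttl_changed", "ttl"),
                              ("proxy_toggled", "proxied")):
            if after[field] != before[field]:
                changes.append((change, label, before[field], after[field]))
    for rid, after in new.items():
        if rid not in old:
            label = f'{after["type"]} {after["name"]}'
            changes.append(("added", label, None, after["content"]))
    return changes

# Constructed snapshots (documentation IP ranges; ttl 1 = "automatic").
BASELINE = [
    rec("r1", "A", "example.com", "192.0.2.10", 1, True),
    rec("r2", "CNAME", "www.example.com", "example.com", 300, False),
    rec("r3", "MX", "example.com", "mail.example.com", 3600, False),
    rec("r4", "TXT", "example.com", "v=spf1 -all", 3600, False),
]
CURRENT = [
    rec("r1", "A", "example.com", "198.51.100.7", 300, False),
    rec("r2", "CNAME", "www.example.com", "example.com", 300, False),
    rec("r4", "TXT", "example.com", "v=spf1 -all", 60, False),
    rec("r5", "A", "staging.example.com", "203.0.113.5", 300, False),
]

if __name__ == "__main__":
    for change in diff_snapshots(BASELINE, CURRENT):
        print(change)
```

Because records are matched on `id`, a record that is deleted and recreated with the same name shows up as a deletion plus an addition rather than as an in-place change.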

What ConfigTrace monitors

Reads (configuration metadata)
  • A, AAAA, CNAME, MX, TXT, NS records — type, name, content, TTL, proxy status
  • SRV, CAA, LOC, and other record types
  • Per-record TTL and Cloudflare proxy (orange cloud) on/off status
  • Record creation and modification metadata
Never reads
  • Website traffic, visitor data, or request logs
  • Cached content or responses
  • Workers script code or KV namespace contents
  • SSL certificate private keys
  • Account members or billing data
  • Firewall rules or WAF configuration (roadmap)

What ConfigTrace never reads

Cloudflare monitoring is scoped to DNS records. Future updates will add monitoring for firewall rules, page rules, and SSL/TLS settings.

For a full breakdown across all providers, see the Data Access & Permissions reference.