By Shanee Moret/Founder, Growth Academy Global

If you want Codex, Claude, OpenClaw, or another AI agent to fix something in Cloudflare, you do not give it your full Cloudflare login.

You give it a limited API token.

That token is the key that lets the agent do approved work inside Cloudflare: edit a DNS record, deploy a Pages project, purge a cache, inspect analytics, or verify a setup. The whole point is that the token should only have the permissions needed for the job in front of it.

If you want screenshots while you follow along, I made a Scribe walkthrough here: How to Generate a Cloudflare API Token. This article gives you the safety rules and the exact agent instructions that screenshots alone do not cover.

What a Cloudflare API Token Does

A Cloudflare API token gives software permission to call the Cloudflare API on your behalf. Cloudflare's own documentation says API tokens are the preferred way to authenticate API requests because they can be scoped to specific permissions and resources.

In plain English: the token tells Cloudflare, "This agent is allowed to do this specific thing, in this specific account or domain, and nothing else."

That is different from the old Global API Key. The Global API Key carries the same access as your user login across every zone in the account, cannot be scoped to a permission or a resource, and has no expiry, so it is far too broad for normal agent work. It is the kind of credential you avoid handing to any assistant unless there is an extremely specific reason, and you roll it the moment the job is done.

The Rule Before You Create Any Token

Decide what the agent needs to do before you create the token.

Not "work on Cloudflare." That is too broad. Be specific:

  • Does it need to edit DNS for one domain?
  • Does it need to purge cache after a website deploy?
  • Does it need to deploy a Cloudflare Pages project?
  • Does it only need to read analytics and settings?
  • Does it need access to one zone, one account, or everything?

If you cannot describe the task in one sentence, the token is probably going to be too broad. Start narrow. You can always create another token later.

How to Create the Token

  1. Log into the Cloudflare dashboard.
  2. Open your profile menu and go to My Profile.
  3. Choose API Tokens.
  4. Select Create Token.
  5. Choose a template if Cloudflare offers one that matches the job, or create a custom token.
  6. Name the token after the job, for example Codex cache purge for growthacademy.global.
  7. Add only the permission group the agent needs.
  8. Limit the token to the account, zone, or resource it should touch.
  9. Use the Client IP Address Filtering and TTL (start and end date) options on the create-token form if the agent runs from a fixed machine or the work is temporary.
  10. Review the summary before creating the token.
  11. Create the token and copy it once. Cloudflare only shows the token secret one time; if you lose it, use Roll on that token to issue a new secret instead of creating a duplicate token.

Do not paste the token into random documents, Slack threads, screenshots, or public chats. Store it where your agent can read it safely for the specific job (an environment variable or the agent's secret store, not the prompt text), then rotate or delete it when that job is complete.

Safe Token Recipes for Business Owners

These are not universal recipes. They are starting points. The exact permission names can change as Cloudflare updates the dashboard, so use Cloudflare's current permission list as the source of truth.

Agent job | Typical permission boundary | What to avoid
Purge cache after a deploy | Zone-level cache purge permission for the specific domain | Broad account edit access
Edit DNS for one site | Zone DNS Edit for that one zone | All zones, billing, user, or account admin permissions
Audit site settings | Read-only zone or account permissions | Edit permissions when the agent is only reporting
Deploy or inspect Pages | Account-level Pages permission for the relevant account | Permission to mutate unrelated Workers, DNS, or billing settings
Create more tokens by API | Only when you intentionally need token creation automation | Giving a normal website-maintenance agent token-creation power

The safest pattern is one token per job type. Do not reuse one giant "AI agent token" for everything.

What to Give Your Agent

Your agent usually needs more than the token. Give it the operational context so it does not guess.

  • The Cloudflare account ID.
  • The zone ID if it is working on a domain.
  • The Pages project name if it is deploying a Pages site.
  • The exact hostname or path involved.
  • The allowed actions.
  • The actions it is not allowed to take.

Do not give it vague instructions like "fix Cloudflare." That is how agents make technically valid changes in the wrong place.

Copy-Paste Agent Prompt

Use this when you are giving Codex, Claude, or OpenClaw access to a Cloudflare token.

I need you to use my Cloudflare API token only for this task: [specific task].

Account ID: [account id]

Zone ID: [zone id if needed]

Pages project: [project name if needed]

Allowed actions: [list allowed actions]

Do not rotate credentials, change billing, change nameservers, add broad WAF rules, change unrelated DNS records, purge everything, or edit unrelated zones.

First verify what access the token has. Then show me the planned change before mutating production. After the change, verify the live URL or Cloudflare API result and tell me exactly what changed.

That last sentence matters. A good website-maintenance agent should verify the live result, not just report that the command ran. One practical caveat on the "verify what access the token has" step: Cloudflare's verify endpoint (GET /user/tokens/verify) only confirms that the token is active and when it expires; it does not list the token's permissions. The real scope check is a read call against the one zone or project the job is about, done before any write.
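The prompt above describes a workflow; here is the same workflow as code, added as an example and not taken from the article or from Cloudflare. It wraps the Cloudflare v4 API endpoints the text relies on (GET /user/tokens/verify, GET and PATCH /zones/{zone_id}/dns_records, POST /zones/{zone_id}/purge_cache) behind a small guard that refuses work outside one zone and one allowed-action list, refuses purge_everything, and re-reads the record after writing it. The transport is injected so the flow runs offline against a constructed in-memory fake with made-up zone, record and token values; for real use you would pass a function that issues the HTTP request and returns the status code and parsed JSON.

```python
"""Added example (not Cloudflare's or the author's code): a guardrailed wrapper
around the Cloudflare v4 API that follows the prompt above: verify first, plan
before mutating, stay inside one zone, never purge everything. The transport is
injected so the flow runs offline against a constructed fake; for real use pass
a function that issues the request (e.g. with requests) and returns (status, json)."""
from typing import Callable, Optional

API = "https://api.cloudflare.com/client/v4"


class ScopeError(Exception):
    """An action outside the task boundary the token was issued for."""


class ScopedCloudflare:
    def __init__(self, token: str, zone_id: str, allowed: set, send: Callable):
        self.token, self.zone_id, self.allowed, self.send = token, zone_id, allowed, send
        self.verified = False

    def _call(self, method: str, path: str, body: Optional[dict] = None):
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/json"}
        status, payload = self.send(method, API + path, headers, body)
        if status != 200 or not payload.get("success"):
            raise RuntimeError(f"{method} {path} failed: {status} {payload.get('errors')}")
        return payload["result"]

    def verify(self) -> dict:
        # /user/tokens/verify confirms the token is active; it does not list its
        # permissions, so the zone read below is the real scope check.
        result = self._call("GET", "/user/tokens/verify")
        if result.get("status") != "active":
            raise RuntimeError(f"token status is {result.get('status')}")
        self.verified = True
        return result

    def _guard(self, action: str, zone_id: str) -> None:
        if not self.verified:
            raise ScopeError("verify() must run before any API call")
        if zone_id != self.zone_id:
            raise ScopeError(f"zone {zone_id} is outside the task boundary")
        if action not in self.allowed:
            raise ScopeError(f"action {action!r} is not on the allowed list")

    def list_dns(self, zone_id: str, name: str) -> list:
        self._guard("dns:read", zone_id)
        return self._call("GET", f"/zones/{zone_id}/dns_records?name={name}")

    def plan_dns_update(self, zone_id: str, name: str, new_content: str) -> dict:
        """Return the intended change without touching anything."""
        records = self.list_dns(zone_id, name)
        if len(records) != 1:
            raise ScopeError(f"expected one record for {name}, found {len(records)}")
        rec = records[0]
        return {"record_id": rec["id"], "name": name, "type": rec["type"],
                "old": rec["content"], "new": new_content}

    def apply_dns_update(self, zone_id: str, plan: dict) -> bool:
        self._guard("dns:edit", zone_id)
        self._call("PATCH", f"/zones/{zone_id}/dns_records/{plan['record_id']}",
                   {"content": plan["new"]})
        # Re-read the live record instead of trusting the 200 on the write.
        return self.list_dns(zone_id, plan["name"])[0]["content"] == plan["new"]

    def purge(self, zone_id: str, files: list) -> dict:
        self._guard("cache:purge", zone_id)
        if not files:
            raise ScopeError("refusing purge_everything; list the exact URLs")
        return self._call("POST", f"/zones/{zone_id}/purge_cache", {"files": list(files)})


def make_fake_transport(zone_id: str, record: dict):
    """Constructed in-memory stand-in for the API (sample data, not real)."""
    state = {"record": dict(record), "purged": []}

    def send(method, url, headers, body):
        path = url[len(API):]
        if (method, path) == ("GET", "/user/tokens/verify"):
            return 200, {"success": True, "result": {"id": "tok-fake", "status": "active"}}
        if method == "GET" and path.startswith(f"/zones/{zone_id}/dns_records?name="):
            name = path.split("name=", 1)[1]
            hits = [dict(state["record"])] if state["record"]["name"] == name else []
            return 200, {"success": True, "result": hits}
        if method == "PATCH" and path == f"/zones/{zone_id}/dns_records/{state['record']['id']}":
            state["record"].update(body)
            return 200, {"success": True, "result": dict(state["record"])}
        if (method, path) == ("POST", f"/zones/{zone_id}/purge_cache"):
            state["purged"].extend(body.get("files", []))
            return 200, {"success": True, "result": {"id": zone_id}}
        return 403, {"success": False, "errors": ["not permitted (fake)"]}  # missing permission

    return send, state


def run_task(send, zone_id: str, hostname: str, new_ip: str):
    """The whole prompt flow for one job: verify, plan, apply, re-verify, purge."""
    cf = ScopedCloudflare("cf-token-placeholder", zone_id,
                          {"dns:read", "dns:edit", "cache:purge"}, send)
    cf.verify()
    plan = cf.plan_dns_update(zone_id, hostname, new_ip)  # show this to the owner first
    return plan, cf.apply_dns_update(zone_id, plan), cf.purge(zone_id, [f"https://{hostname}/"])
```

Everything the guard enforces is client-side discipline, not a substitute for scoping the token itself: the token still carries whatever permissions you gave it, and the wrapper only keeps a well-behaved agent from wandering. A call the fake transport does not recognise returns 403, which is what a correctly scoped token does when the agent steps outside its permissions.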

When to Rotate or Delete the Token

Rotate or delete the token when:

  • You pasted it into a chat or tool that stores history.
  • The job is complete and the agent no longer needs access.
  • You are not sure where the token was saved.
  • The token had broader permissions than it should have.
  • A contractor, employee, or temporary agent no longer needs it.

There is no shame in rotating credentials. It is normal operations. The mistake is pretending an exposed token is still clean. In the Cloudflare dashboard, rotating is the Roll action on the token: it keeps the permissions and issues a new secret, and the old secret stops working immediately. Delete revokes the token outright.

What Not to Do

  • Do not use your global API key for routine agent work.
  • Do not create one permanent token with every permission.
  • Do not give an agent billing, user-management, or token-creation access unless that is the actual task.
  • Do not store the token in a public repo, shared doc, or screenshot.
  • Do not let the agent make production changes before it tells you the plan.

The Bottom Line

A Cloudflare API token is not a magic IT artifact. It is a permission slip.

For business owners using Codex, Claude, or OpenClaw, the win is not just knowing where the API token button lives. The win is learning to give the agent enough access to do the job, and not one inch more.

Use the Scribe walkthrough for the clicks. Use this article for the judgment.


Sources: Cloudflare API token creation docs, Cloudflare API token permissions, and Shanee's Scribe walkthrough.