proxmox/docs/04-configuration/CLOUDFLARE_CREDENTIALS_BOTH_METHODS.md

# Cloudflare Credentials: Both Methods Supported
**Last Updated:** 2026-01-31

**Document Version:** 1.0

**Status:** Active Documentation

---

This project supports **both** Cloudflare authentication methods. You can set either or both in `.env`; scripts use **API token first**, then fall back to **email + API key**.

## 1. Credential types

| Method | .env variables | Use case |
|--------|----------------|----------|
| **API token** | `CLOUDFLARE_API_TOKEN` | Recommended: scoped, revocable. Used by DNS scripts, NPMplus, tunnel config. |
| **Email + API key** | `CLOUDFLARE_EMAIL` + `CLOUDFLARE_API_KEY` | Legacy/global key. Required for some older flows; Certbot can use this. |

You can set **both** in `.env`. Scripts that call the Cloudflare API will use the token if set, otherwise email + API key.

## 2. Which scripts use which
- **update-all-dns-to-public-ip.sh**: token first, else email+key
- **complete-chain138-rpc-setup.sh**: token or email+key (either is enough)
- **add-vmid2400-ingress.sh**: token first, else email+key
- **update-cloudflare-tunnel-config.sh**: token first, else email+key
- **create-dns-record-rpc-core.sh**: token first, else email+key
- **scripts/verify/export-cloudflare-dns-records.sh**: token first, else email+key

## 3. Certbot (Let's Encrypt DNS-01)
Certbot's `dns-cloudflare` plugin accepts **one** method per credentials file: **either** API token **or** email + API key, not both in the same file.

- **Token-only file** (recommended):
  `dns_cloudflare_api_token = YOUR_TOKEN`
- **Email + API key file**:
  `dns_cloudflare_email = your@email`
  `dns_cloudflare_api_key = YOUR_GLOBAL_API_KEY`

Scripts that build the Certbot credentials file (e.g. `obtain-all-ssl-certificates.sh`, `setup-letsencrypt-tunnel.sh`) will:
- If `CLOUDFLARE_API_TOKEN` is set → write a **token-only** credentials file.
- Else if `CLOUDFLARE_EMAIL` and `CLOUDFLARE_API_KEY` are set → write an **email+key** credentials file.
- Else → exit with an error asking you to set one of the two methods.
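The token-first selection above, written out as an added shell example (not one of the project's scripts). The function names, the output path argument and the `600` file mode are this example's own choices; the variable names are the `.env` names used throughout this document.

```shell
#!/usr/bin/env bash
# Added example: build a Certbot dns-cloudflare credentials file from the
# .env variables, preferring CLOUDFLARE_API_TOKEN and falling back to
# CLOUDFLARE_EMAIL + CLOUDFLARE_API_KEY. Function names are hypothetical.
set -u

# write_certbot_cloudflare_creds OUTFILE
# Writes a one-method file (Certbot rejects mixed files). Returns 1 and
# writes nothing when neither method is configured.
write_certbot_cloudflare_creds() {
    local out="$1"
    local tmp
    tmp="$(mktemp "$(dirname "$out")/.cf.XXXXXX")" || return 1
    # Lock the file down before any secret lands in it.
    chmod 600 "$tmp"
    if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
        # Token-only file; email/key are deliberately not included.
        printf 'dns_cloudflare_api_token = %s\n' "$CLOUDFLARE_API_TOKEN" > "$tmp"
    elif [ -n "${CLOUDFLARE_EMAIL:-}" ] && [ -n "${CLOUDFLARE_API_KEY:-}" ]; then
        printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
            "$CLOUDFLARE_EMAIL" "$CLOUDFLARE_API_KEY" > "$tmp"
    else
        rm -f "$tmp"
        echo "error: set CLOUDFLARE_API_TOKEN, or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY" >&2
        return 1
    fi
    # Atomic replace so a reader never sees a half-written file.
    mv "$tmp" "$out"
}

# certbot_creds_method FILE -> prints "token", "email-key" or "none"
certbot_creds_method() {
    if grep -q '^dns_cloudflare_api_token' "$1"; then
        echo token
    elif grep -q '^dns_cloudflare_email' "$1" && grep -q '^dns_cloudflare_api_key' "$1"; then
        echo email-key
    else
        echo none
    fi
}
```

Because the file is rewritten from `.env` each run, revoking a token and clearing the variable is enough to drop it from the Certbot side as well.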
Example credential files are in `scripts/certbot/`:
- `cloudflare-credentials-token.example` token-only (copy and set your token).
- `cloudflare-credentials-email-api-key.example` email+key (copy and set email and key).
Use **one** of these as your Certbot Cloudflare credentials file (e.g. `~/.secrets/certbot/cloudflare.ini` or `/etc/cloudflare/credentials.ini` on the host that runs Certbot).
## 4. Summary
- **.env**: You can set both `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_EMAIL` / `CLOUDFLARE_API_KEY`.
- **Scripts**: They use token first, then email+key.
- **Certbot**: One method per credentials file (token-only **or** email+key-only).
- **Having both**: Keeps API/token auth for scripts and allows Certbot to use whichever method you put in its credentials file.