# Cloudflare Credentials: Both Methods Supported

**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation

---

This project supports **both** Cloudflare authentication methods. You can set either or both in `.env`; scripts use **API token first**, then fall back to **email + API key**.

## 1. Credential types

| Method | .env variables | Use case |
|--------|----------------|----------|
| **API token** | `CLOUDFLARE_API_TOKEN` | Recommended: scoped, revocable. Used by DNS scripts, NPMplus, tunnel config. |
| **Email + API key** | `CLOUDFLARE_EMAIL` + `CLOUDFLARE_API_KEY` | Legacy/global key. Required for some older flows; Certbot can use this. |

You can set **both** in `.env`. Scripts that call the Cloudflare API will use the token if set, otherwise email + API key.

## 2. Which scripts use which

- **update-all-dns-to-public-ip.sh** – token first, else email+key
- **complete-chain138-rpc-setup.sh** – token or email+key (either is enough)
- **add-vmid2400-ingress.sh** – token first, else email+key
- **update-cloudflare-tunnel-config.sh** – token first, else email+key
- **create-dns-record-rpc-core.sh** – token first, else email+key
- **scripts/verify/export-cloudflare-dns-records.sh** – token first, else email+key

## 3. Certbot (Let's Encrypt DNS-01)

Certbot’s `dns-cloudflare` plugin accepts **one** method per credentials file: **either** API token **or** email + API key, not both in the same file.

- **Token-only file** (recommended):
  `dns_cloudflare_api_token = YOUR_TOKEN`
- **Email + API key file**:
  `dns_cloudflare_email = your@email`
  `dns_cloudflare_api_key = YOUR_GLOBAL_API_KEY`

Scripts that build the Certbot credentials file (e.g. `obtain-all-ssl-certificates.sh`, `setup-letsencrypt-tunnel.sh`) will:

- If `CLOUDFLARE_API_TOKEN` is set → write a **token-only** credentials file.
- Else if `CLOUDFLARE_EMAIL` and `CLOUDFLARE_API_KEY` are set → write an **email+key** credentials file.
- Else → exit with an error asking you to set one of the two methods.

Example credential files are in `scripts/certbot/`:

- `cloudflare-credentials-token.example` – token-only (copy and set your token).
- `cloudflare-credentials-email-api-key.example` – email+key (copy and set email and key).

Use **one** of these as your Certbot Cloudflare credentials file (e.g. `~/.secrets/certbot/cloudflare.ini` or `/etc/cloudflare/credentials.ini` on the host that runs Certbot).

## 4. Summary

- **.env**: You can set both `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_EMAIL` / `CLOUDFLARE_API_KEY`.
- **Scripts**: They use token first, then email+key.
- **Certbot**: One method per credentials file (token-only **or** email+key-only).
- **Having both**: Keeps API/token auth for scripts and allows Certbot to use whichever method you put in its credentials file.
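
The selection logic that section 3 describes for building the Certbot credentials file can be sketched as follows. This is an added example, not code from the project's scripts: the function name `write_certbot_cf_credentials` is hypothetical, and creating the file with owner-only permissions is a hardening choice of this example rather than something this page specifies.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helper, not taken from the project's scripts.
# Writes a Certbot dns-cloudflare credentials file from the .env variables,
# with the precedence described in section 3: token first, else email + key.

write_certbot_cf_credentials() {
    local out="$1" tmp
    if [ -z "$out" ]; then
        echo "usage: write_certbot_cf_credentials <path>" >&2
        return 2
    fi

    # Create the temp file owner-only from the start, so the secret is
    # never briefly readable by other users on the host.
    tmp="$(umask 077 && mktemp "${out}.XXXXXX")" || return 1

    if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
        # Token-only file: the plugin accepts one method per file.
        printf 'dns_cloudflare_api_token = %s\n' \
            "$CLOUDFLARE_API_TOKEN" > "$tmp"
    elif [ -n "${CLOUDFLARE_EMAIL:-}" ] && [ -n "${CLOUDFLARE_API_KEY:-}" ]; then
        # Email + global API key file.
        printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
            "$CLOUDFLARE_EMAIL" "$CLOUDFLARE_API_KEY" > "$tmp"
    else
        rm -f "$tmp"
        echo "error: set CLOUDFLARE_API_TOKEN, or CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY" >&2
        return 1
    fi

    # Replace the target in one step so a half-written file is never used.
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}
```

Because the function never writes both methods into one file, a `.env` that sets both still yields a token-only credentials file.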