AnswerDotAI/fastcflare

FastCF

from fastcore.utils import *
from fastcflare import *

Intro to Account Tokens

Account-owned API tokens (created via /accounts/{id}/tokens) are tied to the account, not a specific user. They act as service principals — ideal for CI/CD pipelines and service-to-service integrations, since they remain valid even if the creating user leaves the organisation.

Creating Account Tokens

You need a token with “Create Additional Tokens” permission at the account level. Use the Cloudflare Python SDK with the Global API Key + email (not a user token):

from cloudflare import Cloudflare
cf = Cloudflare(api_token=your_cf_token, api_email='you@example.com')
accts = cf.accounts.list()
acct_id = accts.result[0].id

Look up available permission groups for your account:

groups = cf.accounts.tokens.permission_groups.list(account_id=acct_id)
{g.name: g.id for g in groups if 'dns' in g.name.lower() or 'zone' in g.name.lower()}

Create the token with nested resource format — zones must be nested under the account:

tok = cf.accounts.tokens.create(account_id=acct_id, name="dns-all-zones", policies=[{
    "effect": "allow",
    "resources": {f"com.cloudflare.api.account.{acct_id}": {"com.cloudflare.api.account.zone.*": "*"}},
    "permission_groups": [
        {"id": "c8fed203ed3043cba015a93ad1616f1f"},  # Zone Read
        ...
    ]
}])
dns_tok = tok.value  # Save this — it's only shown once

⚠️ The resource format {"com.cloudflare.api.account.zone.*": "*"} (without nesting) will fail with: “Must specify a zone for account owned tokens, or nest zone under specific account resource”
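A pre-flight check for the failure described above, as an added example that is not part of fastcflare or the Cloudflare SDK. The helper names are hypothetical, the account id is constructed, and the only rule encoded is the one this page states: the zone wildcard must sit under an account resource.

```python
from copy import deepcopy

ACCT_PREFIX = "com.cloudflare.api.account."
FLAT_ZONE_WILDCARD = "com.cloudflare.api.account.zone.*"

def nested_zone_policy(acct_id, perm_group_ids):
    "Allow policy for all zones, nested under the account as the page requires."
    return {
        "effect": "allow",
        "resources": {f"{ACCT_PREFIX}{acct_id}": {FLAT_ZONE_WILDCARD: "*"}},
        "permission_groups": [{"id": i} for i in perm_group_ids],
    }

def lint_policies(policies):
    "Return one message per policy that uses the un-nested zone wildcard."
    problems = []
    for n, pol in enumerate(policies):
        if FLAT_ZONE_WILDCARD in pol.get("resources", {}):
            problems.append(f"policy {n}: zone wildcard is not nested under an account resource")
    return problems

def nest_zone_wildcard(policies, acct_id):
    "Return a copy of `policies` with any top-level zone wildcard moved under `acct_id`."
    fixed = deepcopy(policies)
    acct_key = f"{ACCT_PREFIX}{acct_id}"
    for pol in fixed:
        res = pol.get("resources", {})
        if FLAT_ZONE_WILDCARD not in res:
            continue
        nested = res.get(acct_key, {})
        if not isinstance(nested, dict):
            raise ValueError(f"{acct_key} already has a non-nested scope; resolve by hand")
        # Merge into any existing nested entry instead of overwriting it.
        nested[FLAT_ZONE_WILDCARD] = res.pop(FLAT_ZONE_WILDCARD)
        res[acct_key] = nested
    return fixed

ACCT_ID = "0123456789abcdef0123456789abcdef"    # constructed account id
ZONE_READ = "c8fed203ed3043cba015a93ad1616f1f"  # Zone Read id quoted on this page
FLAT_POLICIES = [{"effect": "allow",             # constructed: the form that fails
                  "resources": {FLAT_ZONE_WILDCARD: "*"},
                  "permission_groups": [{"id": ZONE_READ}]}]

if __name__ == "__main__":
    print(lint_policies(FLAT_POLICIES))
    print(lint_policies(nest_zone_wildcard(FLAT_POLICIES, ACCT_ID)))
```

Running `lint_policies` on the `policies` list before passing it to `cf.accounts.tokens.create` catches the flat form without a round trip to the API.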