Cloudflare Node
Manage Cloudflare zones, DNS records, SSL certificates, and CDN cache from BizFirst workflows.
Authentication: All operations require a Scoped API Token (NOT a Global API Key). Create tokens at Cloudflare Dashboard → My Profile → API Tokens. Use the minimum required permissions for each workflow. Rate limit: 1,200 requests per 5 minutes per token.
Operations (22 total)
Zone
5 operations
List, inspect, configure settings, and purge cache at the zone level.
DNS
8 operations
Full DNS record lifecycle: list, get, create, update, delete, batch create, import/export BIND zone files.
SSL
6 operations
Get/set SSL mode, list certificates, order new certs, and delete expired ones.
Cache
3 operations
Invalidate CDN cache by URL, by tag (Enterprise), or purge all cached assets for a zone instantly.
Required API Token Permissions
| Resource Group | Required Permission | Notes |
|---|---|---|
| Zone (list, get, getSettings) | Zone.Read | Read-only zone access |
| Zone (updateSettings, purgeAll) | Zone.Edit | Modify zone configuration |
| DNS (list, get, export) | DNS.Read | Read-only DNS access |
| DNS (create, update, delete, batchCreate, import) | DNS.Edit | Modify DNS records |
| SSL (getSettings, listCerts, getCert) | SSL and Certificates.Read | Read certificate data |
| SSL (setMode, orderCert, deleteCert) | SSL and Certificates.Edit | Modify SSL configuration |
| Cache (purgeByUrl, purgeByTag, purgeAll) | Cache Purge | Invalidate cached content |
Connection
| Field | Type | Required | Description |
|---|---|---|---|
ApiToken | string | required | Scoped Cloudflare API Token. Create at Cloudflare Dashboard → My Profile → API Tokens. Never use the Global API Key. Store in BizFirst Credentials Manager. |
Rate Limits
The Cloudflare API enforces a limit of 1,200 requests per 5 minutes per API token. For bulk DNS workflows (batchCreate, import), add delays in your flow to stay within rate limits. Exceeding the limit returns HTTP 429.
Error Codes
| Code | Description |
|---|---|
MISSING_API_TOKEN | The ApiToken connection field is not configured |
MISSING_ZONE_ID | ZoneId is required but was not provided |
MISSING_TYPE | DNS record Type is required but was not provided |
MISSING_NAME | DNS record Name is required but was not provided |
MISSING_CONTENT | DNS record Content is required but was not provided |
UNKNOWN_ERROR | An unexpected error occurred — check the error port output for details |
UNSUPPORTED_OPERATION | The specified resource/operation combination is not valid |
Node Policies & GuardRails
| Policy | Enforcement |
|---|---|
| Always use scoped API Tokens — never the Global API Key | Least privilege per workflow; if the token is compromised, blast radius is limited |
| Store the API Token in BizFirst Credentials Manager | Never hardcode tokens in node configuration JSON |
| Verify Zone ID before destructive operations | Zone ID is a 32-character hex string — a wrong ID affects the wrong domain |
| Prefer targeted cache purge over full purge | purgeByUrl and purgeByTag are surgical; purgeAll causes an origin load spike |
| DNS changes propagate via Cloudflare instantly; TTL governs resolver caching | Reduce TTL before migrations to shorten propagation time |
| SSL mode changes affect all live traffic immediately | Always test on a staging zone before applying to production |
| Respect the 1,200 req/5 min rate limit in bulk flows | Add a Delay node between batches in high-volume DNS workflows |