Cloudflare provides a suite of services to enhance the security, performance, and reliability of websites and applications. On Nagent, Cloudflare Api Key is exposed as a fully-configurable security & identity tools integration that any agent can call — 25 actions, and API key authentication. No code is required to wire Cloudflare Api Key into your workflow — connect it once via the External Integrations panel and reuse it across every agent you build.
Agent builders use Cloudflare Api Key to automate the kinds of tasks security & identity tools teams previously handled manually. Concrete examples — each one is a single agent step in Nagent — include:
Every action and trigger is paired with a structured input/output schema (visible in the sections below), so when you wire Cloudflare Api Key into Helix — our agentic agent builder — the editor knows exactly what each step expects and produces. Configure once, deploy anywhere across your Nagent agents.
Every operation an agent can call against Cloudflare Api Key, with input parameters and output schema. Drop these into any step of an agent built in Helix.
CLOUDFLARE_API_KEY_CREATE_DNS_RECORD
Tool to create a new DNS record in a Cloudflare zone. Use when you need to add a record (A, CNAME, TXT, MX, etc.) to a specified zone.
Input parameters
Time to live for DNS record in seconds; 1 means automatic (Cloudflare default).
Fully qualified DNS record name in Punycode.
Custom tags in the form "name:value".
DNS record type.
Free-form comment for the DNS record.
Record content; for types like A/AAAA use IP address, for CNAME use target hostname, etc.
Whether the record is receiving the performance and security benefits of Cloudflare.
Zone identifier in which to create the DNS record.
Settings specific to A record when proxied.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_CREATE_LOCKDOWN_RULE
Tool to create a Zone Lockdown rule. Use when you need to restrict access to specific URL patterns to defined IPs/CIDR ranges. Use after confirming zone_id.
Input parameters
URLs to lock down; supports simple wildcard '*' patterns.
Whether to start the rule in a paused state.
Zone identifier.
Processing priority (lower numbers run first).
Optional summary of the rule.
One or more sources to allow (IP or CIDR ranges).
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_CREATE_RULE_IN_RULESET
Tool to add a rule to an existing ruleset. Use when you need to append or insert a new rule in a Cloudflare ruleset.
Input parameters
Definition of the rule to add
Zone identifier; required if using zones segment
Account identifier; required if using accounts segment
ID of the target ruleset
Segment for owner: 'accounts' or 'zones'
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_CREATE_RULESET
Creates a new Cloudflare ruleset at account or zone scope. Rulesets contain rules that control traffic behavior (firewall, rate limiting, redirects, etc.). First use List Zones to get a zone_id, then specify the phase (e.g., 'http_request_firewall_custom' for WAF rules).
Input parameters
Type of ruleset. 'custom' for user-defined rules, 'root' for account-level entrypoint, 'zone' for zone-level entrypoint.
Human-readable name for the ruleset (e.g., 'Production Firewall Rules').
Execution phase determining when rules run. Common phases: 'http_request_firewall_custom' (WAF), 'http_config_settings' (config), 'ddos_l7' (DDoS), 'http_request_transform' (URL rewrite), 'http_response_headers_transform' (response headers).
List of rules to include. Can be empty and rules added later via Create Rule in Ruleset.
Human-readable description of the ruleset's purpose.
Scope for the ruleset. Use 'zones' for zone-level rulesets or 'accounts' for account-level rulesets.
The 32-character identifier of the account or zone. Get zone IDs from List Zones, account IDs from your Cloudflare dashboard.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_DELETE_DNS_RECORD
Tool to delete a DNS record. Use when you need to remove a specific DNS record from a zone after confirming both zone and record IDs.
Input parameters
Cloudflare zone identifier. Obtain this from the List Zones action or the Cloudflare dashboard under the zone's Overview page.
DNS record identifier to delete. Obtain this from the List DNS Records action for the target zone.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_DELETE_DNSSEC
Tool to delete DNSSEC records for a zone. Use after disabling DNSSEC at the registrar to remove DNSSEC configuration.
Input parameters
Zone identifier to delete DNSSEC for
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_DELETE_RULE_FROM_RULESET
Tool to delete a specific rule from a ruleset. Use when you need to remove an outdated or incorrect rule from an account or zone ruleset after confirming IDs.
Input parameters
32-character hex identifier of the rule to delete from the ruleset
32-character hex identifier of the ruleset containing the rule to delete
Scope for the ruleset: use 'accounts' for account-level rulesets or 'zones' for zone-level rulesets
32-character hex identifier of the account (if accounts_or_zones='accounts') or zone (if accounts_or_zones='zones')
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_DELETE_RULESET
Tool to delete all versions of a ruleset. Use when you need to remove a ruleset from an account or zone after confirming no references exist.
Input parameters
Unique identifier of the ruleset to delete.
Scope of the ruleset. Must be 'accounts' or 'zones'.
Account ID if scope is 'accounts', or Zone ID if scope is 'zones'.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_DELETE_ZONE
Tool to delete an existing zone. Use after confirming the zone_id to permanently remove the zone.
Input parameters
Zone identifier to delete
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_GET_CLOUDFLARE_IP_ADDRESSES
Tool to retrieve IP addresses used on the Cloudflare or JD Cloud network. Use when you need to obtain the list of IPv4 and IPv6 CIDR blocks used by Cloudflare's infrastructure or JD Cloud data centers.
Input parameters
Specify as 'jdcloud' to retrieve IP ranges utilized by JD Cloud data centers. If not specified, returns Cloudflare IP ranges.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_GET_ENTRYPOINT_RULESET_VERSION
Retrieves a specific historical version of an entry point ruleset from Cloudflare. Entry point rulesets are phase-specific and define the rules that execute during a particular phase of request/response processing. This tool fetches a specific version, allowing you to view rules as they existed at a particular point in time.
Use cases:
- Audit historical rule configurations
- Compare rule changes between versions
- Rollback analysis (view what rules looked like before a change)
- Debug issues by examining past ruleset states
Prerequisites:
- Requires a valid account_id or zone_id (use List Zones to get zone IDs)
- Requires knowing the ruleset phase (e.g., 'http_request_firewall_custom')
- Requires knowing the version number to fetch
Input parameters
The execution phase of the entry point ruleset. Common phases include: 'http_request_firewall_custom' (custom WAF rules), 'http_request_firewall_managed' (managed WAF), 'ddos_l4' (Layer 4 DDoS), 'ddos_l7' (Layer 7 DDoS), 'http_request_transform' (URL rewrite), 'http_response_headers_transform' (response headers), 'magic_transit' (Magic Transit), 'http_ratelimit' (rate limiting), 'http_request_sbfm' (Super Bot Fight Mode)
The numeric version identifier of the entry point ruleset to retrieve (e.g., '1', '2', '3')
Scope for the ruleset: use 'accounts' for account-level rulesets or 'zones' for zone-level rulesets
The 32-character alphanumeric identifier of the account (when accounts_or_zones='accounts') or zone (when accounts_or_zones='zones')
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_GET_LOCKDOWN_RULE
Tool to get a Zone Lockdown rule. Use when you need to fetch details of a specific lockdown rule by its ID within a Cloudflare zone.
Input parameters
Identifier of the Cloudflare zone (max length 32)
Unique identifier of the Zone Lockdown rule (max length 32)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_GET_REGIONAL_TIERED_CACHE
Tool to get the regional tiered cache setting for a zone. Use when you need to verify if regional tiered cache is enabled for performance optimization after zone activation.
Input parameters
Identifier of the Cloudflare zone (max 32 characters)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_GET_RULESET
Tool to fetch the latest version of a ruleset by ID. Use after you have the ruleset scope and ID.
Input parameters
DNS zone ID; required if accounts_or_zones='zones', mutually exclusive with account_id.
Cloudflare account ID; required if accounts_or_zones='accounts', mutually exclusive with zone_id.
The unique ID of the ruleset to retrieve.
Must be 'accounts' or 'zones' to select the account- or zone-level endpoint.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_GET_ZONE_DETAILS
Tool to get details for a specific zone. Use when you need detailed zone metadata by ID.
Input parameters
Identifier for the zone (max length 32)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_LIST_DNS_RECORDS
List, search, sort, and filter DNS records for a Cloudflare zone. Use this tool to retrieve DNS records (A, AAAA, CNAME, TXT, MX, etc.) for a zone. Supports filtering by record type, name, content, and proxy status. Results are paginated; use page and per_page parameters for large record sets. Requires a valid zone_id which can be obtained from the List Zones action.
Input parameters
Filter by exact DNS record name (e.g., 'example.com' or 'sub.example.com'). Case-insensitive.
Page number for paginated results (minimum: 1, default: 1).
Filter by DNS record type (e.g., A, AAAA, CNAME, TXT, MX).
Logical operator for filters: 'all' (AND) matches all criteria, 'any' (OR) matches any criterion. Default: 'all'.
Field to order results by. Default ordering is by type.
Human-readable search query to filter records by name, content, or other properties simultaneously.
Filter by exact record content (e.g., IP address for A records, target hostname for CNAME). Case-insensitive.
Filter by Cloudflare proxy status. True = proxied through Cloudflare, False = DNS only.
Zone identifier (32-character hex string) to list DNS records for.
Number of DNS records per page (minimum: 1, maximum: 5000, default: 100).
Sort direction: 'asc' for ascending, 'desc' for descending. Default: 'asc'.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_LIST_ZONES
Tool to list, search, sort, and filter Cloudflare zones. Use when you need to retrieve a paginated list of zones available to the authenticated user.
Input parameters
A domain name; supports the same operators as account.name.
Page number (min: 1, default: 1).
Whether to match any or all search requirements (default: all).
Field to order by.
Filter by zone status.
Results per page (min: 5, max: 50, default: 20).
Direction to order zones.
Filter by an account ID.
Account name; supports operators: equal (default), not_equal, starts_with, ends_with, contains, starts_with_case_sensitive, ends_with_case_sensitive, contains_case_sensitive.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_OVERWRITE_DNS_RECORD
Tool to completely overwrite a DNS record. Use when you need to replace all record details after confirming record type and name.
Input parameters
Time to live for DNS record in seconds; 1 means automatic (Cloudflare default).
Fully qualified DNS record name in Punycode.
Custom tags in the form 'name:value'.
DNS record type.
Free-form comment for the DNS record.
Record content; e.g., IPv4 address for A records, target hostname for CNAME, etc.
Whether the record is receiving the performance and security benefits of Cloudflare.
Zone identifier containing the DNS record.
Type-specific settings object for proxied record; passed through to the API.
Identifier of the DNS record to overwrite.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_RERUN_ZONE_ACTIVATION_CHECK
Triggers a new activation check for a zone with 'pending' status. Use this after creating a zone or updating nameservers to verify that DNS propagation is complete and the zone can be activated. Rate limits apply: once every 5 minutes for paid plans (paygo/Enterprise) or once per hour for Free plans.
Input parameters
The unique identifier for the Cloudflare zone. This is a 32-character hexadecimal string that can be found in the Cloudflare dashboard or obtained from the List Zones API.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_UPDATE_DNSSEC_STATUS
Tool to update DNSSEC configuration for a zone. Use when you need to enable or disable DNSSEC or adjust DNSSEC options after confirming the zone ID.
Input parameters
Desired DNSSEC state. Use 'active' to enable or 'disabled' to turn off DNSSEC.
Identifier of the zone to update.
Allow transfer-in of a pre-signed zone without on-the-fly signing.
Enable NSEC3 together with DNSSEC (commonly used when transferring from another provider).
Enable multi-signer DNSSEC so multiple providers can serve a signed zone.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_UPDATE_LOCKDOWN_RULE
Tool to update a zone lockdown rule. Use when you need to modify the IP or URL settings of an existing Zone Lockdown rule after confirming the rule exists.
Input parameters
List of URL patterns to restrict access for; wildcards supported (e.g., 'shop.example.com/*').
Whether to pause the rule. When paused, the rule is inactive and does not block any traffic.
Identifier of the Cloudflare zone.
Optional human-readable description of the rule's purpose.
Identifier of the Zone Lockdown rule to update.
List of IP addresses or CIDR ranges that will be allowed to access the URLs specified in the rule.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_UPDATE_RULE_IN_RULESET
Tool to update a specific rule in a ruleset. Use when you need to modify a rule's configuration or reorder it after reviewing its current settings.
Input parameters
Fields to update on a rule.
ID of the rule to update.
Position for reordering a rule within its ruleset.
ID of the ruleset containing the rule.
Scope type: 'accounts' for account rulesets or 'zones' for zone rulesets.
ID of the account or zone.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_UPDATE_RULESET
Update a Cloudflare ruleset, creating a new version. Use this to modify ruleset description, name, or rules. IMPORTANT: When updating rules, you must include ALL rules you want to keep; any rules not included will be removed. Managed rulesets cannot be modified directly; use overrides instead.
Input parameters
Ruleset kind. Generally immutable after creation. Values: 'custom', 'root', 'zone', 'managed'.
Human-readable name for the ruleset. Note: Cannot be changed for managed rulesets.
Execution phase. Common values: 'http_request_firewall_custom', 'http_config_settings', 'ddos_l7', 'http_response_headers_transform'.
Complete list of rules for this ruleset version. WARNING: This replaces ALL existing rules - include every rule you want to keep.
The unique ID of the ruleset to update. Get this from create_ruleset or get_ruleset.
Informative description of this ruleset version. Useful for tracking changes.
Scope of the ruleset. Use "accounts" for account-level rulesets or "zones" for zone-level rulesets.
The 32-character hexadecimal ID of the account or zone (depending on scope). Get this from list_zones or list_accounts.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_UPDATE_ZONE
Tool to edit a Cloudflare zone. Use when you need to update a single zone property at a time. Ensure only one of paused, type, or vanity_name_servers is provided per call.
Input parameters
Zone type: 'full' (Cloudflare DNS), 'partial' (CNAME setup), or 'secondary'
Toggle DNS-only mode; true to disable security and performance features
Identifier of the zone to update (max length 32)
Custom nameserver domains (Business and Enterprise plans only)
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
CLOUDFLARE_API_KEY_UPLOAD_FILE_TO_S3
Tool to upload arbitrary file content to temporary storage. Use when you need to stage files for actions requiring FileUploadable.
Input parameters
Raw content of the file as a string; encoded as UTF-8 when uploaded.
MIME type of the file.
Filename (including extension) to store.
Output
Data from the action execution
Error if any occurred during the execution of the action
Whether the action execution was successful
No publicly available marketplace agent uses this tool yet. There are 46 agents privately built on Nagent that already use Cloudflare Api Key.
Build on Nagent
Connect Cloudflare Api Key to any Nagent agent in minutes — no API key management, no boilerplate. Just configure and deploy.
The five questions agent builders ask before adopting a new integration.
Open the External Integrations panel inside Nagent (app.nagent.ai/externalIntegration), find Cloudflare Api Key, and click "Connect Now." You'll authenticate with an API key — Nagent handles credential storage and refresh automatically. Once connected, Cloudflare Api Key is available to any agent in your workspace.
No. Nagent provides no-code integration for every tool. Once Cloudflare Api Key is connected, you configure its 25 actions directly in the agent builder UI — no API calls, no boilerplate, no schema management.
Helix — Nagent's agentic agent builder — lets you drop Cloudflare Api Key steps into any workflow visually. Pick an action (e.g., one of those listed above), fill in the inputs (Helix knows the required vs. optional schema for each parameter), and connect it to upstream/downstream steps. Triggers run as the entry point of an agent, so when a Cloudflare Api Key event fires, the agent kicks off automatically.
Every Cloudflare Api Key action and trigger ships with a fully-typed schema — input parameters with name, type, required flag, and description, plus the output payload shape. The schemas are documented in the sections above. Helix uses these schemas to validate your configuration at build time and to type-check the data flowing between steps.
Yes. While Cloudflare Api Key ships with 25 pre-built security & identity tools actions, you can layer custom logic around them inside Helix — pre/post-processing steps, conditional branches, retries, or stitching Cloudflare Api Key together with other connected tools. For deeper customization, talk to our team about Nagent's Agentic AI Lab — forward-deployed engineers who build Cloudflare Api Key-based workflows tailored to your business.