Cloudflare

IAM & Security · API token · Live

Connect your customers' Cloudflare accounts so Askel can read zone configuration, WAF rules, and traffic controls as part of your onboarding or security-review workflow. A scoped API token is all it takes, and the token never passes through your servers.

What you can do

List and inspect all zones

Pull every zone in the customer's account, including zone ID, name, status, and nameservers, so your product can scope later reads to the right zone without asking the customer to look anything up.

Read DNS records per zone

Fetch A, CNAME, MX, TXT, and other record types for any zone. Useful for validating domain ownership, checking routing, or detecting misconfigured SPF and DMARC records before onboarding completes.

Audit WAF rules and managed rulesets

Read the customer's active WAF custom rules and managed-ruleset overrides, including rule expressions like (http.request.uri.path contains "/admin"), so your security product can show coverage gaps.

Read rate-limiting rules

Pull rate-limit configurations, including thresholds, matching expressions, and action types, to verify that API endpoints are protected before a go-live or compliance check.

Inspect Workers and Routes

List deployed Workers scripts and their route patterns so your product can map which logic runs at the edge for a given zone without needing access to the source code.

Check Page Rules and Transform Rules

Read forwarding and rewrite rules to understand how traffic is being modified at the edge. Helpful for diagnosing redirect conflicts or verifying that expected rules are active.

Sample use case

Security posture review during customer onboarding

You sell a cloud security posture product. When a new customer, Redpine Technologies, signs up, your onboarding flow needs to verify that their public-facing zones have WAF enabled, that known bad-actor IPs are blocked, and that rate limiting is in place on their login endpoint. Previously, a Redpine network engineer had to do this by hand and send screenshots.

  1. Customer creates a scoped token

    Redpine's admin opens My Profile in the Cloudflare dashboard, goes to API Tokens, and creates a token with Zone Read and Firewall Services Read permissions scoped to the redpine.io zone. They paste the token into Askel's connection wizard.

  2. Zone discovery

    Askel calls GET /zones and lists every zone on the account. Your onboarding flow selects redpine.io and stores the zone ID for subsequent reads.

  3. WAF and rate-limit audit

    Askel fetches the active WAF custom rules and rate-limit rules for redpine.io. Your product checks for a rule targeting the /login path and flags it as missing when none is found.

  4. Findings surfaced to the customer

    Your product displays a checklist: WAF is active on redpine.io, but no rate-limit rule exists for /login. Redpine's admin is shown the exact API expression to add and can fix it before the posture score is finalised.

  5. Re-check and pass

    Redpine adds the rate-limit rule in their Cloudflare dashboard. Your product re-reads the rules via Askel, finds the new rule matching (http.request.uri.path eq "/login"), and marks the check as passing.
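
The check in steps 3 to 5, as an added example (not Askel's or Cloudflare's code): it decides whether any enabled rate-limit rule covers `/login` and reports disabled or negated rules instead of counting them as coverage. The rule dictionaries and their field names are constructed sample data, and only the `eq` and `contains` comparisons shown on this page are recognised.

```python
import re

# Path comparisons in the forms this page shows:
#   http.request.uri.path eq "/login"  /  http.request.uri.path contains "/admin"
PATH_CLAUSE = re.compile(r'http\.request\.uri\.path\s+(eq|contains)\s+"([^"]*)"')
# Negated or inverted logic cannot be judged by clause matching alone.
NEGATION = re.compile(r'\bnot\b|\bne\b|!')

def clause_covers(op, literal, path):
    """Would `http.request.uri.path <op> "<literal>"` be true for `path`?"""
    if op == "eq":
        return literal == path
    return literal != "" and literal in path  # contains

def audit_rate_limit(rules, path="/login"):
    """Return (status, notes); status is 'pass' or 'missing'."""
    notes = []
    for rule in rules:
        expr = rule.get("expression", "")
        if not any(clause_covers(m[1], m[2], path) for m in PATH_CLAUSE.finditer(expr)):
            continue  # rule does not mention this path at all
        rid = rule.get("id", "?")
        if not rule.get("enabled", False):
            notes.append(f"{rid}: targets {path} but is disabled")
        elif NEGATION.search(expr):
            notes.append(f"{rid}: negated expression, needs manual review")
        else:
            return "pass", [f"{rid}: {expr}"]
    return "missing", notes

# Constructed sample data (field names are assumptions for this example).
BEFORE = [
    {"id": "rl-api", "enabled": True,
     "expression": '(http.request.uri.path contains "/api/")'},
    {"id": "rl-login-old", "enabled": False,
     "expression": '(http.request.uri.path eq "/login")'},
]
# State after the customer adds the rule described in step 5.
AFTER = BEFORE + [
    {"id": "rl-login", "enabled": True,
     "expression": '(http.request.uri.path eq "/login")'},
]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_rate_limit(rules))
```
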

Authentication

API token

The customer's Cloudflare account admin creates a scoped API token in the dashboard (My Profile -> API Tokens) with the requested permissions and pastes it into Askel. Askel sends it as `Authorization: Bearer <token>` on each request; the token never reaches your servers.

Data flow

How Askel sits between your product and the customer's system

[Diagram: data flow between the customer's Cloudflare account (API endpoint), Askel (auth, mapping, drift), and your product (your backend). Data read: zones, DNS records, WAF rules, rate limits, Workers, page rules.]

FAQ for Cloudflare

What permissions does the API token need?

The minimum set for read-only access is Zone Read and, depending on what you inspect, one or more of Firewall Services Read, Workers Scripts Read, and DNS Read. Askel documents the exact permission list in the connection wizard and never requests write access unless your workflow includes a write step.

Can the token be scoped to a single zone?

Yes. Cloudflare lets you create a token that is valid for one or more specific zones. For customers with many zones, Askel supports per-zone tokens and multi-zone tokens equally.

What happens if the customer rotates or revokes the token?

API calls will return 401 errors, which Askel surfaces as a credential-expired alert on the customer's connection page. The customer creates a new token and pastes it into Askel to restore the connection. No downtime on your infrastructure is involved.

Does Askel support Cloudflare accounts with multiple zones across different plans?

Yes. The Cloudflare API returns zones regardless of plan tier, though some features such as Advanced WAF rules and Workers are only present on paid plans. Askel reads what is available on the account and skips checks for features that are not active on a given zone.

© 2025 Askel.ai. All rights reserved.