Manage your DNS with Cloudflare and OpenClaw
DNS is one of those things you touch rarely and then fumble through every time. A subdomain needs to point at a new server, an email provider asks for three TXT records, and you spend twenty minutes in a dashboard you barely remember how to navigate. If your domains are on Cloudflare, you can hand that job to your Operator.io agent instead. Once connected, it can look up your records, add or change them, delete the stale ones, and tell you what is currently pointing where. This walks through the setup and what the agent can do once it is connected.
If DNS still feels like a black box, NetworkChuck's explainer covers how a lookup resolves and what A, CNAME, MX, and TXT records each do, which is the vocabulary the agent uses when it reads a zone back to you.
The Cloudflare skill talks to the Cloudflare API v4 using a scoped bearer token. Listing zones, reading records, creating new ones, patching existing entries, and pulling a zone's assigned nameservers all go through the same authenticated client. Each change returns immediately in the API response, and DNS propagation follows the TTL on the record, typically a few minutes for proxied records and up to whatever TTL you set for DNS only entries.
What you get
With Cloudflare connected, OpenClaw works your DNS from a message:
- List the zones on your account and read the records in any of them.
- Create, update, or delete records as A, AAAA, CNAME, TXT, MX, or NS.
- Pull a zone's assigned nameservers, the detail you need when you are moving a domain onto Cloudflare.
Each record carries a TTL and, for A, AAAA, and CNAME records, a proxied flag. Proxied records route HTTP and HTTPS traffic through Cloudflare's network, so you get caching and DDoS protection, and your origin IP stays hidden. DNS only records answer with the actual address and skip Cloudflare's proxy layer, which is what you want for email routing and most TXT verification records. The agent sets that flag when you ask, so "proxied" and "DNS only" are things you say in plain language rather than orange and grey icons you click.
The record types it manages cover the jobs you actually reach for:
| Record | Common use | Proxy available |
|---|---|---|
| A and AAAA | Point a name at an IPv4 or IPv6 address | Yes |
| CNAME | Point a name at another hostname | Yes |
| MX | Route inbound mail to a provider | No, DNS only |
| TXT | SPF, DKIM, and domain verification | No, DNS only |
| NS | Delegate a subdomain to other nameservers | No |
Most of the value is in the small, error prone edits you would otherwise do by hand: pointing a new subdomain at a deploy, swapping an IP after a server move, adding the SPF and DKIM TXT records an email provider asks for, or auditing a zone you inherited and never fully read.
MX records for inbound mail, CNAME records for SaaS tools like Vercel or Shopify, and TXT records for domain verification all follow the same create and update path through the API. The DNS records guide in Cloudflare's docs covers the field definitions if you want to understand what the agent is setting.
Option A: a scoped API token
- In the Cloudflare dashboard, open My Profile, then API Tokens, and click Create Token.
- Use the Edit zone DNS template to start, or build a custom token.
- Give the token two permissions: Zone, DNS, Edit so it can change records, and Zone, Zone, Read so it can find your zone in the first place. That second one is easy to forget, and most tools need it.
- Under zone resources, choose the specific domains you want the agent to manage, or all of them.
- Create the token and copy it. Cloudflare shows it once.
Cloudflare's API token guide covers every option.
Then add it to Operator: open Environment, add a variable named CLOUDFLARE_API_TOKEN, and paste it in. The Cloudflare skill is already installed and reads it by name.
Option B: the Cloudflare MCP server
If you would rather use OAuth, open the MCPs page in your Operator dashboard, find Cloudflare, and click Add to connect the official Cloudflare MCP server. The MCP server exposes DNS tools alongside other Cloudflare services like Workers and R2, so it is worth the OAuth path if you plan to manage more than records. For DNS only, the scoped API token is simpler and easier to rotate.
Try it
Connect Telegram or Discord on the channels page, then ask:
- Point blog.mydomain.com at 76.76.21.21 with an A record, proxied.
- List every DNS record on mydomain.com and flag anything that looks stale.
- Add the SPF and DKIM TXT records Resend gave me for mydomain.com.
This pairs well with the rest of the stack. When OpenClaw deploys a site to Vercel, you can have it add the CNAME that points your domain at the deployment in the same conversation. When you set up email with Resend, it can drop in the SPF and DKIM TXT records that Resend asks for instead of you copying them across two tabs.
Migrating a domain onto Cloudflare
When you add a domain to Cloudflare, the agent can read the zone's assigned nameservers from the API and tell you exactly what to paste at your registrar. That step lives outside Cloudflare, at GoDaddy, Namecheap, Google Domains, or wherever you bought the domain. Once the nameservers propagate, Cloudflare becomes authoritative for the zone and the agent can manage every record from there.
Before you flip nameservers on a live site, have the agent audit the existing records and recreate them in Cloudflare first. Missing an MX record during migration is how email silently stops arriving.
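The pre-cutover audit described above, as an added example that is not part of the original page or the Operator skill: it compares the records exported from the old DNS host with the ones recreated in Cloudflare and lists what is still missing, mail records first. The record fields follow Cloudflare API v4 `dns_records` objects; the function names and all sample values are constructed.

```python
# Added example: find records that were not recreated before the nameserver switch.
MAIL_TYPES = {"MX", "TXT"}  # a gap here breaks delivery or mail authentication

def _key(rec):
    """Normalise a record so cosmetic differences do not count as missing."""
    name = rec["name"].rstrip(".").lower()
    content = rec["content"].strip()
    if rec["type"] in {"CNAME", "MX", "NS"}:
        content = content.rstrip(".").lower()  # hostnames are case-insensitive
    elif rec["type"] == "TXT":
        content = content.strip('"')           # zone files quote TXT data
    return (rec["type"], name, content, rec.get("priority"))

def missing_after_migration(old_records, cloudflare_records):
    """Return old records with no equivalent in Cloudflare, mail-related first."""
    present = {_key(r) for r in cloudflare_records}
    missing = [r for r in old_records if _key(r) not in present]
    return sorted(missing, key=lambda r: (r["type"] not in MAIL_TYPES, r["type"], r["name"]))

# Constructed sample: what the old host served (zone-file style, trailing dots).
OLD_HOST = [
    {"type": "A", "name": "example.com.", "content": "192.0.2.10"},
    {"type": "CNAME", "name": "www.example.com.", "content": "Example.com."},
    {"type": "MX", "name": "example.com.", "content": "mx1.mail.example.net.", "priority": 10},
    {"type": "TXT", "name": "example.com.", "content": '"v=spf1 include:_spf.example.net -all"'},
]
# Constructed sample: what has been recreated in the Cloudflare zone so far.
CLOUDFLARE = [
    {"type": "A", "name": "example.com", "content": "192.0.2.10"},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com"},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 include:_spf.example.net -all"},
]

if __name__ == "__main__":
    for rec in missing_after_migration(OLD_HOST, CLOUDFLARE):
        print("missing:", rec["type"], rec["name"], rec["content"])
```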
Good to know
Scope the token to only the zones you want the agent to manage, because a DNS write lands almost immediately and the record being changed decides what breaks when it is wrong. Point an A or CNAME at the wrong address and the site stops resolving until you fix it. Edit or drop an MX record and inbound mail either goes silent or starts routing somewhere you did not intend, the kind of change you want to read before it ships rather than after someone mentions your replies stopped arriving. The SPF, DKIM, and DMARC records that authenticate your mail behave the same way, since loosening one by accident makes it easier for a stranger to send mail that looks like it came from your domain.
That reach is the case for a read first habit rather than against handing the agent DNS at all. Have it list a zone and show you the records it intends to change before it changes them, and keep the deletes on a quick yes in chat. Keep the Zone Read permission in place even if you only mean to make edits, because without it most tools cannot resolve which zone a record belongs to, and "it cannot list my zones" is almost always that missing read permission.
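One way to back the read first habit with a check, as an added example that is not code from this page or from the Cloudflare skill: it reviews a proposed change set and flags the mail-affecting edits named above, meaning a changed or removed MX, a deleted SPF, DKIM or DMARC record, and an SPF or DMARC policy that gets looser. The before/after change shape and every sample value are assumptions made for the illustration.

```python
import re

SPF_RANK = {"-": 3, "~": 2, "?": 1, "+": 0}   # qualifier on the "all" mechanism
DMARC_RANK = {"reject": 2, "quarantine": 1, "none": 0}

def spf_strictness(txt):
    """Rank SPF by its 'all' qualifier; no 'all' term counts as neutral."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.lower())
    return SPF_RANK[m.group(1) or "+"] if m else SPF_RANK["?"]

def dmarc_strictness(txt):
    """Rank DMARC by its p= tag; a missing or unknown policy ranks lowest."""
    m = re.search(r"(?:^|;)\s*p\s*=\s*(\w+)", txt.lower())
    return DMARC_RANK.get(m.group(1), 0) if m else 0

def review(changes):
    """Return findings for changes that deserve a yes before they ship."""
    findings = []
    for ch in changes:
        before, after = ch.get("before"), ch.get("after")
        rec = before or after
        label = f'{rec["type"]} {rec["name"]}'
        if rec["type"] == "MX" and before is not None:
            findings.append(f"{label}: existing MX would be {'removed' if after is None else 'changed'}")
        if rec["type"] != "TXT" or before is None:
            continue
        old = before["content"].strip('"').lower()
        is_spf, is_dmarc = old.startswith("v=spf1"), old.startswith("v=dmarc1")
        if after is None:
            if is_spf or is_dmarc or "._domainkey." in rec["name"]:
                findings.append(f"{label}: mail authentication record would be deleted")
            continue
        new = after["content"].strip('"')
        if is_spf and spf_strictness(new) < spf_strictness(old):
            findings.append(f"{label}: SPF 'all' qualifier loosened")
        if is_dmarc and dmarc_strictness(new) < dmarc_strictness(old):
            findings.append(f"{label}: DMARC policy loosened")
    return findings

# Constructed change set in before/after form (hypothetical shape, not real data).
PROPOSED = [
    {"before": {"type": "TXT", "name": "example.com", "content": "v=spf1 mx -all"},
     "after": {"type": "TXT", "name": "example.com", "content": "v=spf1 mx +all"}},
    {"before": {"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=reject"},
     "after": {"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=none"}},
    {"before": {"type": "MX", "name": "example.com", "content": "mx1.example.net"}, "after": None},
    {"before": None, "after": {"type": "A", "name": "blog.example.com", "content": "192.0.2.10"}},
]
```

Calling `review(PROPOSED)` returns three findings; the new A record passes without one.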
A couple of record rules will bite you if you forget them. An A or AAAA record cannot share a name with a CNAME on the same hostname, and an NS record cannot share a name with any other type. TXT records for email authentication often need to stay DNS only, since proxied TXT records do not work the way you expect for SPF validation.
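The rules in the paragraph above, plus the proxy column of the record table, written as a check that runs before a write. This is an added example, not the skill's own validation or Cloudflare's; it implements only the rules this page states, and the `preflight` name, record ids and sample zone are constructed.

```python
# Added example: check one proposed record against the zone's current records.
PROXYABLE = {"A", "AAAA", "CNAME"}  # types the record table marks as proxy-capable

def _norm(name):
    return name.rstrip(".").lower()

def preflight(existing, proposed):
    """Return the rule violations for a proposed record; empty list means none."""
    ptype = proposed["type"].upper()
    # Types already at this hostname, skipping the record being replaced (same id).
    others = {r["type"] for r in existing
              if _norm(r["name"]) == _norm(proposed["name"])
              and not (proposed.get("id") and r.get("id") == proposed["id"])}
    problems = []
    if ptype in {"A", "AAAA"} and "CNAME" in others:
        problems.append("A/AAAA cannot share a name with a CNAME")
    if ptype == "CNAME" and others & {"A", "AAAA"}:
        problems.append("CNAME cannot share a name with an A/AAAA")
    if ptype == "NS" and others - {"NS"}:
        problems.append("NS cannot share a name with another type")
    if ptype != "NS" and "NS" in others:
        problems.append(f"{ptype} cannot share a name with an NS record")
    if proposed.get("proxied") and ptype not in PROXYABLE:
        problems.append(f"{ptype} is DNS only; proxied must be false")
    return problems

# Constructed zone listing (ids and addresses are placeholders).
ZONE = [
    {"id": "rec-1", "type": "A", "name": "example.com", "content": "192.0.2.10", "proxied": True},
    {"id": "rec-2", "type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
    {"id": "rec-3", "type": "NS", "name": "lab.example.com", "content": "ns1.example.net"},
    {"id": "rec-4", "type": "TXT", "name": "example.com", "content": "v=spf1 -all"},
]

if __name__ == "__main__":
    new_a = {"type": "A", "name": "www.example.com", "content": "192.0.2.20"}
    print(preflight(ZONE, new_a))
```

Passing the id of the record being replaced, as in an update, lets a CNAME be swapped for an A at the same name without tripping the conflict rule.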
One last thing the agent cannot do for you is change where a domain resolves at the registrar level. That happens by updating the nameservers at your registrar, not inside Cloudflare, so if you are migrating a domain, have it read you the zone's nameservers and then set those at the registrar yourself.
Frequently asked questions
How do I connect Cloudflare DNS to my agent?
Two ways. A scoped API token is the most direct: in the Cloudflare dashboard open My Profile, API Tokens, Create Token, and grant Zone DNS Edit plus Zone Zone Read, scoped to the domains you want the agent to manage. Add it to Operator's Environment as CLOUDFLARE_API_TOKEN. The alternative is the official Cloudflare MCP server, connected over OAuth from the MCPs page. Either works.
Why can't the agent list my Cloudflare zones?
Almost always a missing Zone Read permission. Keep Zone, Zone, Read on the token even if you only mean to make edits, because without it most tools cannot resolve which zone a record belongs to. Pair it with Zone, DNS, Edit so the agent can both find your zone and change records. If a token has edit but not read, "it cannot list my zones" is the usual symptom.
What DNS records can the agent manage?
It can list your zones and read their records, then create, update, or delete A, AAAA, CNAME, TXT, MX, and NS records, each with a TTL. For A, AAAA, and CNAME it also sets the proxied flag, so "proxied" and "DNS only" are things you say in plain language rather than icons you click. Two rules still apply: an A or AAAA cannot share a name with a CNAME, and an NS record cannot share a name with another type.
Can the agent move a domain onto Cloudflare?
It can do the DNS side but not the registrar side. Where a domain resolves is set by the nameservers at your registrar, not inside Cloudflare, so the agent cannot change that for you. The useful move when migrating is to have it read you the zone's assigned nameservers, then you set those at the registrar yourself. After that, it manages the records normally.