If your domains are on Cloudflare, you can let Devani Hosting configure the DNS for your custom domains automatically — you paste one scoped API token, and from then on every custom domain you attach is pointed and secured for you, with nothing to add by hand.
This is a Whitelabel Agency feature. (If your domains aren't on Cloudflare, see *Custom domains: adding DNS records manually* instead — no token needed.)
Create the token (the right way)
The key detail that trips people up: create a User API Token, not an Account API Token. They live in different places, and the *Account* token builder has a bug ("Account tag in access policy must match tag in request URI") when you scope it to all domains. The User token works first try.
- In Cloudflare, click your profile icon (top-right) → My Profile → API Tokens.
- ⚠️ Not "Account API Tokens" under an account — that's the one with the bug.
- Create Token → Create Custom Token.
- Permissions — add exactly two rows:
Zone→DNS→EditZone→Zone→Read
- Zone Resources →
Include→ change the dropdown toAll zones from an account→ pick your account.
- This is the "all domains" scope. It covers every domain you have now *and* any you add later.
- (Prefer to limit it? Choose
Specified zonesand pick only the client domains you'll host. It works the same; you'd just update the token when you add a new domain.)
- Continue → Create Token → copy it.
You do not need "Entire Account" or a Global API Key — DNS:Edit + Zone:Read is all Devani uses.
Add it to Devani
- In your Devani dashboard go to Account → Automatic DNS (Cloudflare).
- Paste the token and Save. We verify it against Cloudflare and show the zones it can manage.
The token is stored encrypted and is only ever used to create the DNS records your custom domains need. Remove or replace it anytime from the same card.
What happens next
When you attach a custom domain (dashboard or API), Devani creates the routing record and the certificate-validation record in your Cloudflare zone automatically, and the domain goes live on HTTPS within a few minutes. If a record is already in the way, you'll be asked to confirm before anything is replaced — so a live domain is never repointed by surprise.