# Cloudflare credentials (server-side only, never sent to browser)
CLOUDFLARE_ACCOUNT_ID=your_account_id_here
CLOUDFLARE_API_TOKEN=your_api_token_here

# Required API Token permissions:
#   - Access: Apps and Policies Write  (list + create Access apps)
#   - Cloudflare Tunnel: Edit          (create / configure / delete tunnels)
#   - DNS: Edit                        (create CNAME records)
#   - Zone: Read                       (lookup zone ID for a hostname)

# Optional: Cloudflare Access Service Token for fetching server metrics
# (Create one in Zero Trust > Settings > Service Auth)
CF_SERVICE_CLIENT_ID=
CF_SERVICE_CLIENT_SECRET=