From 3da39ca0d5952038ff7e2916463502efd208d4cb Mon Sep 17 00:00:00 2001
From: kappa <kappa@inouter.com>
Date: Mon, 13 Apr 2026 09:27:11 +0900
Subject: [PATCH] =?UTF-8?q?docs:=20CF=20API=20=ED=86=A0=ED=81=B0=20?=
 =?UTF-8?q?=EA=B6=8C=ED=95=9C=20=EB=B2=94=EC=9C=84=20=EC=8B=A4=EC=B8=A1=20?=
 =?UTF-8?q?=EA=B8=B0=EB=A1=9D=20=E2=80=94=20Rulesets/Firewall/RateLimit=20?=
 =?UTF-8?q?=EC=A0=91=EA=B7=BC=20=EB=B6=88=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 infra/cloudflare.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/infra/cloudflare.md b/infra/cloudflare.md
index addec20..d6241f8 100644
--- a/infra/cloudflare.md
+++ b/infra/cloudflare.md
@@ -11,6 +11,22 @@ Syn 이 엣지 관점에서 소유. 일반 DNS 관리 협업은 Heimdall.
 - ID: `d8e5997eb4040f8b489f09095c0f623c` (kappa@inouter.com)
 - API 토큰: Vault `secret/cloud/cloudflare` (`api_token`, `email`)
 
+### API 토큰 권한 범위 (2026-04-13 실측)
+
+| 엔드포인트 | 권한 |
+|-----------|------|
+| Zone Read | ✅ |
+| DNS Read/Write | ✅ |
+| Turnstile Read | ✅ (Write는 ❌ 403) |
+| Workers Read | ✅ |
+| KV Read | ✅ |
+| Rulesets (WAF/Rate Limit 규칙) | ❌ 403 |
+| Firewall Rules | ❌ 403 |
+| Rate Limits (legacy) | ❌ 403 |
+| Zone Settings | ❌ 403 |
+
+⚠️ **Rate Limit, WAF 규칙, Firewall 설정은 API로 조회/변경 불가 — 대시보드에서만 관리 가능**. 토큰 스코프 확장이 필요하면 CF 대시보드 > My Profile > API Tokens에서 편집.
+
 ## Zone
 
 | Zone | Zone ID | Status | Plan | NS | DNS rec | 비고 |