From 4a3fbedf98d040033a822e7090ab27959d1fdd7d Mon Sep 17 00:00:00 2001
From: alexzorin
Date: Fri, 13 Mar 2020 14:38:13 +1100
Subject: [PATCH] Cloudflare: Document that permissions can be further restricted by use of CF_Zone_ID
---
 dnsapi.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/dnsapi.md b/dnsapi.md
index 31d8f78..464ab79 100644
--- a/dnsapi.md
+++ b/dnsapi.md
@@ -22,6 +22,13 @@ export CF_Account_ID="xxxxxxxxxxxxx"
 ```
 In order to use the new token, the token currently needs access read access to Zone.Zone, and write access to Zone.DNS, across all Zones. See [Issue #2398](https://github.com/Neilpang/acme.sh/issues/2398) for more info.
+To restrict permissions to the greatest extent possible, you can create an API Token with write access to Zone.DNS for a single domain, and then specify the `CF_Zone_ID` directly:
+
+```
+export CF_Token="sdfsdfsdfljlbjkljlkjsdfoiwje"
+export CF_Account_ID="xxxxxxxxxxxxx"
+export CF_Zone_ID="xxxxxxxxxxxxx"
+```
 Ok, let's issue a cert now:
 ```