# Cloudflare Tunnel Notes

## API Token Permissions (recommended)
- Account: Cloudflare Tunnel (read/edit)
- Zone: DNS (read/edit)

## Credentials
`cloudflared tunnel create` generates a credentials JSON file under:
`~/.cloudflared/<tunnel-id>.json`

This skill's generated `config.yml` references that file directly.

## Ingress
Default pattern:
- Hostname -> LOCAL_SERVICE
- Fallback -> 404

## Rollback Order
1. Stop/disable service
2. Remove DNS route
3. Delete tunnel (optional)