Configuring Cloudflare in DNS-O-matic

Today I ran into an issue configuring DNS-O-Matic to update my Cloudflare DNS records (specifically, the record with the dynamic IP that points to my home IP address, and is automatically updated by the router in my home network). I entered all necessary settings in the DNS-O-Matic form, but when I sent an update to it the update to the Cloudflare service always errored out with message “err Invalid request headers (6003)”.

After a bit of trial and error, and going back and forth through documentation and tutorials, I finally figured out that the DNS-O-Matic field that says “API Token” does not expect what Cloudflare calls an API Token; it wants Cloudflare’s Global API Key.

This is actually clear in Cloudflare’s documentation on how to set up DNS-O-Matic, although I think it needs to be more explicitly stated that you’re not supposed to use the Cloudflare thing with the same name that the DNS-O-Matic form has. Maybe the documentation predates the implementation of API Tokens on Cloudflare’s side and that’s why the terminology isn’t the clearest.

Once I put my Global API key there, the updates started working as expected. Then I pinged OpenDNS on Twitter to see if they have any plans of supporting API Tokens instead of the global API key, which would allow for more granular control of what they can do and would be a good security practice. That way if the DNS-O-Matic databases ever got compromised, the attackers wouldn’t get complete control over our Cloudflare accounts.
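Added example, not part of the original post or of any Cloudflare or DNS-O-Matic code: a minimal Python sketch of updating the dynamic record directly through the Cloudflare v4 API with a scoped API Token, next to the header pair the Global API Key uses. The zone ID, record ID, environment variable names and sample values are placeholders, and the token is assumed to carry DNS edit permission on the one zone only.

```python
import ipaddress
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def auth_headers(token=None, email=None, global_key=None):
    """Return Cloudflare auth headers for a scoped token or the legacy key pair."""
    if token:
        # Scoped API Token: one bearer header, limited to the permissions granted.
        return {"Authorization": f"Bearer {token}"}
    if email and global_key:
        # Global API Key: account-wide credential, sent with the account email.
        return {"X-Auth-Email": email, "X-Auth-Key": global_key}
    raise ValueError("need a token, or an email plus global key")

def build_update(zone_id, record_id, name, ip, token):
    """Build (not send) a PATCH that points an existing A/AAAA record at ip."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on anything not an IP
    body = {"type": "A" if addr.version == 4 else "AAAA",
            "name": name, "content": str(addr)}
    headers = {**auth_headers(token=token), "Content-Type": "application/json"}
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/dns_records/{record_id}",
        data=json.dumps(body).encode(), headers=headers, method="PATCH")

def send(req):
    """Send the request and return Cloudflare's 'success' flag."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("success", False)

if __name__ == "__main__":
    # Placeholder variable names: supply real values through the environment.
    req = build_update(os.environ["CF_ZONE_ID"], os.environ["CF_RECORD_ID"],
                       os.environ["CF_RECORD_NAME"], os.environ["NEW_IP"],
                       os.environ["CF_API_TOKEN"])
    print("updated" if send(req) else "update failed")
```

A token stored this way can change DNS records in one zone if it leaks; the Global API Key header pair grants everything the account owner can do.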

11 thoughts on “Configuring Cloudflare in DNS-O-matic”

  1. Lucent

    Using the global API key to update a DNS entry is absurd. Is there some permission we can generate that’ll allow a specific token to work?

  2. Robert Dole

    I’m confused with what to put in the hostname and domain.
    If I have blah.duckdns.com
    would the hostname be: blah and domain duckdns.com ?

    1. alexvy86 (Post author)

      Put the whole thing in hostname (blah.duckdns.com) and just duckdns.com in domain.

  3. Mike

    Hi Alex – thanks for the article – that helped exactly with my same problem!
    As Twitter suggested to write an email –> have you ever got an update from them?
    (Because it seems that the “problem” is still the same that we have to use the Global API Token..)
    Thanks

    1. alexvy86 (Post author)

      I just looked and I couldn’t find an email to them, so it might have fallen through the cracks. Feel free to send one, though 🙂

  4. duke999s

    Thanks everyone, this saved me after an afternoon of trying different configs using Marcs client updater, DNS-O-Matic and Cloudflare.

    Finally using

    a dnsomatic service for each subdomain (setting host as above!)
    the Marcs hostname of to reach each dnsomatic service and the legacy Cloudflare api key!

    1. Anonymous569

      dukes999s…. can you expand on your statement, I’m not sure I’m entirely clear what was done here? Trying to do the same for my subdomains.

      “the Marcs hostname of to reach each dnsomatic service and the legacy cloudfare api key!”

      Thanks.

  5. Frank Gurdradee

    Thanks, this fixed my problem! Dns-O-Matic needs to update the wording on their Cloudflare config screen… very annoying.

  6. Woomera

    I’ve been struggling to get this to work for the past day.

    This helped me resolve it, thank you.

  7. SimonC

    A google-splat got me here, and gave me the hints for the right answer in getting ddclient to work with cloudflare

    ddclient requires an “account” level API token, not a “user” level token.

    permissions on the zone – Zone:Read, DNS:Edit
    login:token
    password=[the api key]
