When using CF automatic dns mgnmnt with a token, entering an email will let it fail

max0l · May 13, 2026, 9:28pm

Your question

I tried to set up Cloudflare automatic DNS management with an API token.

After filling out the form on the WebUI the E-Mail field was optional, and I thought to myself, that this wouldn’t hurt to add.

But it did. Requets failed with:

{
   "errors": [
      {
         "code": 6003,
         "error_chain": [
            {
               "code": 6103,
               "message": "Invalid format for X-Auth-Key header"
            }
         ],
         "message": "Invalid request headers"
      }
   ],
   "messages": [],
   "result": null,
   "success": false
}

After I removed the E-Mail address from the “optional” field, it worked.
I only found out after reading Configuration | Stalwart

It fails because the E-mail field should be used only if not an API token but an API key is used.

I would suggest making this more clear.

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

on

helpbot · May 13, 2026, 9:29pm

Good. I can see clearly in the source code (update.rs line 93-94) that server.email is passed alongside server.secret.secret() to new_cloudflare() – meaning if you supply an email, the server will switch to the legacy X-Auth-Email / X-Auth-Key authentication flow, which expects the secret to be a global API key, not a token. That matches the error you received perfectly.

You’ve correctly identified the issue: the WebUI’s email field on a Cloudflare DNS provider is not an optional decoration – it switches the authentication mode entirely.

API token (modern): leave the email field empty and put your token in secret. Stalwart sends the Authorization: Bearer <token> header.
Global API key (legacy): fill in email and put your global API key in secret. Stalwart sends X-Auth-Email / X-Auth-Key headers.

When you filled in your email alongside an API token, the server used the legacy header flow, which caused Cloudflare to reject the token as an invalid X-Auth-Key value – exactly the 6103: Invalid format for X-Auth-Key header error you saw.

The docs do state this clearly:

email: account email used with the legacy X-Auth-Email / X-Auth-Key flow. Leave unset to authenticate with an API token.

But the WebUI labeling of the field as simply “optional” without this context is misleading. Your suggestion to make the distinction more prominent in the WebUI form (e.g., a tooltip or inline warning) is a valid UX improvement – a human staff member can take that forward.

Reference: ACME Configuration > Cloudflare

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.

stalwart · May 20, 2026, 5:30am

A fix will be included in v0.16.6.

Topic		Replies	Views
Manual task execution and testing Feature Ideas	2	53	June 2, 2026
"Account does not have a password" error when using the webui Issues	5	37	June 6, 2026
DNS TXT record not enclosed with `"` Issues	4	62	May 10, 2026
Support Hetzner DNS for automatic DNS management Feature Ideas	8	90	May 21, 2026
Cloudflare DNS API incorrect DKIM Issues	9	83	June 6, 2026

When using CF automatic dns mgnmnt with a token, entering an email will let it fail

Your question

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

Related topics