claudetools/.claude/memory/ix-whm-dns-api-access.md

---
name: ix-whm-dns-api-access
description: IX cPanel/WHM API access uses the FULL-ACCESS-root 'ClaudeTools' API token (header auth), NOT the root password
metadata:
  type: reference
---

All WHM API work on **IX** (`ix.azcomputerguru.com:2087`, the primary cPanel/WHM box,
public NS `ns1/ns2.acghosting.com` = `52.52.94.202`) — DNS zone edits and everything else —
authenticates with the **WHM API token** named **`ClaudeTools`**, used as a header, NOT the
root password. The token is **FULL-ACCESS ROOT** (capable of ALL WHM API actions, not
DNS-scoped) — treat it as a root credential.

**Working method:**
```
curl -4 -sk "https://ix.azcomputerguru.com:2087/json-api/<func>?api.version=1&..." \
  -H "Authorization: whm root:$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/ix-server.sops.yaml credentials.whm-api-token)"
```

**Why (the trap that burned ~an hour on 2026-06-12):** the legacy `/json-api/` path with
**basic-auth password** (`-u root:<password>`) now returns `HTTP 403 Forbidden Access
denied` (a `cpanelresult` JSON, denied **pre-auth** — bad creds give the same 403). It is
NOT cPHulk (disabled) and NOT an Imunify IP block (the WHM login page `/:2087/` returns 200
from the same IP; whitelisting the IP does nothing). cpsrvd/Imunify simply rejects
password-based scripted `json-api` access; the API token is the supported client.

**Token location:** vault `infrastructure/ix-server.sops.yaml` → `credentials.whm-api-token`
(also documented in that entry's plaintext `notes`). `credentials.password` is still the
real root password but DOES NOT work for the API — leave it for SSH/console only.

Common funcs: `dumpzone` (read), `addzonerecord` / `editzonerecord` / `removezonerecord`
(write; cPanel auto-bumps SOA serial + cluster-syncs to the public NS), `synczone`
(force cluster push). Force IPv4 (`curl -4`) for a stable egress IP. Related: [[neptune-exchange-mail-hosting]].