claudetools/.claude/memory/ix-whm-dns-api-access.md

name, description, metadata

name	description	metadata
ix-whm-dns-api-access	IX cPanel/WHM API access uses the FULL-ACCESS-root 'ClaudeTools' API token (header auth), NOT the root password	type reference

All WHM API work on IX (ix.azcomputerguru.com:2087, the primary cPanel/WHM box, public NS ns1/ns2.acghosting.com = 52.52.94.202) — DNS zone edits and everything else — authenticates with the WHM API token named ClaudeTools, used as a header, NOT the root password. The token is FULL-ACCESS ROOT (capable of ALL WHM API actions, not DNS-scoped) — treat it as a root credential.

Working method:

curl -4 -sk "https://ix.azcomputerguru.com:2087/json-api/<func>?api.version=1&..." \
  -H "Authorization: whm root:$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/ix-server.sops.yaml credentials.whm-api-token)"

Why (the trap that burned ~an hour on 2026-06-12): the legacy /json-api/ path with basic-auth password (-u root:<password>) now returns HTTP 403 Forbidden Access denied (a cpanelresult JSON, denied pre-auth — bad creds give the same 403). It is NOT cPHulk (disabled) and NOT an Imunify IP block (the WHM login page /:2087/ returns 200 from the same IP; whitelisting the IP does nothing). cpsrvd/Imunify simply rejects password-based scripted json-api access; the API token is the supported client.

Token location: vault infrastructure/ix-server.sops.yaml → credentials.whm-api-token (also documented in that entry's plaintext notes). credentials.password is still the real root password but DOES NOT work for the API — leave it for SSH/console only.

Common funcs: dumpzone (read), addzonerecord / editzonerecord / removezonerecord (write; cPanel auto-bumps SOA serial + cluster-syncs to the public NS), synczone (force cluster push). Force IPv4 (curl -4) for a stable egress IP. Related: neptune-exchange-mail-hosting.