SWAG + Cloudflare DNS Challenge → Error determining zone_id: 9103 Unknown X-Auth-Key / X-Auth-Email → Certificate won’t create

Hi everyone,
I’m trying to get SWAG running on my Synology NAS (Docker Compose), to reverse-proxy my Home Assistant instance via HTTPS on my own domain (hosted on Cloudflare, DNS A record pointing correctly).

The goal is to have valid Let’s Encrypt certificates because Home Assistant TTS (Text-to-Speech) via Sonos requires them.

Setup:
• Synology DS220+, SWAG running in Docker with docker-compose
• DNS provider: Cloudflare (Free plan)
• DNS challenge (DNSPLUGIN=cloudflare)
• API Token created as per official docs (Zone DNS → Edit, Zone → Read, for the whole account)
• Token stored correctly in /config/dns-conf/cloudflare.ini → dns_cloudflare_api_token=

SWAG starts and logs this error every time:

ERROR: Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email
→ Cert does not exist

I’ve double-checked everything:

:white_check_mark: Token has correct permissions

:white_check_mark: Correct DNS A record is present

:white_check_mark: The token is used in cloudflare.ini (no quotes)

:white_check_mark: Email is not used in cloudflare.ini (only the token)

:white_check_mark: Domain resolves fine externally

:white_check_mark: Cloudflare account + domain active

I’ve also regenerated the token multiple times → same issue.

Question:

→ What else could cause this Unknown X-Auth-Key / X-Auth-Email error when using an API token (not global API key)?

→ Is there any known incompatibility with Cloudflare Free Plan + API Token + SWAG 4.x.x + DNS-01 Challenge?

Thanks a lot for any tips or ideas — I’m stuck here for hours.

  1. i suggest joining discord for support
  2. if the error you get mentioned auth-email when using an api key, it sounds like you have done something incorrectly in your .ini file. share that file (with some redaction) if you want help
  3. there are no issues with free plan
  4. • API Token created as per official docs (Zone DNS → Edit, Zone → Read, for the whole account) this is the incorrect config for a scoped token, please read the documentation Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation