diff --git a/internal/applicant/providers.go b/internal/applicant/providers.go
index 90e8a972..a9c8a329 100644
--- a/internal/applicant/providers.go
+++ b/internal/applicant/providers.go
@@ -137,6 +137,7 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 
 			applicant, err := pCloudflare.NewChallengeProvider(&pCloudflare.ChallengeProviderConfig{
 				DnsApiToken:           access.DnsApiToken,
+				ZoneApiToken:          access.ZoneApiToken,
 				DnsPropagationTimeout: options.DnsPropagationTimeout,
 				DnsTTL:                options.DnsTTL,
 			})
diff --git a/internal/domain/access.go b/internal/domain/access.go
index dc796c83..a534db69 100644
--- a/internal/domain/access.go
+++ b/internal/domain/access.go
@@ -75,7 +75,8 @@ type AccessConfigForCdnfly struct {
 }
 
 type AccessConfigForCloudflare struct {
-	DnsApiToken string `json:"dnsApiToken"`
+	DnsApiToken  string `json:"dnsApiToken"`
+	ZoneApiToken string `json:"zoneApiToken,omitempty"`
 }
 
 type AccessConfigForClouDNS struct {
diff --git a/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare/cloudflare.go b/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare/cloudflare.go
index 9782b39b..cdfc1313 100644
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare/cloudflare.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare/cloudflare.go
@@ -9,6 +9,7 @@ import (
 
 type ChallengeProviderConfig struct {
 	DnsApiToken           string `json:"dnsApiToken"`
+	ZoneApiToken          string `json:"zoneApiToken,omitempty"`
 	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
 	DnsTTL                int32  `json:"dnsTTL,omitempty"`
 }
@@ -20,6 +21,7 @@ func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider,
 
 	providerConfig := cloudflare.NewDefaultConfig()
 	providerConfig.AuthToken = config.DnsApiToken
+	providerConfig.ZoneToken = config.ZoneApiToken
 	if config.DnsPropagationTimeout != 0 {
 		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
 	}
diff --git a/ui/src/components/access/AccessFormCloudflareConfig.tsx b/ui/src/components/access/AccessFormCloudflareConfig.tsx
index cd760ed6..a06d753d 100644
--- a/ui/src/components/access/AccessFormCloudflareConfig.tsx
+++ b/ui/src/components/access/AccessFormCloudflareConfig.tsx
@@ -30,6 +30,11 @@ const AccessFormCloudflareConfig = ({ form: formInst, formName, disabled, initia
       .min(1, t("access.form.cloudflare_dns_api_token.placeholder"))
       .max(64, t("common.errmsg.string_max", { max: 64 }))
       .trim(),
+    zoneApiToken: z
+      .string()
+      .max(64, t("common.errmsg.string_max", { max: 64 }))
+      .trim()
+      .nullish(),
   });
   const formRule = createSchemaFieldRule(formSchema);
 
@@ -54,6 +59,15 @@ const AccessFormCloudflareConfig = ({ form: formInst, formName, disabled, initia
       >
         <Input.Password autoComplete="new-password" placeholder={t("access.form.cloudflare_dns_api_token.placeholder")} />
       </Form.Item>
+
+      <Form.Item
+        name="zoneApiToken"
+        label={t("access.form.cloudflare_zone_api_token.label")}
+        rules={[formRule]}
+        tooltip={<span dangerouslySetInnerHTML={{ __html: t("access.form.cloudflare_zone_api_token.tooltip") }}></span>}
+      >
+        <Input.Password autoComplete="new-password" placeholder={t("access.form.cloudflare_zone_api_token.placeholder")} />
+      </Form.Item>
     </Form>
   );
 };
diff --git a/ui/src/domain/access.ts b/ui/src/domain/access.ts
index ed1bc1ee..9038676b 100644
--- a/ui/src/domain/access.ts
+++ b/ui/src/domain/access.ts
@@ -114,6 +114,7 @@ export type AccessConfigForCdnfly = {
 
 export type AccessConfigForCloudflare = {
   dnsApiToken: string;
+  zoneApiToken?: string;
 };
 
 export type AccessConfigForClouDNS = {
diff --git a/ui/src/i18n/locales/en/nls.access.json b/ui/src/i18n/locales/en/nls.access.json
index ef2f481d..09dd15fd 100644
--- a/ui/src/i18n/locales/en/nls.access.json
+++ b/ui/src/i18n/locales/en/nls.access.json
@@ -111,9 +111,12 @@
   "access.form.cdnfly_api_secret.label": "Cdnfly user API secret",
   "access.form.cdnfly_api_secret.placeholder": "Please enter Cdnfly user API secret",
   "access.form.cdnfly_api_secret.tooltip": "For more information, see <a href=\"https://doc.cdnfly.cn/shiyongjieshao.html\" target=\"_blank\">https://doc.cdnfly.cn/shiyongjieshao.html</a>",
-  "access.form.cloudflare_dns_api_token.label": "Cloudflare API token",
-  "access.form.cloudflare_dns_api_token.placeholder": "Please enter Cloudflare API token",
+  "access.form.cloudflare_dns_api_token.label": "Cloudflare DNS API token",
+  "access.form.cloudflare_dns_api_token.placeholder": "Please enter Cloudflare DNS API token",
   "access.form.cloudflare_dns_api_token.tooltip": "For more information, see <a href=\"https://developers.cloudflare.com/fundamentals/api/get-started/create-token/\" target=\"_blank\">https://developers.cloudflare.com/fundamentals/api/get-started/create-token/</a>",
+  "access.form.cloudflare_zone_api_token.label": "Cloudflare Zone API token (Optional)",
+  "access.form.cloudflare_zone_api_token.placeholder": "Please enter Cloudflare Zone API token",
+  "access.form.cloudflare_zone_api_token.tooltip": "For more information, see <a href=\"https://developers.cloudflare.com/fundamentals/api/get-started/create-token/\" target=\"_blank\">https://developers.cloudflare.com/fundamentals/api/get-started/create-token/</a><br><br>Only required when you scope the DNS API token to <b>specific zones</b>. PLease scope the Zone API token to <b>all zones</b> with <i>Zone/Zone/Read</i> permission.",
   "access.form.cloudns_auth_id.label": "ClouDNS API user ID",
   "access.form.cloudns_auth_id.placeholder": "Please enter ClouDNS API user ID",
   "access.form.cloudns_auth_id.tooltip": "For more information, see <a href=\"https://www.cloudns.net/wiki/article/42/\" target=\"_blank\">https://www.cloudns.net/wiki/article/42/</a>",
diff --git a/ui/src/i18n/locales/zh/nls.access.json b/ui/src/i18n/locales/zh/nls.access.json
index bec170b6..b5bd5543 100644
--- a/ui/src/i18n/locales/zh/nls.access.json
+++ b/ui/src/i18n/locales/zh/nls.access.json
@@ -105,9 +105,12 @@
   "access.form.cdnfly_api_secret.label": "Cdnfly 用户端 API Secret",
   "access.form.cdnfly_api_secret.placeholder": "请输入 Cdnfly 用户端 API Secret",
   "access.form.cdnfly_api_secret.tooltip": "这是什么？请参阅 <a href=\"https://doc.cdnfly.cn/shiyongjieshao.html\" target=\"_blank\">https://doc.cdnfly.cn/shiyongjieshao.html</a>",
-  "access.form.cloudflare_dns_api_token.label": "Cloudflare API Token",
-  "access.form.cloudflare_dns_api_token.placeholder": "请输入 Cloudflare API Token",
+  "access.form.cloudflare_dns_api_token.label": "Cloudflare DNS API 令牌",
+  "access.form.cloudflare_dns_api_token.placeholder": "请输入 Cloudflare DNS API 令牌",
   "access.form.cloudflare_dns_api_token.tooltip": "这是什么？请参阅 <a href=\"https://developers.cloudflare.com/fundamentals/api/get-started/create-token/\" target=\"_blank\">https://developers.cloudflare.com/fundamentals/api/get-started/create-token/</a>",
+  "access.form.cloudflare_zone_api_token.label": "Cloudflare Zone API 令牌（可选）",
+  "access.form.cloudflare_zone_api_token.placeholder": "请输入 Cloudflare Zone API 令牌",
+  "access.form.cloudflare_zone_api_token.tooltip": "这是什么？请参阅 <a href=\"https://developers.cloudflare.com/fundamentals/api/get-started/create-token/\" target=\"_blank\">https://developers.cloudflare.com/fundamentals/api/get-started/create-token/</a><br><br>仅当你将 DNS API 令牌范围指定为<b>特定域</b>时需要填写，请将 Zone API 令牌范围指定为<b>全部域</b>，并分配 <i>Zone/Zone/Read</i> 权限。",
   "access.form.cloudns_auth_id.label": "ClouDNS API 用户 ID",
   "access.form.cloudns_auth_id.placeholder": "请输入 ClouDNS API 用户 ID",
   "access.form.cloudns_auth_id.tooltip": "这是什么？请参阅 <a href=\"https://www.cloudns.net/wiki/article/42/\" target=\"_blank\">https://www.cloudns.net/wiki/article/42/</a>",