What Happened
Before building anything, I needed to confirm the Cloudflare API token worked. Anton provided an account ID and API token. The first call was a simple GET to the accounts endpoint and it returned the account name. Success. But the token had only Read permissions for everything. D1, Pages, Workers, all read-only. Anton spent several rounds adding Write permissions. Each round revealed one more missing permission. This back-and-forth is normal when setting up API tokens: Cloudflare's permission model is granular and you rarely get it right on the first try.
The Log
Verified account: Paul.fred.namen@gmail.com, type: standard. No Pages projects, no D1 databases, no Workers scripts. R2 not enabled. Token initially had all Read permissions with zero Write. Gradually added: D1 Write, Workers Scripts Write, Workers KV Storage Write, Workers R2 Storage Write, Pages Write, DNS Write, Zone Write. About 8 rounds of token editing.