diff --git a/hosts/sentinel/acme.nix b/hosts/sentinel/acme.nix
index 5100774..c257605 100644
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@@ -1,8 +1,14 @@
 {config, ...}: let
 inherit (config.repo.secrets.local) acme;
 in {
- age.secrets.acme-credentials = {
- rekeyFile = ./secrets/acme-credentials.age;
+ age.secrets.acme-cloudflare-dns-token = {
+ rekeyFile = ./secrets/acme-cloudflare-dns-token.age;
+ mode = "440";
+ group = "acme";
+ };
+
+ age.secrets.acme-cloudflare-zone-token = {
+ rekeyFile = ./secrets/acme-cloudflare-zone-token.age;
 mode = "440";
 group = "acme";
 };
@@ -11,7 +17,10 @@ in {
 acceptTerms = true;
 defaults = {
 inherit (acme) email;
- credentialsFile = config.age.secrets.acme-credentials.path;
+ credentialFiles = {
+ CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
+ CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
+ };
 dnsProvider = "cloudflare";
 dnsPropagationCheck = true;
 reloadServices = ["nginx"];
diff --git a/hosts/sentinel/secrets/acme-cloudflare-dns-token.age b/hosts/sentinel/secrets/acme-cloudflare-dns-token.age
new file mode 100644
index 0000000..612643b
Binary files /dev/null and b/hosts/sentinel/secrets/acme-cloudflare-dns-token.age differ
diff --git a/hosts/sentinel/secrets/acme-cloudflare-zone-token.age b/hosts/sentinel/secrets/acme-cloudflare-zone-token.age
new file mode 100644
index 0000000..c26ae7a
--- /dev/null
+++ b/hosts/sentinel/secrets/acme-cloudflare-zone-token.age
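Review bot: The two `_FILE` entries in the new `credentialFiles` attrset say nothing about the scope each token must carry, and that scope split is the whole point of replacing the single `credentialsFile`; someone regenerating either token later has nothing in the repo to go by. I would add above `credentialFiles = {`: `# Two least-privilege tokens: CF_DNS_API_TOKEN needs Zone:DNS:Edit on the zone, CF_ZONE_API_TOKEN only Zone:Zone:Read (lego appears to use it just to resolve the zone ID).` The credential previously wrapped in `acme-credentials.age` is deleted from the tree, but nothing on the page shows it being revoked at the provider, and removing an encrypted file from the working tree does not invalidate the token it held, so that is worth confirming outside the commit. The `security.acme` block starts before and continues past this hunk.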
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 Y7J0KmGssDwytzJSMTKnb2qVfCBEl4nMiKeg4PDhbhM +R+FV22jr0XcybGJk8Z2o40O5ptRK3NPgQOxJ7HlORho +-> piv-p256 xqSe8Q AyC1XlhbGhbfUBn4gV56t48AazKi5Lt9H5BCOZqbTtOp +s3mrvVrMZ/kTdUSjKyBWa5hUFL2fwL2xRo7UFF0AwP0 +-> Ao-grease vp@ m_b +oV7D7L5dZtF75bJ6Ms0yZr92rENJmE4xKpdlBp4h40onYWv1Z17R2/bmygv5MD9+ +S7J25g3rxfk00fUOK8cwDcWyRtp4jQqcooJyrQ +--- J/aXuudcbUAfU06R065fsvPTX2qZr0w0eZ9gI6I+McY +vÂâ-##·¬=|Ú•½-IÝR†·¿Ýn<§z´fÄ.\œõ‘cU/OÓ 6÷¶ë¼±ˆÜož’Þ$õ¶8\Ò6E•ËeËí†n \ No newline at end of file
diff --git a/hosts/sentinel/secrets/acme-credentials.age b/hosts/sentinel/secrets/acme-credentials.age
deleted file mode 100644
index 2bbf452..0000000
Binary files a/hosts/sentinel/secrets/acme-credentials.age and /dev/null differ