ok think i found it paused = true or false
https://api.cloudflare.com/#zone-edit-zone-properties
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}" \
-H "X-Auth-Email: $cfemail" \
-H "X-Auth-Key: $cfkey" \
-H "Content-Type: application/json" \
--data '{"paused":false}'
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZID}" \
-H "X-Auth-Email: $cfemail" \
-H "X-Auth-Key: $cfkey" \
-H "Content-Type: application/json" \
--data '{"paused":true}'
yup seems to be it !
paused = true via API call
Unfortunately, this might not be feasible for folks behind Cloudflare for protection/anti-DDOS reasons as you do not want to expose your origin server’s IP address even temporarily especially when folks can look up when your Letsencrypt SSL certificate is about to expire and needs renewal.
I wonder if you can setup a Cloudflare page rule to only allow .well-known urls to go through ?