cloudflare-mcp
Cloudflare's official MCP server. Lets agents manage Workers, R2 buckets, KV namespaces, DNS, Pages projects, cache purges. API-token authenticated.
Default for any agent that operates Cloudflare infra. Cloudflare tokens are well-scoped — exploit that.
What it does
Wraps the Cloudflare REST API as MCP tools. Coverage is broad: list_workers, deploy_worker, purge_cache, list_dns_records, update_dns_record, list_kv_namespaces, read_kv_value, write_kv_value, list_r2_buckets, list_pages_projects. Authentication is a Cloudflare API token passed via env.
When you actually need it
Three patterns:
- Cache purge after content updates. The classic — your agent updates a blog post, then asks the cloudflare-mcp to purge the relevant URLs. Often part of a chained workflow.
- DNS edits during incidents. An agent watches your monitoring (via another tool), and when a record needs to change (failover, IP rotation), it drafts the change, waits for human approval, then applies.
- Workers script ops. Agents that deploy edge functions — building, deploying, rolling back. With proper scoping this is safe; with broad scopes it’s terrifying.
Setup
Create a Cloudflare API token at dash.cloudflare.com/profile/api-tokens. Use a template close to what you need:
- Edit zone DNS — for DNS automations
- Workers Scripts:Edit — for Workers deploys
- Cache Purge — for cache busting
Then trim. The templates often grant more than you need (e.g. Edit zone DNS includes settings the agent doesn’t touch). Check the per-permission-group breakdown.
"cloudflare": {
"command": "npx",
"args": ["-y", "@cloudflare/mcp-server-cloudflare"],
"env": {
"CLOUDFLARE_API_TOKEN": "…",
"CLOUDFLARE_ACCOUNT_ID": "…"
}
}
The catch
Cloudflare API tokens are arguably the best-in-class auth model for agentic infrastructure access — fine-grained per-resource, per-permission-group. The catch is humans don’t use them well. Two patterns to avoid:
- The “Edit Zone DNS” trap. That template grants edit on the whole zone; if you only need to edit one record-name pattern, the policy language supports a filter. Use it.
- The “I’ll just use Global API Key” shortcut. Global API Keys exist for legacy reasons. Don’t. Ever.
For agent workloads: rotate tokens monthly, scope per-purpose (one for cache, one for DNS, one for Workers), and watch the Cloudflare audit log on a schedule. Cloudflare logs every API call with token, IP, timestamp.
FOR: Cloudflare infrastructure operations using a fine-grained API token scoped per-purpose.
Use it. Token scoping is the strongest safety lever — start from the minimum permission-group template and trim. Rotate tokens monthly. Watch Cloudflare's audit log on the same cadence you check IAM logs elsewhere.
Maintained by Cloudflare.
Cloudflare's typical default for OSS.
Active Cloudflare team maintains; PRs go through Cloudflare's internal review.
API token via env. Server doesn't persist or log it.
Some Workers deploy tools may read script files from a configured directory; scope at the host.
Cloudflare API endpoints (api.cloudflare.com) only.
Cloudflare's API tokens are best-in-class fine-grained: per-account, per-zone, per-permission-group. Use them.
Per the API token. Default templates over-grant; trim before issuing.
Tool output (Workers script source, KV values, R2 object metadata) can contain hostile content. Lower exposure than browser/filesystem MCPs because tool surface is more API-shaped.
MCP SDK + Cloudflare's official @cloudflare/* clients.
Cloudflare API rate limits are generous for normal use; only burst-deploy patterns hit ceilings.
npm package published; check npm provenance attestations on the latest version.
Cloudflare's standard responsible disclosure applies.
Cloudflare's server-side audit log captures API calls (governed by Cloudflare's privacy policy).
Cloudflare's infrastructure. Specific resources (R2, Workers KV, D1) have their own residency settings.
5 present · human approval optional
purge_cacheupdate_dns_recorddeploy_workerdelete_workerwrite_kv_value
NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't