CLOUD

cloudflare-mcp

Cloudflare's official MCP server. Lets agents manage Workers, R2 buckets, KV namespaces, DNS, Pages projects, cache purges. API-token authenticated.

Alive · Recommended · Reviewed 2026-05-07
VERDICT

Default for any agent that operates Cloudflare infra. Cloudflare tokens are well-scoped — exploit that.

What it does

Wraps the Cloudflare REST API as MCP tools. Coverage is broad: list_workers, deploy_worker, purge_cache, list_dns_records, update_dns_record, list_kv_namespaces, read_kv_value, write_kv_value, list_r2_buckets, list_pages_projects. Authentication is a Cloudflare API token passed via env.

When you actually need it

Three patterns:

  1. Cache purge after content updates. The classic — your agent updates a blog post, then asks the cloudflare-mcp to purge the relevant URLs. Often part of a chained workflow.
  2. DNS edits during incidents. An agent watches your monitoring (via another tool), and when a record needs to change (failover, IP rotation), it drafts the change, waits for human approval, then applies.
  3. Workers script ops. Agents that deploy edge functions — building, deploying, rolling back. With proper scoping this is safe; with broad scopes it’s terrifying.

Setup

Create a Cloudflare API token at dash.cloudflare.com/profile/api-tokens. Use a template close to what you need:

  • Edit zone DNS — for DNS automations
  • Workers Scripts:Edit — for Workers deploys
  • Cache Purge — for cache busting

Then trim. The templates often grant more than you need (e.g. Edit zone DNS includes settings the agent doesn’t touch). Check the per-permission-group breakdown.

"cloudflare": {
  "command": "npx",
  "args": ["-y", "@cloudflare/mcp-server-cloudflare"],
  "env": {
    "CLOUDFLARE_API_TOKEN":   "…",
    "CLOUDFLARE_ACCOUNT_ID":  "…"
  }
}

The catch

Cloudflare API tokens are arguably the best-in-class auth model for agentic infrastructure access — fine-grained per-resource, per-permission-group. The catch is humans don’t use them well. Two patterns to avoid:

  • The “Edit Zone DNS” trap. That template grants edit on the whole zone; if you only need to edit one record-name pattern, the policy language supports a filter. Use it.
  • The “I’ll just use Global API Key” shortcut. Global API Keys exist for legacy reasons. Don’t. Ever.

For agent workloads: rotate tokens monthly, scope per-purpose (one for cache, one for DNS, one for Workers), and watch the Cloudflare audit log on a schedule. Cloudflare logs every API call with token, IP, timestamp.
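The scoping and rotation rules above can be checked mechanically before a token is handed to an agent. The lint below is an added example, not code from Cloudflare or from cloudflare-mcp; the `PURPOSES` map, `lintToken`, the token field layout and the permission-group names are assumptions, and both sample tokens are constructed.

```javascript
// Hypothetical purpose map: permission-group names each per-purpose token may hold.
const PURPOSES = {
  cache: ["Cache Purge"],
  dns: ["DNS Read", "DNS Write"],
  workers: ["Workers Scripts Read", "Workers Scripts Write"],
};
const MAX_AGE_DAYS = 31; // monthly rotation window

// Returns a list of findings; an empty list means the token passes the lint.
function lintToken(token, purpose, now) {
  const findings = [];
  const allowed = new Set(PURPOSES[purpose] || []);
  for (const policy of token.policies) {
    if (policy.effect !== "allow") continue;
    for (const group of policy.permission_groups) {
      if (!allowed.has(group.name)) findings.push(`permission group "${group.name}" is outside purpose "${purpose}"`);
    }
    for (const resource of Object.keys(policy.resources)) {
      // Assumption: a trailing ".*" means every zone or account, not one named resource.
      if (resource.endsWith(".*")) findings.push(`resource "${resource}" is not pinned to one zone or account`);
    }
  }
  const ageDays = (now - Date.parse(token.issued_on)) / 86400000;
  if (ageDays > MAX_AGE_DAYS) {
    findings.push(`issued ${Math.floor(ageDays)} days ago, past the ${MAX_AGE_DAYS}-day rotation window`);
  }
  if (!token.expires_on) findings.push("no expires_on set, so the token never expires on its own");
  return findings;
}

// Constructed sample shaped like an untrimmed template token (not a dump of a real template).
const TEMPLATE_TOKEN = {
  issued_on: "2026-01-05T00:00:00Z",
  policies: [{ effect: "allow",
    resources: { "com.cloudflare.api.account.zone.*": "*" },
    permission_groups: [{ name: "DNS Write" }, { name: "Zone Settings Write" }] }],
};
// Constructed sample of a trimmed, single-purpose token with an expiry.
const TRIMMED_TOKEN = {
  issued_on: "2026-04-20T00:00:00Z", expires_on: "2026-05-20T00:00:00Z",
  policies: [{ effect: "allow",
    resources: { "com.cloudflare.api.account.zone.EXAMPLE_ZONE_ID": "*" },
    permission_groups: [{ name: "DNS Write" }] }],
};
const NOW = Date.parse("2026-05-07T00:00:00Z"); // fixed clock so the result is repeatable

console.log(lintToken(TEMPLATE_TOKEN, "dns", NOW));
```

Run the same lint with the purpose the token was issued for; a DNS token checked against `"cache"` is reported as out of purpose.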

▸ MCP SECURITY SCORECARD Methodology v1.0 · Confidence HIGH · Reviewed 2026-05-07 · Next review due 2026-08-07
ADOPT

FOR: Cloudflare infrastructure operations using a fine-grained API token scoped per-purpose.

Use it. Token scoping is the strongest safety lever — start from the minimum permission-group template and trim. Rotate tokens monthly. Watch Cloudflare's audit log on the same cadence you check IAM logs elsewhere.

Maintainer corp

Maintained by Cloudflare.

Licence Apache-2.0

Cloudflare's typical default for OSS.

Code review yes

Active Cloudflare team maintains; PRs go through Cloudflare's internal review.

Secrets handling scoped

API token via env. Server doesn't persist or log it.

Sandbox process

Filesystem access scoped

Some Workers deploy tools may read script files from a configured directory; scope at the host.

Shell access no

Network egress allow-list

Cloudflare API endpoints (api.cloudflare.com) only.

OAuth handling scoped

Cloudflare's API tokens are best-in-class fine-grained: per-account, per-zone, per-permission-group. Use them.

Default permissions moderate

Per the API token. Default templates over-grant; trim before issuing.

Prompt-injection exposure medium

Tool output (Workers script source, KV values, R2 object metadata) can contain hostile content. Lower exposure than browser/filesystem MCPs because tool surface is more API-shaped.

Supply chain surface low

MCP SDK + Cloudflare's official @cloudflare/* clients.

Dep CVE surface clean

Rate-limit risk low

Cloudflare API rate limits are generous for normal use; only burst-deploy patterns hit ceilings.

Signed releases partial

npm package published; check npm provenance attestations on the latest version.

Security policy yes

Cloudflare's standard responsible disclosure applies.

Telemetry none

Cloudflare's server-side audit log captures API calls (governed by Cloudflare's privacy policy).

Data residency cloud

Cloudflare's infrastructure. Specific resources (R2, Workers KV, D1) have their own residency settings.

Credential storage memory

DESTRUCTIVE TOOLS

5 present · human approval optional

  • purge_cache
  • update_dns_record
  • deploy_worker
  • delete_worker
  • write_kv_value

NOT A FORMAL SECURITY AUDIT · Adoption posture based on public-source review · See methodology for what's measured and what isn't