Agentbrisk
developer-tools TypeScript Official

Cloudflare MCP Server

Manage Workers, Pages, R2, KV, D1, DNS, and Zero Trust from any MCP-compatible AI agent


The Cloudflare MCP server is Cloudflare's official integration for the Model Context Protocol, giving AI agents tools to deploy and manage Workers, query D1 databases, read and write KV and R2 storage, configure DNS records, and manage Zero Trust access policies. It authenticates through the Cloudflare API and covers most of what you would otherwise handle through the Cloudflare dashboard or Wrangler CLI.

Cloudflare runs a lot of modern infrastructure: Workers for serverless compute, D1 for edge SQL databases, KV for distributed key-value storage, R2 for object storage, and an entire DNS and access management layer on top. Until recently, managing all of that meant either the dashboard, the Wrangler CLI, or the raw REST API. The Cloudflare MCP server adds a fourth option: an AI agent that can do the work through conversation.

This is one of the more capable official MCP integrations, and also one of the more dangerous ones to configure carelessly. The tool surface covers real write operations across your entire Cloudflare account. That deserves attention before you set it up.

What the server exposes

The tool surface maps closely to what the Wrangler CLI covers, organized around Cloudflare's product lines:

Workers and Pages. The agent can list deployed Workers, view script bindings, deploy new scripts or updates, and check deployment status. For Pages projects, it can list deployments, trigger new builds, and read project settings. This makes it possible to go from "write me a Worker that does X" to a deployed script without leaving the conversation.

D1 databases. D1 is Cloudflare's SQLite-compatible database that runs on the edge. The server can list your D1 databases, run SQL queries, inspect schemas, and manage database instances. Because D1 uses SQLite syntax, anyone familiar with the SQLite MCP server will find the query surface familiar.

KV namespaces. Cloudflare KV is a globally distributed key-value store often used for configuration, session data, or caching. The server can list namespaces, read and write key-value pairs, list keys with prefix filtering, and delete entries. Agents can use this to read application state or write configuration without going through the REST API.

R2 storage. R2 is Cloudflare's S3-compatible object storage. The server exposes bucket listing, object reading, writing, and deletion. An agent that generates an artifact (a report, an image, a build output) can upload it to R2 and return the URL in the same turn.

DNS management. The agent can list DNS records across your zones, create new records, update existing ones, and delete records. This is one of the more sensitive areas of the tool surface: a misconfigured DNS record can take down a live service. Handle this one carefully.

Zero Trust. Access policies, tunnels, and application configurations are exposed for listing and management. For teams using Cloudflare Zero Trust for internal tooling or secure access, the agent can help diagnose configuration issues or set up new access rules.

Setup

The server runs as a Node.js process via npx. You need a Cloudflare API token to authenticate.

Create a scoped API token:

Go to dash.cloudflare.com/profile/api-tokens and click "Create Token". Use the "Custom token" template and select only the permissions your intended workflow requires. For a Workers-focused workflow, you want:

  • Zone: DNS - Edit (only if you need DNS management)
  • Account: Workers Scripts - Edit
  • Account: Cloudflare Pages - Edit
  • Account: D1 - Edit

Start with the narrowest set of permissions that covers your use case. You can always add more later.

Add to Claude Desktop at ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "cloudflare": {
      "command": "npx",
      "args": ["-y", "@cloudflare/mcp-server-cloudflare"],
      "env": {
        "CLOUDFLARE_API_TOKEN": "your-api-token-here",
        "CLOUDFLARE_ACCOUNT_ID": "your-account-id-here"
      }
    }
  }
}

Your account ID is visible in the Cloudflare dashboard sidebar when you select any zone. Setting it explicitly prevents the agent from operating across multiple accounts if your token has access to more than one.

For Claude Code, add the same block to ~/.claude/mcp.json.

Do not put your API token directly in the config file if that file is in a git repository. Use an environment variable reference or keep the config file outside version control.

Real use cases

Workers development loop. The typical workflow without MCP is: write code, run wrangler dev, test locally, run wrangler deploy, check the logs, iterate. With the Cloudflare MCP server, you can ask the agent to draft a Worker, review it, deploy it, and check for errors in the deployment logs, all in conversation. The iteration cycle is shorter, especially for smaller functions.

D1 schema work. If you are building on D1, the agent can inspect your existing tables, help you write migrations, run them against your development database, and verify the schema looks correct before you apply the same migration to production. Pairing this with GitHub MCP lets the agent commit the migration files to your repo alongside running them.

KV configuration management. Many Workers-based applications use KV for feature flags, rate limiting counters, or application config. The agent can read the current state of a namespace, update a value, and verify the write without you needing to remember the Wrangler CLI syntax for KV operations.

DNS troubleshooting. "What DNS records exist for this domain?" and "Is the CNAME pointing where it should?" are questions an agent can answer immediately with read access to your zones. If you need to add or update a record, the agent can do that too, with the confirmation step you'd expect.

Zero Trust policy review. When a user cannot access an internal application protected by Cloudflare Access, the agent can list the relevant access policies, check what rules apply, and identify obvious misconfigurations (wrong email domain, missing group, expired policy). Much faster than clicking through the Zero Trust dashboard.

R2 asset management. For applications that store generated content in R2 (thumbnails, exports, user uploads), the agent can audit a bucket, find objects by prefix, and clean up outdated assets. Combine this with a D1 query to cross-reference which objects still have active database records.

Security considerations

The Cloudflare MCP server is one of the more powerful official integrations in terms of what the agent can actually affect. A few practices that matter here:

Scope your API token aggressively. The single most important configuration decision is the token's permission set. If you give the server an "Edit All Resources" token and the agent misunderstands a prompt, it can modify DNS records, delete Workers, or wipe KV namespaces. Create tokens with only the products and zones you need for the current workflow.

Use separate tokens for different contexts. Keep a narrow token for Workers development, a different one for DNS work, and avoid using the same token for both agent use and CI/CD pipelines. Token compromise is easier to contain when each token has a specific, limited purpose.

Never use your Global API Key. The Global API Key is a legacy credential that grants full account access. API tokens are scoped and can be revoked individually. There is no reason to use the Global API Key with an MCP server.

Set CLOUDFLARE_ACCOUNT_ID. If your token can access multiple accounts, set the account ID environment variable to constrain the server to the specific account you are working in. Without it, some operations default to the first account in the token's accessible list, which may not be the one you intend.

Keep production DNS separate. If you have zones with live traffic, create tokens that explicitly exclude those zones for day-to-day agent work. DNS changes are fast and can be hard to roll back if the agent creates or overwrites a record incorrectly.
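The scoping rules above can be checked mechanically before a token is handed to the agent. The following is an added example, not code from Cloudflare or from this page: it audits a token's policy list for all-zone write access, write access to production zones, permissions outside the intended workflow, and multi-account reach without CLOUDFLARE_ACCOUNT_ID. The token object shape, the permission-group names, the function name, the finding codes and every ID are assumptions constructed for illustration.

```javascript
// Added example: audit a Cloudflare API token's policies before giving it to an agent.
// Assumed shape: { policies: [{ effect, resources: {key: "*"}, permission_groups: [{name}] }] }
const ACCOUNT = "com.cloudflare.api.account.";
const ZONE = "com.cloudflare.api.account.zone.";

function auditToken(token, opts) {
  const { allowedGroups, productionZones = [], accountIdSet = false } = opts;
  const findings = [];
  const accounts = new Set();
  const add = (code, detail) => findings.push({ code, detail });
  for (const policy of token.policies || []) {
    if (policy.effect !== "allow") continue;
    const groups = (policy.permission_groups || []).map((g) => g.name);
    // Assumption: write-capable groups are named "... Write" (or "... Edit").
    const writes = groups.some((n) => /\b(Write|Edit)$/.test(n));
    for (const key of Object.keys(policy.resources || {})) {
      if (key.startsWith(ZONE)) {            // test ZONE first: it extends ACCOUNT
        const zone = key.slice(ZONE.length);
        if (writes && zone === "*") add("all-zones", "write access to every zone");
        else if (writes && productionZones.includes(zone)) add("production-zone", zone);
      } else if (key.startsWith(ACCOUNT)) {
        accounts.add(key.slice(ACCOUNT.length));
      }
    }
    for (const name of groups) {
      if (!allowedGroups.includes(name)) add("extra-permission", name);
    }
  }
  // A token that reaches several accounts needs CLOUDFLARE_ACCOUNT_ID to pin the server.
  if (!accountIdSet && (accounts.size > 1 || accounts.has("*"))) {
    add("multi-account", "set CLOUDFLARE_ACCOUNT_ID");
  }
  return findings;
}

// Constructed samples; IDs are placeholders, not real Cloudflare identifiers.
const broadToken = { policies: [{
  effect: "allow",
  resources: { [ACCOUNT + "*"]: "*", [ZONE + "*"]: "*" },
  permission_groups: [{ name: "Workers Scripts Write" }, { name: "DNS Write" }],
}] };
const narrowToken = { policies: [{
  effect: "allow",
  resources: { [ACCOUNT + "ACCOUNT_ID_PLACEHOLDER"]: "*" },
  permission_groups: [{ name: "Workers Scripts Write" }],
}] };
const wanted = { allowedGroups: ["Workers Scripts Write"] };
console.log(auditToken(broadToken, wanted).map((f) => f.code));
console.log(auditToken(narrowToken, wanted));
```

An empty result means the token matches the intended workflow; any finding is a reason to recreate the token with a narrower permission set before adding it to the MCP config.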

Comparing to the Wrangler CLI

The Cloudflare MCP server is not a replacement for Wrangler. Wrangler has better support for local development (wrangler dev), binding configuration in wrangler.toml, and more granular control over deployment options. For tasks where you know exactly what you want and the command syntax is not the bottleneck, the CLI is faster.

Where the MCP server wins is in exploratory and conversational workflows: "what's deployed in my account right now", "which KV namespaces have more than 10k keys", "help me write and deploy a Worker that does X". The agent can combine multiple tool calls to answer compound questions that would take several CLI commands to piece together.

The two tools work well together. Use Wrangler for development and CI. Use the MCP server for investigation, iteration, and tasks where the goal is clearer than the path to get there.

Pairing with other servers

Cloudflare MCP pairs naturally with a few other servers in the ecosystem:

Combined with GitHub MCP, the agent can read source code from a repository, deploy it as a Worker, and commit any configuration changes back. This covers a tight loop for Worker development.

Combined with Filesystem MCP, the agent can read Worker scripts from your local file system, deploy them to Cloudflare, and write deployment outputs back to disk.

For any workflow involving Supabase MCP, you can combine the two to manage the database layer (Supabase) alongside the edge compute layer (Cloudflare Workers) in a single agent session. This is particularly useful for apps that use Supabase as the data store and Workers as the API layer.

Bottom line

The Cloudflare MCP server is a genuinely useful integration for anyone building on the Cloudflare platform. The tool surface is wide, the official status means it tracks the Cloudflare API accurately, and the setup is straightforward.

The risk profile is higher than most MCP servers because the write operations are consequential. A misconfigured DNS record or an accidentally deleted Worker affects live services. Invest the extra few minutes in creating a scoped API token and setting the account ID. With those guardrails in place, the server is a legitimate productivity gain for Cloudflare-heavy workflows.

For teams using Claude Code or similar coding agents, adding the Cloudflare server to the config means Workers development can stay in one place from idea to deployed code.

Features

  • Deploy and update Cloudflare Workers scripts
  • Query and manage D1 SQL databases
  • Read and write KV namespace entries
  • Manage R2 buckets and objects
  • Configure DNS records across zones
  • List and configure Cloudflare Pages projects
  • Manage Zero Trust access policies and tunnels
  • Retrieve account, zone, and project metadata
  • Authenticates via Cloudflare API token with configurable scopes

How to set up the Cloudflare MCP server

  1. Create a Cloudflare API token at dash.cloudflare.com/profile/api-tokens with required scopes
  2. Set CLOUDFLARE_API_TOKEN in your environment or MCP config env block
  3. Add the server block to your Claude Desktop or Claude Code MCP config
  4. Optionally set CLOUDFLARE_ACCOUNT_ID to scope operations to a specific account
  5. Restart your MCP client and verify Cloudflare tools appear in the tool list

Frequently Asked Questions

What is the Cloudflare MCP server?

It is Cloudflare's official Model Context Protocol server that lets AI agents manage Cloudflare resources through natural language. It covers Workers deployment, D1 database queries, KV and R2 storage operations, DNS management, Pages project configuration, and Zero Trust policies, using the Cloudflare API under the hood.

How does the Cloudflare MCP server authenticate?

It uses a Cloudflare API token, set via the CLOUDFLARE_API_TOKEN environment variable. Tokens are created at dash.cloudflare.com/profile/api-tokens. You control the scopes assigned to the token, so you can restrict the agent to only the Cloudflare products it needs. Scoping tokens is important because the server can perform writes across your entire Cloudflare account if you use an unrestricted token.

Can the Cloudflare MCP server deploy Workers?

Yes. The server exposes tools for deploying Workers scripts, updating bindings, and checking deployment status. You can have an agent write the Worker code, then deploy it in the same session without switching to the Wrangler CLI. For iterative development this is particularly fast.

Does the Cloudflare MCP server support D1?

Yes. D1 is Cloudflare's serverless SQLite-compatible database. The server can run SQL queries against D1 databases, list tables, and manage database instances. You get a similar experience to the SQLite MCP server but running on Cloudflare's edge infrastructure.

Is the Cloudflare MCP server safe to use with a production account?

Only if you create a narrowly scoped API token. An unrestricted token gives the agent write access to everything in your Cloudflare account, including production DNS records and deployed Workers. Create a token that covers only the specific products and zones the agent needs, and use the CLOUDFLARE_ACCOUNT_ID variable to limit scope further.

Can I use the Cloudflare MCP server with Claude Code?

Yes. Claude Code supports MCP natively. Add the Cloudflare server block to your Claude Code MCP config at ~/.claude/mcp.json with your API token in the env block, restart, and the tools are immediately available.