TL;DR - Cloudflare MCP Quick Start
Manage your edge infrastructure with AI - DNS, Workers, R2, and more.
🆕 2025: Cloudflare launched remote MCP servers on Workers AI! 4000% YoY growth in AI inference, plus MCP Server Portals for enterprise management. For more on AI agents, see the AI Agents guide.
Quick Setup:
{
"mcpServers": {
"cloudflare": {
"command": "npx",
"args": ["-y", "mcp-server-cloudflare"],
"env": {
"CLOUDFLARE_API_TOKEN": "your-api-token",
"CLOUDFLARE_ACCOUNT_ID": "your-account-id"
}
}
}
}What you can do:
- 🌐 DNS: List, create, and manage DNS records
- ⚡ Workers: Deploy and manage edge functions
- 🪣 R2: Manage object storage
- 🔒 Security: Firewall rules and settings
- 📊 Analytics: Traffic and performance insights
Example conversation:
You: List all DNS records for example.com
Claude: Here are the DNS records for example.com:
| Type | Name | Content | TTL | Proxied |
|-------|-------------|------------------|------|---------|
| A | @ | 192.0.2.1 | Auto | ✅ |
| A | www | 192.0.2.1 | Auto | ✅ |
| MX | @ | mail.example.com | 3600 | ❌ |
| TXT | @ | "v=spf1..." | Auto | ❌ |
| CNAME | api | api-lb.cf.com | Auto | ✅ |🔑 Get your API token at dash.cloudflare.com/profile/api-tokens
🤖 Remote MCP: Cloudflare hosts MCP servers on its global edge - no local hosting required! For an introduction to MCP, see the MCP Introduction guide.
Prerequisites
1. Cloudflare Account
Free or paid Cloudflare account with at least one domain.
2. API Token
Create a scoped API token:
- Go to Cloudflare Dashboard
- Click your profile → API Tokens
- Click Create Token
- Use a template or create custom:
For Read-Only Access:
- Zone: Read
- DNS: Read
- Analytics: Read
For Full Management:
- Zone: Edit
- DNS: Edit
- Worker Scripts: Edit
- R2: Edit
- Set zone restrictions if needed
- Create and copy the token
3. Account ID
Find your Account ID:
- Go to any domain in Cloudflare Dashboard
- The URL contains:
dash.cloudflare.com/ACCOUNT_ID/... - Or find it in the Overview page sidebar
Installation & Configuration
Basic Setup
Add to claude_desktop_config.json:
{
"mcpServers": {
"cloudflare": {
"command": "npx",
"args": ["-y", "mcp-server-cloudflare"],
"env": {
"CLOUDFLARE_API_TOKEN": "your-token-here",
"CLOUDFLARE_ACCOUNT_ID": "your-account-id"
}
}
}
}Zone-Specific Access
For single domain access:
{
"mcpServers": {
"cloudflare-prod": {
"command": "npx",
"args": ["-y", "mcp-server-cloudflare"],
"env": {
"CLOUDFLARE_API_TOKEN": "token-for-prod-only",
"CLOUDFLARE_ZONE_ID": "zone-id-for-example-com"
}
}
}
}Verify Installation
Restart your AI client and test:
You: List my Cloudflare zones
Claude: Here are your Cloudflare zones:
| Domain | Status | Plan |
|----------------|---------|------------|
| example.com | Active | Pro |
| myapp.io | Active | Free |
| staging.dev | Active | Free |Available Tools
DNS Management
| Tool | Description | Example Prompt |
|---|---|---|
list_dns_records | Show all DNS records | ”List DNS for example.com” |
create_dns_record | Add new record | ”Add A record for api” |
update_dns_record | Modify existing | ”Update www to new IP” |
delete_dns_record | Remove record | ”Delete old-subdomain” |
Workers Management
| Tool | Description | Example Prompt |
|---|---|---|
list_workers | Show all Workers | ”What Workers do I have?” |
get_worker | Worker details/code | ”Show my-api-worker code” |
deploy_worker | Deploy new version | ”Deploy this Worker code” |
delete_worker | Remove Worker | ”Delete test-worker” |
R2 Storage
| Tool | Description | Example Prompt |
|---|---|---|
list_r2_buckets | Show R2 buckets | ”List my R2 buckets” |
list_r2_objects | Objects in bucket | ”What’s in assets bucket?” |
get_r2_object | Read object | ”Read config.json” |
put_r2_object | Upload object | ”Upload this file” |
Security & Settings
| Tool | Description | Example Prompt |
|---|---|---|
list_firewall_rules | Show firewall rules | ”What firewall rules exist?” |
get_zone_settings | Zone configuration | ”Show security settings” |
get_analytics | Traffic analytics | ”Show traffic for today” |
Practical Workflows
Workflow 1: DNS Management
Complete DNS overview and management:
You: Show me all DNS records for myapp.io and identify
any potential issues
Claude: Analyzing DNS records for myapp.io...
**Current DNS Records:**
| Type | Name | Content | Proxied |
|-------|---------|----------------------|---------|
| A | @ | 104.21.xx.xx | ✅ |
| A | www | 104.21.xx.xx | ✅ |
| CNAME | api | api.railway.app | ✅ |
| MX | @ | mail.provider.com | ❌ |
| TXT | @ | v=spf1 include:... | ❌ |
| TXT | _dmarc | v=DMARC1; p=reject | ❌ |
**Potential Issues:**
⚠️ **Missing www redirect:**
Both @ and www point to same IP, but no redirect rule.
Consider adding a Page Rule to redirect www → @
⚠️ **No DKIM record found:**
Email authentication incomplete. Add DKIM record
from your email provider.
✅ SPF and DMARC properly configured
✅ All web traffic proxied through CloudflareWorkflow 2: Worker Deployment
Manage Cloudflare Workers:
You: List my Workers and their status
Claude: Here are your Cloudflare Workers:
| Worker Name | Routes | Status |
|--------------|-----------------------------| --------|
| api-handler | api.myapp.io/* | Active |
| redirect-svc | myapp.io/r/* | Active |
| image-resize | cdn.myapp.io/images/* | Active |
| test-worker | (no routes) | Inactive|
**Usage (Today):**
- Total requests: 45,230
- CPU time: 12.3ms avg
- Errors: 23 (0.05%)
**Recommendations:**
- test-worker has no routes - consider deleting
- image-resize has highest CPU - review for optimization
You: Show me the code for api-handler
Claude: Here's the api-handler Worker code:
```javascript
export default {
async fetch(request, env) {
const url = new URL(request.url);
// Route to appropriate backend
if (url.pathname.startsWith('/v1')) {
return fetch('https://api-v1.backend.com' + url.pathname);
}
// ... rest of code
}
}
### Workflow 3: Security Audit
Review Cloudflare security settings:
```text
You: Audit security settings for example.com
Claude: **Security Audit for example.com**
**SSL/TLS:**
- Mode: Full (Strict) ✅
- Minimum TLS: 1.2 ✅
- HSTS: Enabled ✅
**Firewall:**
| Rule Name | Action | Expression |
|----------------|---------|----------------------|
| Block bad bots | Block | cf.client.bot |
| Rate limit API | Limit | path contains "/api" |
| Block countries| Block | ip.country in {...} |
**Security Headers:**
- X-Frame-Options: DENY ✅
- X-Content-Type-Options: nosniff ✅
- CSP: Not configured ⚠️
**Recommendations:**
1. Add Content-Security-Policy header
2. Consider enabling Bot Fight Mode
3. Review rate limiting thresholds
**Security Level:** Good (8/10)Workflow 4: R2 Storage Management
Manage R2 object storage:
You: Show my R2 buckets and usage
Claude: **R2 Storage Overview**
| Bucket | Objects | Size | Class |
|-----------------|---------|---------|----------|
| prod-assets | 12,340 | 45.2 GB | Standard |
| user-uploads | 89,012 | 128 GB | Standard |
| backup-archive | 5,678 | 320 GB | Standard |
**Monthly Costs (Estimated):**
- Storage: $4.93
- Class A ops: $0.45
- Class B ops: $0.12
- Egress: Free (Cloudflare benefit!)
- **Total: ~$5.50/mo**
**Recent Activity:**
- user-uploads: 234 uploads today
- prod-assets: 12,000 reads today
You: List files in prod-assets/images/
Claude: Files in prod-assets/images/:
| File Name | Size | Last Modified |
|------------------|--------|---------------|
| logo.png | 45 KB | Dec 20 |
| hero-banner.webp | 234 KB | Dec 22 |
| product-1.jpg | 156 KB | Dec 23 |
| product-2.jpg | 189 KB | Dec 23 |
...
Showing 10 of 2,340 objects.Workflow 5: Traffic Analytics
Understand your traffic patterns:
You: Show me traffic analytics for the last 7 days
Claude: **Traffic Analytics (Last 7 Days)**
**Overview:**
- Total requests: 2.4M
- Unique visitors: 145,000
- Bandwidth: 89 GB
- Cached: 78%
**Daily Breakdown:**
| Date | Requests | Visitors | Cache Hit |
|---------|----------|----------|-----------|
| Dec 24 | 380K | 22,000 | 79% |
| Dec 23 | 420K | 25,000 | 81% |
| Dec 22 | 356K | 19,000 | 76% |
...
**Top Countries:**
1. United States: 45%
2. United Kingdom: 12%
3. Germany: 8%
4. Canada: 6%
**Threats Blocked:**
- SQL injection attempts: 45
- XSS attempts: 23
- Known bad bots: 1,234Example Prompts
DNS Operations
# Reading
"List all DNS records for example.com"
"Show A records for api subdomain"
"What MX records do I have?"
# Creating
"Add an A record pointing api to 192.168.1.1"
"Create CNAME for blog pointing to ghost.io"
"Add TXT record for domain verification"
# Modifying
"Update www to point to new server"
"Change TTL for all A records to 300"
"Enable proxy for the api subdomain"Workers Operations
# Listing and viewing
"What Workers do I have?"
"Show details of api-handler Worker"
"What routes are configured?"
# Management
"Show Worker logs from last hour"
"What's the CPU usage for my Workers?"
"List Worker KV namespaces"Security Operations
# Viewing
"Show firewall rules for example.com"
"What's my SSL/TLS configuration?"
"List active page rules"
# Analytics
"Show blocked threats this week"
"What countries is traffic coming from?"
"Show bot traffic percentage"Multiple Accounts/Zones
Different Accounts
{
"mcpServers": {
"cf-personal": {
"command": "npx",
"args": ["-y", "mcp-server-cloudflare"],
"env": {
"CLOUDFLARE_API_TOKEN": "personal-token",
"CLOUDFLARE_ACCOUNT_ID": "personal-account"
}
},
"cf-company": {
"command": "npx",
"args": ["-y", "mcp-server-cloudflare"],
"env": {
"CLOUDFLARE_API_TOKEN": "company-token",
"CLOUDFLARE_ACCOUNT_ID": "company-account"
}
}
}
}Environment Separation
{
"mcpServers": {
"cf-production": {
"env": {
"CLOUDFLARE_API_TOKEN": "prod-readonly-token"
}
},
"cf-staging": {
"env": {
"CLOUDFLARE_API_TOKEN": "staging-full-access-token"
}
}
}
}Security Best Practices
Token Permissions
| Use Case | Recommended Permissions |
|---|---|
| Reading only | Zone:Read, DNS:Read, Analytics:Read |
| DNS management | Zone:Read, DNS:Edit |
| Worker deployment | Zone:Read, Workers:Edit |
| Full management | All relevant Edit permissions |
For more on AI security best practices, see the Understanding AI Safety, Ethics, and Limitations guide.
Token Scoping
Scope tokens to specific zones:
- In token creation, under “Zone Resources”
- Select “Specific zone”
- Choose only the domains AI should access
Audit Logging
You: Show recent API activity for my account
Claude: Cloudflare Audit Log (Last 24h):
| Time | Action | User/Token | Zone |
|----------|-------------------|-----------------|------------|
| 14:32 | DNS record create | mcp-token | example.com|
| 14:15 | Worker deploy | mcp-token | - |
| 12:00 | Page rule update | admin@co.com | myapp.io |Combining with Other MCPs
Cloudflare + GitHub
Deploy on code changes:
You: Check if the Worker code in GitHub differs from deployed
Claude: [Uses GitHub to read repo]
[Uses Cloudflare to get deployed code]
Comparison:
- GitHub version: v2.3.1 (updated Dec 23)
- Deployed version: v2.3.0 (deployed Dec 20)
Differences found:
- New rate limiting logic
- Bug fix for timeout handling
Would you like me to deploy the newer version?Cloudflare + Slack
Alert on issues:
You: If error rate exceeds 1%, alert #ops
Claude: [Uses Cloudflare to monitor]
[Uses Slack to alert]
Monitoring active. Will post to #ops if error
rate exceeds 1%.Troubleshooting
Issue: “Authentication error”
Solutions:
| Cause | Solution |
|---|---|
| Invalid token | Regenerate API token |
| Token expired | Check token status in dashboard |
| Wrong account ID | Verify account ID |
| Insufficient permissions | Add required scopes to token |
Issue: “Zone not found”
Solutions:
- Verify zone ID is correct
- Check token has access to that zone
- Ensure domain is active in Cloudflare
Issue: “Rate limited”
Solutions:
- Reduce request frequency
- Batch operations where possible
- Check Cloudflare API limits
Related MCP Servers
| Server | Complements Cloudflare By… |
|---|---|
| AWS MCP | Backend infrastructure |
| GitHub MCP | Code deployment source |
| Slack MCP | Alerting and notifications |
| Memory MCP | Remembering configurations |
Summary
Cloudflare MCP Server enables AI-powered edge management:
- ✅ DNS - Complete record management
- ✅ Workers - Deploy and manage edge functions
- ✅ R2 - Object storage operations
- ✅ Security - Firewall and settings
- ✅ Analytics - Traffic insights
- ✅ Remote MCP (2025) - Cloud-hosted, no local setup
2025 Cloudflare MCP Features:
- Remote MCP servers on global edge
- Workers AI - 4000% YoY inference growth
- MCP Server Portals - enterprise management
- Python support for building MCP servers
- AI Gateway - security and monitoring
Best use cases:
- DNS record management
- Worker deployment automation
- Security auditing
- Traffic analysis
- Multi-zone management
Security checklist:
- ☐ Create scoped API tokens
- ☐ Limit to specific zones
- ☐ Start with read-only access
- ☐ Monitor audit logs
- ☐ Rotate tokens periodically
Next: Learn about Sentry MCP Server → for error monitoring.
Questions about Cloudflare MCP? Check the Cloudflare Developers or the MCP Registry.