Cloudflare MCP Server

Official Cloudflare MCP server for managing your Cloudflare account via natural language.

Tools

Last Updated

Apr 27, 2026

What is the Cloudflare MCP Server?

The Cloudflare MCP server gives AI agents structured, permission-aware access to Cloudflare through the Model Context Protocol. With 2 pre-built actions, agents can read, create, and update Cloudflare data on behalf of authorized users.

Willow ships the Cloudflare MCP server as part of an enterprise control plane. Every call runs behind SSO (Okta, Azure AD), enforces RBAC and least-privilege at runtime, writes to a full audit trail, and integrates with Splunk and Loki for SIEM visibility. Connect from Claude Desktop, Claude Code, Cursor, ChatGPT, VS Code, n8n, or any custom agent. Install once, distribute org-wide, and see exactly how Cloudflare is being used by every AI agent in your stack.

Tools

search

Search the Cloudflare OpenAPI spec. All $refs are pre-resolved inline. Products: ai, cloudforce-one, access, magic, workers, realtime, devices, dlp, email-security, stream, ai-search, brand-protection, gateway, email, intel, api_gateway, addressing, browser-rendering, dex, builds, rulesets, security-center, ai-gateway, logpush, vectorize, firewall, load_balancers, settings, logs, secondary_dns... (136 total) Types: interface OperationInfo { summary?: string; description?: string; tags?: string[]; parameters?: Array<{ name: string; in: string; required?: boolean; schema?: unknown; description?: string }>; requestBody?: { required?: boolean; content?: Record<string, { schema?: unknown }> }; responses?: Record<string, { description?: string; content?: Record<string, { schema?: unknown }> }>; } interface PathItem { get?: OperationInfo; post?: OperationInfo; put?: OperationInfo; patch?: OperationInfo; delete?: OperationInfo; } declare const spec: { paths: Record<string, PathItem>; }; Examples: // Find endpoints by product async () => { const results = []; for (const [path, methods] of Object.entries(spec.paths)) { for (const [method, op] of Object.entries(methods)) { if (op.tags?.some(t => t.toLowerCase() === 'workers')) { results.push({ method: method.toUpperCase(), path, summary: op.summary }); } } } return results; } // Get endpoint with requestBody schema (refs are resolved) async () => { const op = spec.paths['/accounts/{account_id}/d1/database']?.post; return { summary: op?.summary, requestBody: op?.requestBody }; } // Get endpoint parameters async () => { const op = spec.paths['/accounts/{account_id}/workers/scripts']?.get; return op?.parameters; }

execute

Execute JavaScript code against the Cloudflare API. First use the 'search' tool to find the right endpoints, then write code using the cloudflare.request() function. Available in your code: interface CloudflareRequestOptions { method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE"; path: string; query?: Record<string, string | number | boolean | undefined>; body?: unknown; contentType?: string; // Custom Content-Type header (defaults to application/json if body is present) rawBody?: boolean; // If true, sends body as-is without JSON.stringify } interface CloudflareResponse<T = unknown> { success: boolean; status: number; result: T; errors: Array<{ code: number; message: string }>; messages: Array<{ code: number; message: string }>; result_info?: { page: number; per_page: number; total_pages: number; count: number; total_count: number; }; } declare const cloudflare: { request<T = unknown>(options: CloudflareRequestOptions): Promise<CloudflareResponse<T>>; }; declare const accountId: string; // accountId is pre-set to "5b3ee81d1cf50af4305b32ae08461275" ([email protected]'s Account) — use it directly in API paths. Your code must be an async arrow function that returns the result. Example: Worker with bindings (requires multipart/form-data): async () => { const code = `addEventListener('fetch', e => e.respondWith(MY_KV.get('key').then(v => new Response(v || 'none'))));`; const metadata = { body_part: "script", bindings: [{ type: "kv_namespace", name: "MY_KV", namespace_id: "your-kv-id" }] }; const b = `--F${Date.now()}`; const body = [`--${b}`, 'Content-Disposition: form-data; name="metadata"', 'Content-Type: application/json', '', JSON.stringify(metadata), `--${b}`, 'Content-Disposition: form-data; name="script"', 'Content-Type: application/javascript', '', code, `--${b}--`].join("\r\n"); return cloudflare.request({ method: "PUT", path: `/accounts/${accountId}/workers/scripts/my-worker`, body, contentType: `multipart/form-data; boundary=${b}`, rawBody: true }); }

Customize Tools

Edit descriptions, modify arguments, select tools, or add new ones

Set Up Your Cloudflare MCP Server in Minutes

Add the following configuration to your MCP client. Authentication is handled via OAuth. Compatible with Claude Desktop, Claude Code, Cursor, ChatGPT, VS Code, n8n, and any MCP-compatible agent.

Claude Desktop

claude_desktop_config.json

{
  "mcpServers": {
    "willow-cloudflare2": {
      "type": "http",
      "url": "https://<org>.mcp-s.com/mcp/mcp/cloudflare2"
    }
  }
}

Cursor

.cursor/mcp.json

{
  "mcpServers": {
    "willow-cloudflare2": {
      "type": "http",
      "url": "https://<org>.mcp-s.com/mcp/mcp/cloudflare2"
    }
  }
}

Claude Code

CLI

claude mcp add willow-cloudflare2 --transport http https://<org>.mcp-s.com/mcp/mcp/cloudflare2

n8n

HTTP Request Node

{
  "url": "https://<org>.mcp-s.com/mcp/mcp/cloudflare2",
  "method": "POST"
}

Or click "Install with Willow" above to set up automatically with SSO and RBAC preconfigured.

Enterprise Governance for Cloudflare

Willow adds the layer Cloudflare and every other SaaS doesn't ship out of the box: every call runs behind SSO (Okta, Azure AD), enforces RBAC and least-privilege at runtime, writes to full audit logs, and detects shadow AI usage across your stack. One MCP gateway. Any agent. Every tool.

Cloudflare MCP Server FAQ

What is the Cloudflare MCP server?

The Cloudflare MCP server is a Model Context Protocol implementation that lets AI agents like Claude, Cursor, and ChatGPT read and write Cloudflare data through a standardized interface. Willow hosts and governs this server so enterprises can roll it out without a security review backlog.

How is Willow's Cloudflare MCP server different from the official one?

The official Cloudflare MCP server is scoped to a single user's account and does not include enterprise governance. Willow's version adds SSO, RBAC, audit logging, shadow AI detection, and centralized control over which actions agents can take across the entire org.

Which AI clients work with the Cloudflare MCP server?

Claude Desktop, Claude Code, Cursor, ChatGPT, VS Code with MCP support, n8n, and any custom agent built with OpenAI Agents SDK, LangChain, Vercel AI SDK, or Anthropic SDK.

Is the Cloudflare MCP server secure? How does Willow handle authentication?

Every call runs behind your existing SSO (Okta, Azure AD). Per-user OAuth scopes the agent to exactly what that user can do in Cloudflare, nothing more. No credentials reach the LLM. Every action writes to an audit trail.

Can I limit which Cloudflare actions agents can take?

Yes. Willow lets you scope agents to specific actions, specific projects, or specific environments. Toggle actions on or off in the dashboard, or enforce policy via infrastructure-as-code through GitHub.

How do I detect shadow Cloudflare MCP servers in my org?

Willow's browser extension and discovery service surface unmanaged MCP servers, skills, and AI agents across the org. If a developer installed an unapproved Cloudflare MCP locally, you'll see it.

What does the Cloudflare MCP server cost?

Pricing depends on org size and deployment model (SaaS, dedicated cloud, self-host). See withwillow.ai/pricing or contact sales for a quote.

How do I install the Cloudflare MCP server with Willow?

Install via the Willow Connect Panel in one click, or paste the JSON snippet above into your Claude Desktop, Cursor, or Claude Code config. SSO and RBAC inherit from your existing Willow setup.