Skip to main content

Announcing StackOne Defender: leading open-source prompt injection guard for your agent Read More

Connect

Connectors Agent Auth MCP Connector Builder

Optimize

Tool Discovery Falcon Engine

Secure

Defender
Connectors

HRIS / HCM

Employee Onboarding Employee Offboarding

Recruiting

Application Screening Interview Scheduling

Customer Support

Ticket Triage Voice Call Summarization

Sales & CRM

Deal Risk Scoring Lead Qualification

Accounting & Finance

Invoice Processing Month-End Accruals

Marketing

Campaign Reports Lead Nurture Sequences
View all use cases

Developers

Docs Changelog Status

Learn

Blog Case Studies Events Partners
Pricing
Login Book Demo Start Free

Cloudflare MCP Server
for AI Agents

Production-ready Cloudflare MCP server with 137 extensible actions — plus built-in authentication, security, and optimized execution.

Start Free Book Demo Read Docs →
Cloudflare logo
Cloudflare MCP Server
Built by StackOne StackOne

Coverage

137 Agent Actions

Create, read, update, and delete across Cloudflare — and extend your agent's capabilities with custom actions.

MCP Actions → Create Actions →

Authentication

Agent Tool Authentication

Per-user OAuth in one call. Your Cloudflare MCP server gets session-scoped tokens with zero credentials stored on your infra.

Agent Auth →

Security

Agent Protection

Every Cloudflare tool response scanned for prompt injection in milliseconds — 88.7% accuracy, all running on CPU.

Prompt Injection Defense →

Performance

Max Agent Context. Min Cost.

Free up to 96% of your agent's context window to enhance reasoning and reduce cost, on every Cloudflare call.

Tools Discovery →

What is the Cloudflare MCP Server?

A Cloudflare MCP server lets AI agents read and write Cloudflare data through the Model Context Protocol — Anthropic's open standard for connecting LLMs to external tools. StackOne's Cloudflare MCP server ships with 137 pre-built actions, fully extensible via the Connector Builder — plus managed authentication, prompt injection defense, and optimized agent context. Connect it from MCP clients like Claude Desktop, Cursor, and VS Code, or from agent frameworks like OpenAI Agents SDK, LangChain, and Vercel AI SDK.

All Cloudflare MCP Tools and Actions

Every action from Cloudflare's API, ready for your agent. Create, read, update, and delete — scoped to exactly what you need.

Accounts

  • List Accounts

    List all accounts you have ownership or verified access to.

  • Get Account

    Retrieve details for a specific Cloudflare account by ID.

AI Gateways

  • Create AI Gateway

    Create a new AI Gateway for proxying and monitoring AI API calls.

  • List AI Gateways

    List all AI Gateway configurations in the account.

  • Get AI Gateway

    Retrieve details for a specific AI Gateway including configuration and usage statistics.

  • Update AI Gateway

    Update an AI Gateway's configuration including caching, rate limiting, and logging settings.

  • Delete AI Gateway

    Delete an AI Gateway and all its configuration.

Custom Hostnames

  • Create Custom Hostname

    Create a new custom hostname for a zone with SSL configuration for SaaS customer domains.

  • List Custom Hostnames

    List all custom hostnames for a zone with optional filtering by hostname, SSL status, and order.

  • Get Custom Hostname

    Retrieve details for a specific custom hostname including SSL status and ownership verification.

  • Update Custom Hostname

    Update a custom hostname's SSL settings, origin server, or other configuration.

  • Delete Custom Hostname

    Delete a custom hostname and its associated SSL certificate.

D1 Databases

  • Create D1 Database

    Create a new D1 SQL database.

  • List D1 Databases

    List all D1 SQL databases in the account.

  • Get D1 Database

    Retrieve details for a specific D1 database by UUID.

  • Query D1 Database

    Execute a SQL query against a D1 database with optional parameter binding.

  • Delete D1 Database

    Delete a D1 database by UUID.

DNS Records

  • Create DNS Record

    Create a new DNS record for a zone with type, name, content, TTL, and proxy settings.

  • List DNS Records

    List all DNS records for a zone with optional filtering by type, name, and content.

  • Get DNS Record

    Retrieve details for a specific DNS record by zone ID and record ID.

  • Update DNS Record

    Overwrite an existing DNS record with new values for type, name, content, TTL, and proxy settings.

  • Delete DNS Record

    Delete a DNS record from a zone.

WAF Rulesets

  • List WAF Rulesets

    List all rulesets at the zone level for WAF and other security features.

  • Get WAF Ruleset

    Retrieve a specific ruleset with all its rules.

  • Delete WAF Ruleset

    Delete a zone-level ruleset and all its versions.

IP Access Rules

  • Create IP Access Rule

    Create an IP access rule to block, challenge, or allow traffic based on IP, IP range, country, or ASN.

  • List IP Access Rules

    List IP access rules for the account that control access based on IP address, IP range, country, or ASN.

  • Delete IP Access Rule

    Delete an IP access rule by ID.

Healthchecks

  • Create Healthcheck

    Create a standalone healthcheck to monitor an origin server's availability via HTTP, HTTPS, or TCP.

  • List Healthchecks

    List all standalone healthchecks for a zone to monitor origin server availability.

  • Get Healthcheck

    Retrieve details for a specific healthcheck including its status, configuration, and failure reason.

  • Update Healthcheck

    Update a healthcheck's configuration including address, check interval, expected responses, and suspension status.

  • Delete Healthcheck

    Delete a standalone healthcheck from a zone.

KV Namespaces

  • Create KV Namespace

    Create a new Workers KV namespace in the account.

  • List KV Namespaces

    List all Workers KV namespaces in the account.

  • Get KV Namespace

    Retrieve details for a specific KV namespace by ID.

  • Delete KV Namespace

    Delete a KV namespace and all its keys.

KV Values

  • Get KV Value

    Read the value for a specific key in a KV namespace.

  • Delete KV Value

    Delete a key-value pair from a KV namespace.

Load Balancers

  • List Load Balancers

    List all load balancers for a zone.

  • Get Load Balancer

    Retrieve details for a specific load balancer.

  • Delete Load Balancer

    Delete a load balancer by ID.

Load Balancer Pools

  • List Load Balancer Pools

    List all load balancer pools in the account.

  • Get Load Balancer Pool

    Retrieve details for a specific load balancer pool.

Load Balancer Monitors

  • List Load Balancer Monitors

    List all load balancer monitors in the account.

  • Get Load Balancer Monitor

    Retrieve details for a specific load balancer monitor.

Logpush Jobs

  • Create Logpush Job

    Create a new Logpush job to deliver logs from a dataset to an external destination.

  • List Logpush Jobs

    List all Logpush jobs configured for a zone for log delivery to external destinations.

  • Get Logpush Job

    Retrieve details for a specific Logpush job including dataset, destination, and status.

  • Update Logpush Job

    Update an existing Logpush job's configuration including destination, fields, filters, and enabled status.

  • Delete Logpush Job

    Delete a Logpush job to stop log delivery to the configured destination.

Account Members

  • List Account Members

    List all members of a Cloudflare account with their roles and status.

  • Get Account Member

    Retrieve details for a specific account member.

  • Remove Account Member

    Remove a member from the Cloudflare account.

Pages Projects

  • Create Pages Project

    Create a new Cloudflare Pages project.

  • List Pages Projects

    List all Cloudflare Pages projects in the account.

  • Get Pages Project

    Retrieve details for a specific Pages project by name.

  • Delete Pages Project

    Delete a Pages project by name.

Pages Deployments

  • List Pages Deployments

    List all deployments for a Pages project.

  • Get Pages Deployment

    Retrieve details for a specific Pages deployment.

R2 Buckets

  • Create R2 Bucket

    Create a new R2 storage bucket.

  • List R2 Buckets

    List all R2 storage buckets in the account.

  • Get R2 Bucket

    Retrieve details for a specific R2 bucket by name.

  • Delete R2 Bucket

    Delete an R2 bucket by name.

Rules Lists

  • Create Rules List

    Create a new rules list for use in firewall rules and security features.

  • List Rules Lists

    List all rules lists (IP lists, hostname lists, etc.) in the account.

  • Get Rules List

    Retrieve details for a specific rules list by ID.

  • Delete Rules List

    Delete a rules list by ID.

SSL Certificate Packs

  • Get SSL Certificate Pack

    Retrieve details for a specific SSL/TLS certificate pack including status, hostnames, and expiration.

  • Delete SSL Certificate Pack

    Delete an Advanced Certificate Manager certificate pack.

Universal SSL Settings

  • Get Universal SSL Settings

    Retrieve the Universal SSL settings for a zone including whether it is enabled.

  • Update Universal SSL Settings

    Enable or disable Universal SSL for a zone.

Tunnels

  • Create Tunnel

    Create a new Cloudflare Tunnel for securely connecting origin servers to the Cloudflare network.

  • List Tunnels

    List all Cloudflare Tunnels in the account for securely exposing applications without opening inbound ports.

  • Get Tunnel

    Retrieve details for a specific Cloudflare Tunnel including status, connections, and configuration.

  • Delete Tunnel

    Delete a Cloudflare Tunnel. The tunnel must have no active connections before deletion.

Waiting Rooms

  • Create Waiting Room

    Create a new waiting room for a zone to manage traffic surges and protect origin servers.

  • List Waiting Rooms

    List all waiting rooms configured for a zone for managing traffic surges.

  • Get Waiting Room

    Retrieve details for a specific waiting room including its configuration and queue settings.

  • Update Waiting Room

    Update a waiting room's configuration including capacity limits, queue settings, and session duration.

  • Delete Waiting Room

    Delete a waiting room from a zone.

Workers Scripts

  • List Workers Scripts

    List all Workers scripts deployed to the account.

  • Delete Workers Script

    Delete a Workers script by name.

Workers Routes

  • Create Workers Route

    Create a Workers route to map a URL pattern to a Workers script.

  • List Workers Routes

    List all Workers routes for a zone.

  • Delete Workers Route

    Delete a Workers route by ID.

Workers Builds

  • List Workers Builds

    List all builds for a Workers script to track deployment pipeline history.

  • Get Workers Build

    Retrieve details for a specific Workers build including status and metadata.

Workers Cron Triggers

  • List Workers Cron Triggers

    List all cron triggers (scheduled executions) for a Workers script.

  • Update Workers Cron Triggers

    Replace all cron triggers for a Workers script with a new set of schedules.

Workers Secrets

  • List Workers Secrets

    List all secret bindings for a Workers script (names only, values are not returned).

  • Delete Workers Secret

    Delete a secret binding from a Workers script.

Zones

  • Create Zone

    Add a new zone (domain) to the Cloudflare account.

  • List Zones

    List all zones (domains) in the account with optional filtering by name, status, and pagination.

  • Get Zone

    Retrieve details for a specific zone by ID.

  • Delete Zone

    Remove a zone (domain) from Cloudflare.

Zone Settings

  • List Zone Settings

    List all settings for a zone including SSL mode, security level, caching, and more.

  • Get Zone Setting

    Retrieve the value of a specific zone setting by its ID.

  • Update Zone Setting

    Update the value of a specific zone setting such as SSL mode, security level, or caching.

Other (38)

  • List AI Gateway Logs

    List request/response logs for an AI Gateway with filtering by model, provider, date range, and status.

  • Get DNS Analytics Report

    Retrieve DNS analytics data for a zone including query volume, response codes, and record types over time.

  • Get DNS Analytics By Time

    Retrieve DNS analytics data grouped by time intervals for visualizing query trends over time.

  • List Firewall Rules

    List all firewall rules for a zone.

  • List Account Rulesets

    List all rulesets at the account level.

  • List KV Keys

    List all keys in a KV namespace with optional prefix filtering and pagination.

  • Get Pool Health

    Retrieve the health status of a load balancer pool and its origins.

  • List Account Roles

    List all available roles for the Cloudflare account.

  • List Audit Logs

    List audit log events for the account showing who made changes and when.

  • Get Radar L3 Attack Summary

    Get a summary of Layer 3 DDoS attack activity including top protocols and attack vectors.

  • Get Radar L7 Attack Summary

    Get a summary of Layer 7 application-layer attack activity including HTTP methods and mitigation techniques.

  • Get Radar Traffic Anomalies

    Get internet traffic anomalies detected by Cloudflare Radar for monitoring outages and disruptions.

  • Get URL Scan Result

    Retrieve the results of a URL scan including threat verdicts, page details, and detected technologies.

  • Search URL Scans

    Search previously submitted URL scans with filters for hostname, path, and date range.

  • Get Radar Domain Ranking

    Get Cloudflare Radar domain popularity ranking for a specific domain.

  • Get Radar Top Domains

    Get the top ranked domains globally or by location from Cloudflare Radar.

  • Get Radar BGP Hijacks

    Get BGP hijack events detected by Cloudflare Radar for monitoring routing security.

  • Get Radar BGP Leaks

    Get BGP route leak events detected by Cloudflare Radar for monitoring routing integrity.

  • Get Radar IP Info

    Look up IP address information including ASN, geolocation, and network details from Cloudflare Radar.

  • Get Radar ASN Info

    Look up ASN (Autonomous System Number) information including organization, country, and network size.

  • List Rules List Items

    List all items in a rules list with pagination.

  • List SSL Certificates

    List all SSL/TLS certificate packs for a zone including Universal, Advanced, and custom certificates.

  • Get SSL Verification Status

    Get the SSL verification status and validation records for a zone's certificate pack.

  • List Tunnel Connections

    List active connections (cloudflared connectors) for a specific Cloudflare Tunnel.

  • Get Tunnel Configuration

    Retrieve the configuration for a remotely-managed Cloudflare Tunnel including ingress rules.

  • Get Waiting Room Status

    Get the real-time status of a waiting room including queue length, estimated wait time, and active users.

  • Get Workers Script Settings

    Retrieve settings and metadata for a specific Workers script.

  • Get Workers Build Logs

    Retrieve build logs for a specific Workers build to diagnose build failures or review output.

  • Query Workers Telemetry

    Execute a saved Workers observability query to retrieve logs, errors, and invocation events.

  • Get Workers Telemetry Keys

    Retrieve available telemetry keys (filterable fields) for Workers observability queries.

  • Get Workers Telemetry Values

    Retrieve distinct values for a specific telemetry key to understand available filter options.

  • Verify Token

    Verify that the API token is valid and active.

  • Rename KV Namespace

    Rename an existing KV namespace.

  • Write KV Values (Bulk)

    Write multiple key-value pairs to a KV namespace in a single request with optional expiration settings.

  • Scan URL

    Submit a URL for scanning by Cloudflare Radar to analyze for phishing, malware, and other threats.

  • Order SSL Certificate Pack

    Order an Advanced Certificate Manager certificate pack for specific hostnames.

  • Put Workers Secret

    Create or update a secret binding for a Workers script.

  • Purge Zone Cache

    Purge cached content for a zone. Purge everything or specific files/tags/hosts.

Set Up Your Cloudflare MCP Server in Minutes

One endpoint. Any framework. Your agent is talking to Cloudflare in under 10 lines of code.

MCP Clients

Agent Frameworks

Claude Desktop
{
  "mcpServers": {
    "stackone": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://api.stackone.com/mcp?x-account-id=<account_id>",
        "--header",
        "Authorization: Basic <YOUR_BASE64_TOKEN>"
      ]
    }
  }
}

More Developer Tools MCP Servers

Azure DevOps

172+ actions

Bitbucket

134+ actions

Supabase

128+ actions

GitLab

125+ actions

Terraform

118+ actions

OneLogin

109+ actions

LaunchDarkly

85+ actions

All Developer Tools MCP Servers →

Cloudflare MCP Server Resources

We Rebuilt Our Marketing Site with Astro, Claude Code, and Cloudflare. In a couple of evenings.

We replaced Webflow with Astro 5 + Cloudflare Pages in two weeks using Claude Code as the primary builder. 42 pages, 50 PRs — non-engineers ship independently.

15 min

MCP Code Mode: Keeping Tool Responses Out of Agent Context

Anthropic's code_execution processes data already in context. Custom MCP code mode keeps raw tool responses in a sandbox. 14K tokens vs 500.

11 min

Comparing BM25, TF-IDF, and Hybrid Search for MCP Tool Discovery

Benchmarking BM25, TF-IDF, and hybrid search for MCP tool discovery across 916 tools. The 80/20 TF-IDF/BM25 hybrid hits 21% Top-1 accuracy in under 1ms.

10 min

Indirect Prompt Injection Defense for MCP Tools: A Technical Guide

MCP tools that read emails, CRM records, and tickets are indirect prompt injection vectors. Here's how we built a two-tier defense that scans tool results in ~11ms.

12 min

Cloudflare MCP Server FAQ

Cloudflare MCP server vs direct API integration — what's the difference?
A Cloudflare MCP server and direct API integration serve different use cases. Direct API integration is for software-to-software — backend code calling Cloudflare. A Cloudflare MCP server is for AI agents — MCP clients like Claude and Cursor, plus framework agents built with OpenAI, LangChain, or Vercel AI — discovering and calling Cloudflare at runtime. StackOne provides both.
How does Cloudflare authentication work for AI agents?
Cloudflare authentication for AI agents works through a StackOne Connect Session. Create one via the dashboard or the SDK — you get an auth link and ready-to-paste config for Claude Desktop, Cursor, and other MCP clients. Your user authenticates their own Cloudflare account; StackOne handles token exchange, storage, and refresh. Credentials never reach the LLM, and each user is isolated via origin_owner_id.
Are Cloudflare MCP tools vulnerable to prompt injection?
Yes — Cloudflare MCP tools can be vulnerable to indirect prompt injection. Any tool that reads user-written content — documents, messages, tickets, records, or free-text fields — is a potential vector. StackOne Defender scans every tool response before it enters the agent's context — regex patterns in ~1ms, then a MiniLM classifier in ~4ms. 88.7% accuracy, CPU-only.
What is the context bloat of a Cloudflare agent and how do I avoid it?
Context bloat happens when Cloudflare tool schemas and API responses eat your Cloudflare agent's memory, preventing it from reasoning effectively. A single Cloudflare query can return a massive JSON response, and connecting multiple tools compounds the problem. Tools Discovery and Code Mode reduce context bloat — loading only relevant tools per query and keeping raw responses out of the agent's context.
Can I limit which actions my Cloudflare agent can access?
Yes — you can limit which actions your Cloudflare agent can access directly from the StackOne dashboard. Toggle actions on or off, or restrict them to specific accounts, with no code changes to your agent. Session tokens can be scoped to exact actions so if one leaks, exposure stays contained.
Can I create custom agent actions for my Cloudflare MCP server?
Yes — you can create custom agent actions for your Cloudflare MCP server using Connector Builder. It's an integration agent your coding assistant (Claude Code, Cursor, or Copilot) can invoke to research Cloudflare's API, generate production-ready connector YAML, test against the live API, and validate before you ship.
When should I NOT use a Cloudflare MCP server?
Skip a Cloudflare MCP server if your integration is purely software-to-software — direct Cloudflare API integration is simpler when no AI agent is involved. For deterministic, compliance-critical operations (financial transactions, regulatory reporting), direct API gives you predictable behavior without agent-driven decision-making. MCP shines when AI agents need to dynamically discover and call Cloudflare actions at runtime.
What AI frameworks and AI clients does the StackOne Cloudflare MCP server support?
The StackOne Cloudflare MCP server supports both. MCP clients (paste-and-go apps): Claude Desktop, Claude Code, Cursor, VS Code, Goose. Agent frameworks (code SDKs you build with): OpenAI Agents SDK, Anthropic, Vercel AI, Google ADK, CrewAI, Pydantic AI, LangChain, LangGraph, Azure AI Foundry.

Put your AI agents to work

All the tools you need to build and scale AI agent integrations, with best-in-class connectivity, execution, and security.

Start Free Book Demo