# Cloudflare > Manage Workers, R2 buckets, DNS, and edge policies on Cloudflare. [Canonical HTML page](https://top-mcps.com/mcp/cloudflare) · [server.json](https://top-mcps.com/mcp/cloudflare.json) · [methodology](https://top-mcps.com/about/methodology) ## Install ### Claude Desktop — `claude_desktop_config.json` Paste under mcpServers. Fully quit and reopen Claude after editing. ```json { "mcpServers": { "cloudflare": { "command": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ], "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } } } ``` ### Claude Code — `CLI or .mcp.json` Run from your repo. Commit .mcp.json to share with your team. ```shell # export CLOUDFLARE_API_TOKEN=your_scoped_token # export CLOUDFLARE_ACCOUNT_ID=your_account_id claude mcp add cloudflare -- npx -y @cloudflare/mcp-server-cloudflare ``` ### Cursor — `.cursor/mcp.json` Global path: ~/.cursor/mcp.json. Reload window after editing. ```json { "mcpServers": { "cloudflare": { "command": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ], "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } } } ``` ### VS Code — `.vscode/mcp.json` VS Code uses the "servers" key (not "mcpServers"). ```jsonc { "servers": { "cloudflare": { "command": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ], "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } } } ``` ### Windsurf — `~/.codeium/windsurf/mcp_config.json` Open via Cascade → hammer icon → Configure. ```json { "mcpServers": { "cloudflare": { "command": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ], "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } } } ``` ### Cline — `cline_mcp_settings.json` Open via the Cline sidebar → MCP Servers → Edit. ```json { "mcpServers": { "cloudflare": { "command": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ], "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } } } ``` ### Continue — `~/.continue/config.json` Continue uses modelContextProtocolServers with a transport block. ```json { "experimental": { "modelContextProtocolServers": [ { "transport": { "type": "stdio", "command": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ], "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } } ] } } ``` ### Codex CLI — `~/.codex/config.toml` Codex uses TOML. Each server is a [mcp_servers.] subtable. ```shell # ~/.codex/config.toml [mcp_servers.cloudflare] command = "npx" args = [ "-y", "@cloudflare/mcp-server-cloudflare", ] env = { CLOUDFLARE_API_TOKEN = "${CLOUDFLARE_API_TOKEN}", CLOUDFLARE_ACCOUNT_ID = "${CLOUDFLARE_ACCOUNT_ID}" } ``` ### Zed — `~/.config/zed/settings.json` Zed calls them "context_servers". Settings live-reload on save. ```jsonc { "context_servers": { "cloudflare": { "command": { "path": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ] }, "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } } } ``` ### ChatGPT — `ChatGPT → Settings → Connectors → Developer mode` Enable Developer mode (paid plans) and enter these values in the UI. ```json { "name": "Cloudflare", "transport": "stdio", "command": "npx", "args": [ "-y", "@cloudflare/mcp-server-cloudflare" ], "env": { "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}", "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}" } } ``` ## At a glance - **Maintainer:** Cloudflare - **Transport:** stdio, Streamable HTTP - **Auth model:** API key - **Required secrets:** CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID - **Supported clients:** Claude, Cursor, Any MCP-compatible client, Cloudflare accounts - **License:** Apache-2.0 - **Language:** TypeScript - **Latest version:** latest - **Last verified:** 2026-04-19 - **GitHub stars:** 3,643 (fetched 2026-04-19T20:32:56.415Z) - **Score:** 86/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology) - **Source:** https://github.com/cloudflare/mcp-server-cloudflare ## Security & scope - **Access scope:** network - **Sandbox:** Authenticates with a Cloudflare API token; capabilities equal the token permissions (Workers, KV, R2, D1, DNS, etc). - **Gotchas:** - A global API key grants every permission on the account — prefer scoped tokens with the minimum permissions needed. - Destructive operations (delete Worker, purge zone) run immediately; there is no confirmation layer. ## Quick answer **What it does.** Surfaces Cloudflare's REST API for Workers, R2, KV, DNS, WAF, and analytics as MCP tools that agents can invoke. **Best for:** - Worker deployment - DNS record management - R2 bucket operations - WAF rule updates - Edge analytics queries **Not for:** - Unattended DNS changes on production domains - Compliance-audited infra flows without approval ## Recipes ### Audit deployed Workers ``` List every Worker deployed on my Cloudflare account with: name, last deployment date, and whether it has a custom route or just a workers.dev URL. Flag any that have not been deployed in over 180 days. ``` _Tested with: Claude Desktop, Cursor_ ## Description The official Cloudflare MCP lets AI agents manage your Cloudflare account: deploy Workers, read R2 and KV storage, adjust DNS records, and tweak WAF rules — a direct control plane for edge infrastructure. ## Why it matters Cloudflare is one of the most widely-used edge platforms. Direct agent control means infra changes no longer require a human in the dashboard for every tweak. ## Key features - Workers deploy + logs - R2 + KV namespace operations - DNS record CRUD - Zone + account analytics - Official Cloudflare maintenance ## FAQ ### Which API token permissions does it need? The minimum depends on what you want the agent to do. For read-only: `Account Analytics:Read`, `Zone:Read`. For Workers deploys add `Workers Scripts:Edit`. Create scoped tokens per use case rather than using the global key. ### Can it deploy Workers from source? Yes. The MCP can publish a Worker from either inline code or a bundle path, set env vars and bindings (KV, R2, D1), and roll back to a previous version if the deploy fails. ### Is this safe to run against production DNS? Only with approval turned on and a scoped token. DNS mistakes propagate quickly and can black-hole traffic. Pair it with Cloudflare's Change History so every agent-initiated change is auditable. ### Does it support the Zero Trust / Access APIs? Yes for the most common endpoints (Access applications, policies, users). Some newer Zero Trust features land on the REST API first and in the MCP shortly after — check the release notes for coverage. ## Changelog - **2026-04-19** — Refreshed install snippets and fact sheet; verified for 2026. - **2025-03-20** — Initial directory listing.