# Cloudflare MCP Server

> A token-efficient MCP server for the entire Cloudflare API. 2500 endpoints in 1k tokens, powered by [Code Mode](https://blog.cloudflare.com/code-mode-mcp/).

## Token Comparison

| Approach                                    | Tools | Token cost | Context used (200K) |
| ------------------------------------------- | ----- | ---------- | ------------------- |
| Raw OpenAPI spec in prompt                  | —     | ~2,000,000 | 977%                |
| Native MCP (full schemas)                   | 2,594 | 1,170,523  | 585%                |
| Native MCP (minimal — required params only) | 2,594 | 244,047    | 122%                |
| Code mode                                   | 3     | ~1,100     | 0.5%                |

## Get Started

MCP URL: `https://mcp.cloudflare.com/mcp`

### Option 1: OAuth (Recommended)

Just connect to the MCP server URL - you'll be redirected to Cloudflare to authorize and select permissions.

#### Example JSON Configuration

```json
{
  "mcpServers": {
    "cloudflare-api": {
      "type": "http",
      "url": "https://mcp.cloudflare.com/mcp"
    }
  }
}
```

### Option 2: API Token

For CI/CD, automation, or if you prefer managing tokens yourself.

Create a [Cloudflare API token](https://dash.cloudflare.com/profile/api-tokens) with the permissions you need. Both **user tokens** and **account tokens** are supported. For account tokens, include the **Account Resources : Read** permission so the server can auto-detect your account ID.

> **Note:** API tokens with **Client IP Address Filtering** enabled are not currently supported.

### Add to Agent

| Setting      | Value                                                                       |
| ------------ | --------------------------------------------------------------------------- |
| MCP URL      | `https://mcp.cloudflare.com/mcp`                                            |
| Bearer Token | Your [Cloudflare API Token](https://dash.cloudflare.com/profile/api-tokens) |

### Disable Code Mode

If your MCP client already uses code mode, or you're composing this server with another server that uses code mode, you can disable it with the `?codemode=false` query parameter. This registers an individual tool for each of the ~2,500 Cloudflare API endpoints instead of the code mode API tools. The `docs` tool remains available in both modes.

```
https://mcp.cloudflare.com/mcp?codemode=false
```

#### Example JSON Configuration

```json
{
  "mcpServers": {
    "cloudflare-api": {
      "type": "http",
      "url": "https://mcp.cloudflare.com/mcp?codemode=false"
    }
  }
}
```

When code mode is disabled:
- Each API endpoint is registered as its own tool (e.g., `get_workers_scripts`, `post_d1_database`)
- Tool input schemas are derived from the endpoint's path parameters, query parameters, and request body
- Tools make direct API calls — no code execution involved
- Path parameters like `account_id` are auto-resolved when possible (single account)

> **Note:** Disabling code mode significantly increases the token cost (~244k tokens vs ~1k tokens). Only disable it when necessary for composition with other code mode systems.

## The Problem

The Cloudflare OpenAPI spec is **2 million tokens**. Even with native MCP tools using minimal schemas, it's still **~244k tokens**. Traditional MCP servers that expose every endpoint as a tool leak this entire context to the main agent.

This server solves the problem by using **code execution** in a [Code Mode](https://blog.cloudflare.com/code-mode-mcp/) pattern - the spec lives on the server, and only the result of the code execution is returned to the agent.

## Tools

Agent writes code to search the spec and execute API calls. It can also search Cloudflare's developer documentation directly.

| Tool      | Description                                                                   |
| --------- | ----------------------------------------------------------------------------- |
| `docs`    | Search Cloudflare developer documentation                                     |
| `search`  | Write JavaScript to query `spec.paths` and find endpoints                     |
| `execute` | Write JavaScript to call `cloudflare.request()` with the discovered endpoints |

```
Agent                         MCP Server
  │                               │
  ├──search({code: "..."})───────►│ Execute code against spec.json
  │◄──[matching endpoints]────────│
  │                               │
  ├──execute({code: "..."})──────►│ Execute code against Cloudflare API
  │◄──[API response]──────────────│
```

## Supported Products

Workers, KV, R2, D1, Pages, DNS, Firewall, Load Balancers, Stream, Images, AI Gateway, Vectorize, Access, Gateway, and more. See the full [Cloudflare API schemas](https://github.com/cloudflare/api-schemas).

## Usage

Once configured, just ask your agent to do things with Cloudflare:

- "List all my Workers"
- "Create a KV namespace called 'my-cache'"
- "Add an A record for api.example.com pointing to 192.0.2.1"

The agent will search for the right endpoints and execute the API calls. Here's what happens behind the scenes:

```javascript
// 1. Search for endpoints
search({
  code: `async () => {
    const results = [];
    for (const [path, methods] of Object.entries(spec.paths)) {
      for (const [method, op] of Object.entries(methods)) {
        if (op.tags?.some(t => t.toLowerCase() === 'workers')) {
          results.push({ method: method.toUpperCase(), path, summary: op.summary });
        }
      }
    }
    return results;
  }`,
});

// 2. Execute API call (user token - account_id required)
execute({
  code: `async () => {
    const response = await cloudflare.request({
      method: "GET",
      path: \`/accounts/\${accountId}/workers/scripts\`
    });
    return response.result;
  }`,
  account_id: "your-account-id",
});

// 2. Execute API call (account token - account_id auto-detected)
execute({
  code: `async () => {
    const response = await cloudflare.request({
      method: "GET",
      path: \`/accounts/\${accountId}/workers/scripts\`
    });
    return response.result;
  }`,
});
```

### GraphQL Analytics API

The server automatically detects and handles Cloudflare's GraphQL Analytics API endpoints. GraphQL queries work seamlessly through the same `execute` tool:

```javascript
execute({
  code: `async () => {
    const response = await cloudflare.request({
      method: "POST",
      path: "/client/v4/graphql",
      body: {
        query: \`query {
          viewer {
            zones(filter: { zoneTag: "your-zone-id" }) {
              httpRequests1dGroups(limit: 7, orderBy: [date_ASC]) {
                dimensions {
                  date
                }
                sum {
                  requests
                  bytes
                  cachedBytes
                }
              }
            }
          }
        }\`,
        variables: {}
      }
    });
    return response.result;
  }`,
  account_id: "your-account-id",
});
```

## Build a Code Mode MCP Server

Code execution uses Cloudflare's [Dynamic Worker Loader API](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/) to run generated code in isolated Workers, following the [Code Mode pattern](https://github.com/cloudflare/agents/tree/main/packages/codemode).

Read the [Code Mode SDK docs](https://developers.cloudflare.com/agents/api-reference/codemode/) for more info.

### Resources

- [Code Mode blog post](https://blog.cloudflare.com/code-mode/)
- [Build your own remote MCP server](https://developers.cloudflare.com/agents/guides/remote-mcp-server/)
- [Cloudflare's own MCP Servers](https://github.com/cloudflare/mcp-server-cloudflare)