● Official cloudflare 🔑 Own key required

Cloudflare API

by cloudflare · cloudflare/mcp

Manage Cloudflare DNS, zones, WAF, analytics, and Workers from Claude — with scoped API tokens and a dry-run habit.

Cloudflare's API MCP turns the full Cloudflare REST API into tools: zones, DNS records, page rules, firewall rules, analytics, SSL, Workers, R2, KV, and more. Use a scoped API token (not a Global API Key) and treat writes like infrastructure changes — preview, apply, verify.

Install

Choose your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. The project config takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Same structure as Claude Desktop. Restart Windsurf to apply.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "cloudflare-api",
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  ]
}

Continue uses an array of server objects instead of a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "cloudflare-api": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "@cloudflare/mcp"
        ]
      }
    }
  }
}

Add it under context_servers. Zed reloads on save.

claude mcp add cloudflare-api -- npx -y @cloudflare/mcp

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use cases

Practical uses: Cloudflare API

Audit DNS records across every zone for drift

👤 Platform / SRE teams ⏱ ~25 min intermediate

When to use: You own 40 zones and want to know which have weird TTLs, missing SPF/DMARC, or dangling CNAMEs.

Prerequisites
  • API token with Zone:Zone:Read, Zone:DNS:Read — Cloudflare dashboard → My Profile → API Tokens → Create
Steps
  1. List zones and count records per type
    List all zones in my account. For each, count records by type (A, CNAME, TXT, MX).
    → Inventory matrix
  2. Check email-auth hygiene
    For each zone used for email, check presence of SPF (TXT containing 'v=spf1'), DMARC TXT at _dmarc, and DKIM selector TXT records. Flag missing.
    → Email-auth gap report
  3. Find dangling CNAMEs
    For each CNAME in every zone, resolve the target. Flag NXDOMAIN or SERVFAIL as dangling.
    → List of risky CNAMEs

Result: A zone-by-zone DNS hygiene report you can hand to the team that owns each domain.

Pitfalls
  • Dangling CNAMEs are subdomain-takeover risks — Any NXDOMAIN CNAME gets escalated immediately: delete or fix
Combine with: filesystem
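
An offline sketch of steps 2 and 3 above, added here as an illustration and not taken from cloudflare/mcp: it checks a zone's record list for missing SPF, DMARC and DKIM and flags CNAMEs whose target fails to resolve. The record dicts, the `example.test` zone, the function names and the `stub_resolve` answers are constructed assumptions; accepting a CNAME under `_domainkey` as DKIM goes slightly beyond the TXT-only check in the prompt.

```python
# Added example: audits records shaped like Cloudflare DNS record objects
# (type/name/content). Zone, records and resolver answers are constructed.

def email_auth_gaps(zone, records):
    """Return which of SPF / DMARC / DKIM are missing for a mail-enabled zone."""
    if not any(r["type"] == "MX" for r in records):
        return []  # zone is not used for email, nothing to flag
    txt = [(r["name"].lower(), r["content"].strip('"').lower())
           for r in records if r["type"] == "TXT"]
    found = {
        "SPF": any(n == zone and c.startswith("v=spf1") for n, c in txt),
        "DMARC": any(n == f"_dmarc.{zone}" and c.startswith("v=dmarc1") for n, c in txt),
        # DKIM selectors live under <selector>._domainkey; accept TXT or a
        # CNAME delegation to the mail provider.
        "DKIM": any(r["type"] in ("TXT", "CNAME")
                    and r["name"].lower().endswith(f"._domainkey.{zone}")
                    for r in records),
    }
    return [name for name, ok in found.items() if not ok]


def dangling_cnames(records, resolve):
    """Flag CNAMEs whose target, per resolve(target) -> rcode string, fails."""
    flagged = []
    for r in records:
        if r["type"] != "CNAME":
            continue
        target = r["content"].rstrip(".").lower()
        rcode = resolve(target)
        if rcode in ("NXDOMAIN", "SERVFAIL"):
            flagged.append((r["name"], target, rcode))
    return flagged


ZONE = "example.test"  # constructed sample zone
RECORDS = [
    {"type": "MX", "name": "example.test", "content": "mail.example.test"},
    {"type": "TXT", "name": "example.test", "content": '"v=spf1 include:_spf.example.net -all"'},
    {"type": "CNAME", "name": "s1._domainkey.example.test", "content": "s1.dkim.example.net"},
    {"type": "CNAME", "name": "shop.example.test", "content": "old-store.example.net"},
    {"type": "CNAME", "name": "www.example.test", "content": "example.test"},
]
RCODES = {"old-store.example.net": "NXDOMAIN"}  # constructed resolver answers


def stub_resolve(target):
    return RCODES.get(target, "NOERROR")
```

In real use, replace `stub_resolve` with a resolver call that reports the response code, so a SERVFAIL is not mistaken for a healthy target.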

Add or update a DNS record with a preview/apply workflow

👤 Anyone about to make a DNS change they're nervous about ⏱ ~10 min beginner

When to use: Switching mail provider, adding a new CNAME for a service — high-stakes DNS changes.

Prerequisites
  • Token with Zone:DNS:Edit on the target zone — Scope token to only the one zone you're changing
Steps
  1. Show current state
    For zone <zone>, show every record for name '<name>' and type <type>. Proxied status and TTL.
    → Current record state
  2. Propose the change, don't apply
    Propose a patch: <describe change>. Show the exact API call and the before/after. Do NOT execute yet.
    → Preview diff
  3. Apply after confirmation
    I confirm. Apply the change. Then read back the record to confirm. Also flush cache for the impacted name.
    → Record updated + cache purged + verification read

Result: A DNS change with a review step and post-change verification — no surprises.

Pitfalls
  • Proxied (orange-cloud) CNAME to a mail server breaks email — Always proxied:false for MX, SPF-related CNAMEs, and non-HTTP records

Deploy an emergency rate-limit during a traffic spike

👤 SRE responding to an L7 DDoS or runaway client ⏱ ~15 min advanced

When to use: Traffic is spiking and the origin is struggling. You need to dampen it in minutes.

Prerequisites
  • Token with Zone:Zone WAF:Edit on the zone — Dedicated incident-response token kept in a password manager
Steps
  1. Identify the pattern
    Pull last hour analytics for zone <zone>. Top 10 paths, top user agents, top countries by request count. Highlight anomalies.
    → Anomaly candidates
  2. Create a rate-limit rule
    Create a WAF rate-limit rule: 60 req/min per IP on path /<hot path>, action: challenge. Log match count after 2 minutes.
    → Rule created + matches streaming
  3. Roll back when safe
    Once origin health is green for 30 min, disable (not delete) the rule. Leave a description tagged 'incident-<id>' for audit.
    → Rule disabled; audit entry kept

Result: Attack mitigated with a rule you can re-enable or refine — no permanent config drift.

Pitfalls
  • Blanket block by country nukes legit users — Always start with Challenge or JS-Challenge, not Block; observe then tighten
Combine with: sentry

Purge Cloudflare cache for specific URLs after a deploy

👤 Frontend devs shipping static asset updates ⏱ ~10 min beginner

When to use: Post-deploy: CSS/JS hashes changed, you want users to get the new version immediately.

Steps
  1. List files to purge
    My build changed these URLs: [list]. Confirm each is cached at CF edge (HEAD + cf-cache-status).
    → Current cache hit/miss per URL
  2. Purge by URL
    Purge exactly those URLs on zone <zone>. Do NOT do purge-everything.
    → Purge job accepted
  3. Verify fresh fetch
    After 10 seconds, HEAD each URL again — cf-cache-status should be MISS or REVALIDATED.
    → Fresh cache state

Result: Targeted cache bust, no accidental full-zone purge (which kills your origin on reload).

Pitfalls
  • Purge-everything sends a thundering-herd to origin — Never call purge_all unless you've warmed an alternative path; purge-by-url is almost always enough
Combine with: github

Seed Workers KV from a local JSON file

👤 Engineers deploying a Workers-based API ⏱ ~15 min intermediate

When to use: You maintain config/feature-flag data in KV and want to sync from a local source of truth.

Prerequisites
  • Token with Workers KV Storage: Edit — Scope to the specific namespace id
Steps
  1. Read the local source
    Read /config/kv.json. Validate it as {key: value} object.
    → Parsed config
  2. Diff against current KV
    List keys in namespace <id>. Compute adds / updates / deletes vs my local file.
    → Change plan
  3. Apply via bulk write
    Use bulk write for the changes. Deletes only if I confirm — show which keys would be deleted first.
    → Bulk write ok; deletes reviewed

Result: KV namespace reconciled to your source file, atomically enough.

Pitfalls
  • KV eventual consistency means readers may still see old values for ~60s — If you need strong consistency, use D1 or Durable Objects instead
Combine with: filesystem
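
The validate, diff and gated-apply steps above as an added example (not code from cloudflare/mcp): it builds the change plan and keeps deletes out of the outgoing batch until they are confirmed. The function names, sample keys, the string-only value rule and the `{key, value}` write shape are assumptions; `REMOTE` stands for key/value pairs already fetched from the namespace.

```python
import json

# Added example: local file content and remote KV state are constructed.
LOCAL_JSON = '{"feature.checkout_v2": "on", "rate.limit": "60", "banner.text": "hello"}'
REMOTE = {"feature.checkout_v2": "off", "rate.limit": "60", "legacy.flag": "on"}


def load_local(text):
    """Parse the source file; accept only a flat {key: string} object."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("top level must be a JSON object")
    bad = sorted(k for k, v in data.items() if not isinstance(v, str))
    if bad:
        # Assumption: values are stored as strings; serialize upstream if not.
        raise ValueError(f"non-string values for keys: {bad}")
    return data


def plan_changes(local, remote):
    """Compute adds / updates / deletes needed to make remote match local."""
    return {
        "adds": {k: v for k, v in local.items() if k not in remote},
        "updates": {k: v for k, v in local.items()
                    if k in remote and remote[k] != v},
        "deletes": sorted(k for k in remote if k not in local),
    }


def build_bulk(plan, confirm_deletes=False):
    """Return (writes, deletes). Deletes stay empty until explicitly confirmed."""
    merged = {**plan["adds"], **plan["updates"]}
    writes = [{"key": k, "value": merged[k]} for k in sorted(merged)]
    deletes = list(plan["deletes"]) if confirm_deletes else []
    return writes, deletes


if __name__ == "__main__":
    plan = plan_changes(load_local(LOCAL_JSON), REMOTE)
    print("would delete (needs confirmation):", plan["deletes"])
    print(build_bulk(plan))
```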

Weekly traffic and threat summary from Cloudflare Analytics

👤 Product / growth + security ⏱ ~20 min intermediate

When to use: Friday digest: what's our traffic pattern, what threats did we block?

Steps
  1. Pull totals
    For zone <zone> last 7 days: total requests, bandwidth, threats blocked, top 10 countries.
    → Headline numbers
  2. Top paths and referrers
    Top 20 paths by requests; top 10 referrers. Highlight changes vs previous week.
    → Growth/regression table
  3. Firewall events summary
    Top firewall rule triggers in the last 7 days. Any rules never triggered — candidates for cleanup.
    → Ruleset health report

Result: One-page weekly with traffic, threats, and rule health.

Pitfalls
  • Free plan analytics are sampled — For precise data, use Logpush / GraphQL Analytics API with a Pro+ plan
Combine with: notion

Combinations

Combine with other MCPs for 10x impact

cloudflare-api + github

On merge to main, purge cache for deployed asset URLs

PR #342 merged; its diff changed /static/app.a1b2.js. Purge that URL on zone <zone>, verify with HEAD.

cloudflare-api + sentry

Correlate a Sentry traffic spike with firewall event data

Sentry shows 5xx spike at 14:02. Pull CF analytics for 14:00-14:05 for the same zone; correlate with firewall events.

cloudflare-api + filesystem

Sync a local zone-config file into Cloudflare (GitOps-lite)

Read /dns/mydomain.yaml; reconcile against current zone state; apply safely with review.

Tools

What this MCP exposes

Tool | Inputs | When to call | Cost
list_zones | - | Discover zones in the account | free
list_dns_records | zone_id, type?, name? | Before any DNS edit — inspect current | free
create_dns_record / update_dns_record / delete_dns_record | zone_id, record | DNS mutations (require Edit token) | free
purge_cache | zone_id, files?|tags?|hosts?|everything? | Cache bust after deploy | free
list_firewall_rules / create_firewall_rule | zone_id, ... | Incident response / hardening | free
analytics_dashboard | zone_id, since, until | Traffic reports | free
kv_list / kv_get / kv_put / kv_bulk | namespace_id, key/value | Workers KV ops | metered beyond free tier
deploy_worker | script name, script content, bindings? | Ship a Worker | free up to limits

Cost & limits

What it costs to run

API quota
1200 requests per 5 minutes per user (Cloudflare global rate limit)
Tokens per call
DNS listing: 200–1000 tokens per page. Analytics: up to 3000.
Monetary cost
The API itself is free. Workers Paid and KV usage beyond the free tier are billed; plans: Free / Pro $20/mo / Business $200/mo.
Tip
Prefer listing + filtering server-side (type, name) over client-side to save tokens and pagination.

Security

Permissions, secrets, blast radius

Minimum scopes: Zone:Zone:Read, Zone:DNS:Read (add :Edit only for specific zones that need writes)
Credential storage: CLOUDFLARE_API_TOKEN in env — never the Global API Key
Data egress: All calls go to api.cloudflare.com
Never grant: Global API Key (full account control); Account:Access:Edit without account-level review

Troubleshooting

Common errors and fixes

10000 Authentication error

Token invalid or lacks required permission. Recreate with the specific zone + permission.

Check: curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/user/tokens/verify

81057 Record already exists

A record with that name+type+content already exists. Update the existing one by id, don't create.

Purge-by-URL returns success but cache still hits

URL must match exactly including query string ordering. Also check cf-cache-status — 'DYNAMIC' means it wasn't cached anyway.

Rate limited (429)

Hit Cloudflare's global API rate limit. Back off, batch, or split workload over multiple tokens for different workflows.

Alternatives

Cloudflare API vs. others

Alternative | When to use instead | Trade-off
Cloudflare official MCP (other) | You prefer Cloudflare's documentation/Workers-observability-focused MCP | Narrower API surface
Route 53 MCP | You're on AWS and want Route53 DNS | Different ecosystem; no CDN/WAF baked in
