● Official cloudflare 🔑 Needs your key

Cloudflare API

by cloudflare · cloudflare/mcp

Manage Cloudflare DNS, zones, WAF, analytics, and Workers from Claude — with scoped API tokens and a dry-run habit.

Cloudflare's API MCP turns the full Cloudflare REST API into tools: zones, DNS records, page rules, firewall rules, analytics, SSL, Workers, R2, KV, and more. Use a scoped API token (not a Global API Key) and treat writes like infrastructure changes — preview, apply, verify.

Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "cloudflare-api": {
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "cloudflare-api",
      "command": "npx",
      "args": [
        "-y",
        "@cloudflare/mcp"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "cloudflare-api": {
      "command": {
        "path": "npx",
        "args": [
          "-y",
          "@cloudflare/mcp"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add cloudflare-api -- npx -y @cloudflare/mcp

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use Cases

Real-world ways to use Cloudflare API

Audit DNS records across every zone for drift

👤 Platform / SRE teams ⏱ ~25 min intermediate

When to use: You own 40 zones and want to know which have weird TTLs, missing SPF/DMARC, or dangling CNAMEs.

Prerequisites
  • API token with Zone:Zone:Read, Zone:DNS:Read — Cloudflare dashboard → My Profile → API Tokens → Create
Flow
  1. List zones and count records per type
    List all zones in my account. For each, count records by type (A, CNAME, TXT, MX).
    → Inventory matrix
  2. Check email-auth hygiene
    For each zone used for email, check presence of SPF (TXT containing 'v=spf1'), DMARC TXT at _dmarc, and DKIM selector TXT records. Flag missing.
    → Email-auth gap report
  3. Find dangling CNAMEs
    For each CNAME in every zone, resolve the target. Flag NXDOMAIN or SERVFAIL as dangling.
    → List of risky CNAMEs

Outcome: A zone-by-zone DNS hygiene report you can hand to the team that owns each domain.

Pitfalls
  • Dangling CNAMEs are subdomain-takeover risks — Any NXDOMAIN CNAME gets escalated immediately — delete or fix
Combine with: filesystem
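
Steps 2 and 3 of the flow above as an added Python example (not from the original page or the cloudflare/mcp project): it audits one zone's record list for missing SPF/DMARC/DKIM and for CNAMEs whose target does not resolve. The record dicts, the MX-based "used for email" test, the finding labels and the stub resolver are assumptions; the sample data is constructed.

```python
import socket

def system_resolve(target):
    """Coarse status from the system resolver (assumption: EAI_AGAIN ~ SERVFAIL,
    any other lookup failure ~ NXDOMAIN). Use a real DNS client for exact rcodes."""
    try:
        socket.getaddrinfo(target, None)
        return "OK"
    except socket.gaierror as exc:
        return "SERVFAIL" if exc.errno == socket.EAI_AGAIN else "NXDOMAIN"

def audit_zone(zone, records, resolve=system_resolve):
    """Return (finding, subject) tuples for one zone's record list."""
    zone = zone.lower().rstrip(".")
    txt = {}  # owner name -> TXT values, unquoted and lowercased
    for r in records:
        if r["type"] == "TXT":
            name = r["name"].lower().rstrip(".")
            txt.setdefault(name, []).append(r["content"].strip('"').lower())
    findings = []
    # Assumption: a zone is "used for email" when it publishes at least one MX.
    if any(r["type"] == "MX" for r in records):
        if not any(v.startswith("v=spf1") for v in txt.get(zone, [])):
            findings.append(("missing-spf", zone))
        if not any(v.startswith("v=dmarc1") for v in txt.get("_dmarc." + zone, [])):
            findings.append(("missing-dmarc", "_dmarc." + zone))
        if not any(n.endswith("._domainkey." + zone) for n in txt):
            findings.append(("missing-dkim", "*._domainkey." + zone))
    for r in records:
        if r["type"] == "CNAME":
            status = resolve(r["content"].rstrip("."))
            if status in ("NXDOMAIN", "SERVFAIL"):
                findings.append(("dangling-cname", f'{r["name"]} -> {r["content"]} ({status})'))
    return findings

# Constructed sample records (type/name/content fields only).
SAMPLE_RECORDS = [
    {"type": "MX", "name": "example.com", "content": "mail.example.com"},
    {"type": "TXT", "name": "example.com", "content": '"v=spf1 include:_spf.example.net -all"'},
    {"type": "TXT", "name": "s1._domainkey.example.com", "content": "v=DKIM1; k=rsa; p=..."},
    {"type": "CNAME", "name": "www.example.com", "content": "example.com"},
    {"type": "CNAME", "name": "shop.example.com", "content": "old-store.example.net"},
]
# Constructed resolver answers so the example runs offline.
STUB_ANSWERS = {"example.com": "OK", "old-store.example.net": "NXDOMAIN"}

def stub_resolve(target):
    return STUB_ANSWERS.get(target, "SERVFAIL")

if __name__ == "__main__":
    for finding in audit_zone("example.com", SAMPLE_RECORDS, resolve=stub_resolve):
        print(finding)
```

Pass `resolve=system_resolve` (the default) to check live targets; DKIM selectors published as CNAMEs are not counted by this sketch.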

Add or update a DNS record with a preview/apply workflow

👤 Anyone about to make a DNS change they're nervous about ⏱ ~10 min beginner

When to use: Switching mail provider, adding a new CNAME for a service — high-stakes DNS changes.

Prerequisites
  • Token with Zone:DNS:Edit on the target zone — Scope token to only the one zone you're changing
Flow
  1. Show current state
    For zone <zone>, show every record for name '<name>' and type <type>. Proxied status and TTL.
    → Current record state
  2. Propose the change, don't apply
    Propose a patch: <describe change>. Show the exact API call and the before/after. Do NOT execute yet.
    → Preview diff
  3. Apply after confirmation
    I confirm. Apply the change. Then read back the record to confirm. Also flush cache for the impacted name.
    → Record updated + cache purged + verification read

Outcome: A DNS change with a review step and post-change verification — no surprises.

Pitfalls
  • Proxied (orange-cloud) CNAME to a mail server breaks email — Always proxied:false for MX, SPF-related CNAMEs, and non-HTTP records

Deploy an emergency rate-limit during a traffic spike

👤 SRE responding to an L7 DDoS or runaway client ⏱ ~15 min advanced

When to use: Traffic is spiking and the origin is struggling. You need to dampen it in minutes.

Prerequisites
  • Token with Zone:Zone WAF:Edit on the zone — Dedicated incident-response token kept in a password manager
Flow
  1. Identify the pattern
    Pull last hour analytics for zone <zone>. Top 10 paths, top user agents, top countries by request count. Highlight anomalies.
    → Anomaly candidates
  2. Create a rate-limit rule
    Create a WAF rate-limit rule: 60 req/min per IP on path /<hot path>, action: challenge. Log match count after 2 minutes.
    → Rule created + matches streaming
  3. Roll back when safe
    Once origin health is green for 30 min, disable (not delete) the rule. Leave a description tagged 'incident-<id>' for audit.
    → Rule disabled; audit entry kept

Outcome: Attack mitigated with a rule you can re-enable or refine — no permanent config drift.

Pitfalls
  • Blanket block by country nukes legit users — Always start with Challenge or JS-Challenge, not Block; observe then tighten
Combine with: sentry

Purge Cloudflare cache for specific URLs after a deploy

👤 Frontend devs shipping static asset updates ⏱ ~10 min beginner

When to use: Post-deploy: CSS/JS hashes changed, you want users to get the new version immediately.

Flow
  1. List files to purge
    My build changed these URLs: [list]. Confirm each is cached at CF edge (HEAD + cf-cache-status).
    → Current cache hit/miss per URL
  2. Purge by URL
    Purge exactly those URLs on zone <zone>. Do NOT do purge-everything.
    → Purge job accepted
  3. Verify fresh fetch
    After 10 seconds, HEAD each URL again — cf-cache-status should be MISS or REVALIDATED.
    → Fresh cache state

Outcome: Targeted cache bust, no accidental full-zone purge (which kills your origin on reload).

Pitfalls
  • Purge-everything sends a thundering-herd to origin — Never call purge_all unless you've warmed an alternative path; purge-by-url is almost always enough
Combine with: github

Seed Workers KV from a local JSON file

👤 Engineers deploying a Workers-based API ⏱ ~15 min intermediate

When to use: You maintain config/feature-flag data in KV and want to sync from a local source of truth.

Prerequisites
  • Token with Workers KV Storage: Edit — Scope to the specific namespace id
Flow
  1. Read the local source
    Read /config/kv.json. Validate it as {key: value} object.
    → Parsed config
  2. Diff against current KV
    List keys in namespace <id>. Compute adds / updates / deletes vs my local file.
    → Change plan
  3. Apply via bulk write
    Use bulk write for the changes. Deletes only if I confirm — show which keys would be deleted first.
    → Bulk write ok; deletes reviewed

Outcome: KV namespace reconciled to your source file, atomically enough.

Pitfalls
  • KV eventual consistency means readers may still see old values for ~60s — If you need strong consistency, use D1 or Durable Objects instead
Combine with: filesystem

Weekly traffic and threat summary from Cloudflare Analytics

👤 Product / growth + security ⏱ ~20 min intermediate

When to use: Friday digest: what's our traffic pattern, what threats did we block?

Flow
  1. Pull totals
    For zone <zone> last 7 days: total requests, bandwidth, threats blocked, top 10 countries.
    → Headline numbers
  2. Top paths and referrers
    Top 20 paths by requests; top 10 referrers. Highlight changes vs previous week.
    → Growth/regression table
  3. Firewall events summary
    Top firewall rule triggers in the last 7 days. Any rules never triggered — candidates for cleanup.
    → Ruleset health report

Outcome: One-page weekly with traffic, threats, and rule health.

Pitfalls
  • Free plan analytics are sampled — For precise data, use Logpush / GraphQL Analytics API with a Pro+ plan
Combine with: notion

Combinations

Pair with other MCPs for 10x leverage

cloudflare-api + github

On merge to main, purge cache for deployed asset URLs

PR #342 merged; its diff changed /static/app.a1b2.js. Purge that URL on zone <zone>, verify with HEAD.

cloudflare-api + sentry

Correlate a Sentry traffic spike with firewall event data

Sentry shows 5xx spike at 14:02. Pull CF analytics for 14:00-14:05 for the same zone; correlate with firewall events.

cloudflare-api + filesystem

Sync a local zone-config file into Cloudflare (GitOps-lite)

Read /dns/mydomain.yaml; reconcile against current zone state; apply safely with review.

Tools

What this MCP exposes

Tool                                                       Inputs                                    When to call                           Cost
list_zones                                                 -                                         Discover zones in the account          free
list_dns_records                                           zone_id, type?, name?                     Before any DNS edit — inspect current  free
create_dns_record / update_dns_record / delete_dns_record  zone_id, record                           DNS mutations (require Edit token)     free
purge_cache                                                zone_id, files?|tags?|hosts?|everything?  Cache bust after deploy                free
list_firewall_rules / create_firewall_rule                 zone_id, ...                              Incident response / hardening          free
analytics_dashboard                                        zone_id, since, until                     Traffic reports                        free
kv_list / kv_get / kv_put / kv_bulk                        namespace_id, key/value                   Workers KV ops                         metered beyond free tier
deploy_worker                                              script name, script content, bindings?    Ship a Worker                          free up to limits

Cost & Limits

What this costs to run

API quota
1200 requests per 5 minutes per user (Cloudflare global rate limit)
Tokens per call
DNS listing: 200–1000 tokens per page. Analytics: up to 3000.
Monetary
The API is free. You pay for Workers Paid and for KV beyond the free tier; plans start Free / Pro $20/mo / Business $200/mo.
Tip
Prefer listing + filtering server-side (type, name) over client-side to save tokens and pagination.

Security

Permissions, secrets, blast radius

Minimum scopes: Zone:Zone:Read, Zone:DNS:Read (add :Edit only for specific zones that need writes)
Credential storage: CLOUDFLARE_API_TOKEN in env — never the Global API Key
Data egress: All calls to api.cloudflare.com
Never grant: Global API Key (full account control); Account:Access:Edit without account-level review

Troubleshooting

Common errors and fixes

10000 Authentication error

Token invalid or lacks required permission. Recreate with the specific zone + permission.

Verify: curl -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" https://api.cloudflare.com/client/v4/user/tokens/verify

81057 Record already exists

A record with that name+type+content already exists. Update the existing one by id, don't create.

Purge-by-URL returns success but cache still hits

URL must match exactly including query string ordering. Also check cf-cache-status — 'DYNAMIC' means it wasn't cached anyway.

Rate limited (429)

Hit Cloudflare's global API rate limit. Back off, batch, or split workload over multiple tokens for different workflows.

Alternatives

Cloudflare API vs others

Alternative                      When to use it instead                                                   Tradeoff
Cloudflare official MCP (other)  You prefer Cloudflare's documentation/Workers-observability-focused MCP  Narrower API surface
Route 53 MCP                     You're on AWS and want Route53 DNS                                       Different ecosystem; no CDN/WAF baked in
