Cloudflare MCP Connection

Overview

The Cloudflare Model Context Protocol (MCP) server provides natural language access to Cloudflare services including DNS management, security configuration, analytics, and Workers through WorkBuddy. This local command MCP server runs via npm and enables AI assistants to manage Cloudflare infrastructure.

Key Features: - DNS record management - Security rule and firewall configuration - Analytics and logging access - Workers deployment and management - Page Rules and caching configuration - Load balancing and DDoS protection

Connection Type

Local Command MCP Server – Runs via npx with @cloudflare/mcp@latest package

Prerequisites

1. Cloudflare Account: A Cloudflare account with administrative access
2. API Token: Cloudflare API token with appropriate permissions
3. Account ID: Your Cloudflare account ID
4. Node.js: Node.js 16+ installed (node --version)
5. npm/npx: npm 7+ for package installation
6. WorkBuddy: Desktop version with MCP support enabled

Installation & Configuration

1. Node.js Verification

Verify Node.js and npm are installed:

node --version  # Should be 16+
npm --version   # Should be 7+

2. MCP Server Registration

Update your WorkBuddy MCP configuration (~/.workbuddy/mcp.json):

{
  "mcpServers": {
    "cloudflare": {
      "timeout": 600,
      "command": "npx",
      "args": ["-y", "@cloudflare/mcp@latest"],
      "env": {
        "CLOUDFLARE_API_TOKEN": "your_api_token_here",
        "CLOUDFLARE_ACCOUNT_ID": "your_account_id_here"
      }
    }
  }
}

3. Create Cloudflare API Token

1. Log into Cloudflare Dashboard
2. Go to My Profile → API Tokens
3. Click Create Token
4. Use Edit zone DNS template or create custom token with these permissions:

Minimum Required Permissions: - Zone: DNS:Edit - Zone: Analytics:Read - Account: Workers:Edit (if using Workers) - Account: Access:Edit (if using Zero Trust)

1. Copy the generated token (only shown once)
2. Note your Account ID from dashboard URL or account settings

4. Set Environment Variables

Replace placeholders with actual values:

"env": {
  "CLOUDFLARE_API_TOKEN": "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789",
  "CLOUDFLARE_ACCOUNT_ID": "1234567890abcdef1234567890abcdef"
}

Security Best Practice: Use environment variables outside mcp.json:

# Set in your shell profile or environment
export CLOUDFLARE_API_TOKEN="your_token"
export CLOUDFLARE_ACCOUNT_ID="your_account_id"

Then reference them in mcp.json:

"env": {
  "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}",
  "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}"
}

5. Verify Installation

Test the MCP server package:

npx -y @cloudflare/mcp@latest --help

Usage Examples

DNS Management

User: "Add an A record for app.example.com pointing to 192.0.2.1"
Assistant: (Creates DNS A record with TTL and proxy status)

User: "List all DNS records for example.com"
Assistant: (Returns formatted table of DNS records)

User: "Update the MX records for mail delivery"
Assistant: (Modifies MX records with priority values)

Security Configuration

User: "Create a firewall rule to block traffic from country X"
Assistant: (Creates zone firewall rule with geographic filter)

User: "Enable Under Attack mode for the website"
Assistant: (Activates enhanced DDoS protection)

User: "Review security events from the last 24 hours"
Assistant: (Provides security analytics summary)

Workers Management

User: "Deploy the latest version of the API worker"
Assistant: (Deploys Worker from specified source)

User: "Check Worker invocations and errors"
Assistant: (Returns Workers analytics and logs)

User: "Create a new Worker route for /api/*"
Assistant: (Configures Worker route with pattern)

Analytics & Logs

User: "Show bandwidth usage for this month"
Assistant: (Provides bandwidth analytics with trends)

User: "Find top requested URLs with 404 errors"
Assistant: (Analyzes logs for error patterns)

User: "Compare performance metrics before/after cache change"
Assistant: (Generates performance comparison report)

Supported Services

Service	Supported Operations	Notes
DNS	CRUD operations, bulk updates	All record types supported
Firewall Rules	Create, list, update, delete	WAF and zone firewall
Page Rules	Manage caching and redirect rules	Pattern-based rules
Workers	Deploy, manage, monitor	KV, Durable Objects, R2
Access	Zero Trust policies and groups	Application access rules
Load Balancing	Monitor and configure load balancers	Pool health checks
Analytics	Zone and account analytics	Real-time and historical
Stream	Video management and delivery	Upload, encode, deliver
R2 Storage	Object storage operations	S3-compatible API

Troubleshooting

Common Issues

1. Authentication Failed

   Error: Authentication error: Invalid API token
   

2. Verify token is correct and hasn't expired
3. Check token permissions match required scopes

4. Ensure account ID is correct

5. Package Installation Error

   Error: Cannot find package @cloudflare/mcp@latest
   

6. Check npm registry access (may need proxy configuration)
7. Verify network connectivity to npm registry

8. Try clearing npm cache: npm cache clean --force

9. Permission Denied

   Error: You do not have permission to perform this action
   

10. Review API token permissions
11. Check zone/account access levels

12. Verify the token has necessary scopes for the operation

13. Rate Limiting

    Error: Too many requests
    

14. Cloudflare API has rate limits (1200 requests/5 minutes per token)
15. Implement exponential backoff for retries
16. Cache responses where appropriate

Debug Mode

Enable verbose logging:

"env": {
  "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}",
  "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}",
  "CLOUDFLARE_LOG_LEVEL": "DEBUG"
}

Security Considerations

API Token Security

• Use fine-grained API tokens with minimal required permissions
• Implement token rotation schedule (every 90 days recommended)
• Store tokens in secure secret management systems
• Never commit tokens to version control

Access Control

• Create separate tokens for different environments (prod, staging, dev)
• Use different tokens for different privilege levels
• Regularly audit token usage and permissions

Network Security

• Restrict API token usage by IP range if possible
• Monitor API access logs for unusual patterns
• Implement alerting for suspicious activities

Performance Optimization

Caching Strategy

• Cache DNS records and zone configurations
• Implement request coalescing for frequent operations
• Use Cloudflare's caching where appropriate (API responses)

Batch Operations

• Use bulk endpoints for multiple DNS record updates
• Group related configuration changes
• Schedule non-urgent updates during maintenance windows

Monitoring

• Monitor API rate limit usage
• Track response times and error rates
• Set up alerts for critical failures

Integration Patterns

CI/CD Pipeline

• Automate DNS updates for deployments
• Manage Worker deployments from version control
• Update security rules based on deployment phase

Monitoring & Alerting

• Create synthetic monitoring with Workers
• Set up alerting for DNS or SSL certificate changes
• Generate security posture reports

Infrastructure as Code

• Sync DNS records with infrastructure definitions
• Manage security policies declaratively
• Version control Cloudflare configurations

Related Resources

• Cloudflare API Documentation
• Cloudflare Workers Documentation
• Cloudflare Token Permissions Guide
• Canonical MCP Structures – Standardized setup patterns
• WorkBuddy Cloudflare Skill – Additional Cloudflare capabilities

Support

Cloudflare Support

• Cloudflare API Status
• Cloudflare Community
• Cloudflare Documentation

WorkBuddy Support

• WorkBuddy logs for MCP connection issues
• Organization platform team for internal support
• WorkBuddy Documentation

---

Last Updated: 2026‑05‑19
Maintainer: Platform Team
Connection Type: Local Command MCP Server (npx)
Authentication: Cloudflare API Token
Package: @cloudflare/mcp@latest
Status: 🔧 Configuration Required