@enrichedlab/mcp-cloudflare

MCP server for managing Cloudflare infrastructure. Works with any MCP-compatible client (Claude Code, Cursor, Cline, etc.).

Disclaimer: This software is provided for testing, research, and development purposes only. It is not intended for production or enterprise use. Use at your own risk. The authors assume no liability for data loss, security incidents, or any damages resulting from use of this software. Review the source code before running.

126 tools across 14 modular categories. Enable only the categories you need -- fewer categories means less context for the LLM and a smaller API token scope.

Setup

# Install and run the setup wizard
npx @enrichedlab/mcp-cloudflare --setup

The wizard walks through:

1. Creating the config directory (~/.enrichedlab/)
2. Entering your Cloudflare API token
3. Validating the token and selecting a default account
4. Optionally selecting a default zone
5. Choosing tool categories (presets or custom)
6. Optional OS keychain storage for the API token
7. Writing config with 0600 permissions

Modular Categories

You don't have to load all 126 tools. The setup wizard offers presets:

| Preset | Categories | Tools | |--------|-----------|-------| | AI Inference | ai-gateway, tunnels, dns, access | ~43 | | Web Hosting | pages, workers, dns, zones, ssl | ~43 | | Security | access, waf, ssl, tunnels, analytics | ~43 | | All | everything | 126 |

Or pick individual categories. The config stores your selection in enabledCategories and only those tools are registered at startup. You can edit the config file to change categories without re-running setup.

API Token Permissions

Create a custom token at https://dash.cloudflare.com/profile/api-tokens with these permissions:

| Scope | Permission | |-------|------------| | Account > AI Gateway | Edit | | Account > Access: Apps and Policies | Edit | | Account > Cloudflare Tunnel | Edit | | Zone > DNS | Edit |

Config File

Default location: ~/.enrichedlab/cloudflare-config.json

Override with ENRICHEDLAB_CLOUDFLARE_CONFIG env var.

{
  "apiToken": "your-cf-api-token",
  "defaultAccountId": "abc123",
  "defaultZoneId": "xyz789",
  "accounts": {
    "production": { "accountId": "abc123", "label": "Production" }
  },
  "defaults": {
    "gatewayId": null,
    "tunnelId": null
  }
}

Registration

# Global (all projects)
claude mcp add enrichedlab-cloudflare -- npx @enrichedlab/mcp-cloudflare

# Project-scoped
claude mcp add --scope project enrichedlab-cloudflare -- npx @enrichedlab/mcp-cloudflare

# Local dev (from repo)
claude mcp add enrichedlab-cloudflare -- node /path/to/packages/mcp-cloudflare/dist/index.js

Tools (126 across 16 categories)

AI Gateway (6)

• gateway_list - List all AI Gateways
• gateway_get - Get gateway details
• gateway_create - Create a new gateway
• gateway_update - Update gateway settings (cache, rate limiting, auth)
• gateway_delete - Delete a gateway
• gateway_logs - Get recent gateway request logs

Custom Providers (5)

• provider_list - List providers for a gateway
• provider_get - Get provider details
• provider_create - Register a self-hosted model origin
• provider_update - Update provider name or URL
• provider_delete - Remove a provider

Dynamic Routes (4)

• route_list - List routes for a gateway
• route_create - Add a route mapping (provider, model, endpoint)
• route_update - Update route configuration
• route_delete - Remove a route

Zero Trust Access (10)

• access_app_list - List Access applications
• access_app_get - Get application details
• access_app_create - Create an application (self_hosted, saas, ssh, etc.)
• access_app_delete - Delete an application
• access_policy_list - List policies for an application
• access_policy_create - Create a policy (allow/deny with email, domain, service token rules)
• service_token_list - List service tokens
• service_token_create - Create a service token (displays secret once)
• service_token_rotate - Rotate a token's secret
• service_token_delete - Revoke a service token

Tunnels (7)

• tunnel_list - List tunnels (with optional name/deleted filters)
• tunnel_get - Get tunnel details and health
• tunnel_connections - Get active tunnel connections
• tunnel_config_get - Get tunnel ingress configuration
• tunnel_config_update - Update ingress rules (fetch-merge-PUT)
• tunnel_create - Create a new tunnel
• tunnel_delete - Delete a tunnel

DNS (4)

• dns_record_list - List DNS records (filterable by type, name)
• dns_record_create - Create a record (CNAME for tunnels, A, AAAA, TXT, MX, etc.)
• dns_record_update - Update a record
• dns_record_delete - Delete a record

Pages (9)

• pages_project_list/get/create/delete - Cloudflare Pages project management
• pages_deployment_list/get/retry/rollback/logs - Deployment management

Workers (13)

• worker_list/get/delete - Worker script management
• worker_settings_get/update - Script settings
• worker_route_list/create/delete - Zone-level route mapping
• worker_secret_list/put/delete - Encrypted secrets
• worker_cron_get/update - Scheduled triggers

WAF & Security (8)

• waf_ruleset_list/get/create/update/delete - WAF rulesets
• waf_ip_rule_list/create/delete - IP access rules

SSL/TLS (8)

• ssl_setting_get/update - SSL mode management
• ssl_verification_get - Certificate verification status
• ssl_universal_get/update - Universal SSL
• ssl_cert_list/upload/delete - Custom certificates

Zones (9)

• zone_list/get/create/delete - Zone CRUD
• zone_activation_check - Trigger activation check
• cache_purge - Purge by URL, tag, host, prefix, or everything
• zone_setting_list/get/update - Zone settings

Analytics & Audit (3)

• audit_log_list - Account audit logs with filtering
• zone_analytics_get - Traffic, bandwidth, threats, pageviews
• dns_analytics_get - DNS query analytics

Account Members (5)

• member_list/get/invite/update/remove - Account member management

Load Balancers (14)

• lb_pool_list/get/create/update/delete - Origin pools
• lb_monitor_list/get/create/delete - Health monitors
• lb_list/get/create/update/delete - Load balancers

R2 Object Storage (4)

• r2_bucket_list/get/create/delete - Bucket management

Email Routing (10)

• email_routing_get/enable/disable - Email routing settings
• email_rule_list/create/update/delete - Routing rules
• email_address_list/create/delete - Destination addresses

All tools accept an optional account_id (or zone_id for zone-scoped tools) parameter, falling back to config defaults.

Architecture

• No external HTTP deps - uses Node 24 native fetch
• Thin API client - unwraps CF response envelope { success, result, errors }
• Zod validation - config schema validated at startup
• Stdio transport - standard MCP server lifecycle

Development

# From monorepo root
npm install
npm run build --workspace=packages/mcp-cloudflare
npm run typecheck --workspace=packages/mcp-cloudflare