Cloudflare MCP Server - MCP Servers

Content

Manage Cloudflare services and configurations through Claude for comprehensive infrastructure control.

Features

• Configure DNS settings and records
• Manage security rules and WAF
• Analyze traffic patterns and metrics
• Control caching behavior and purging
• Deploy Workers and Pages
• Advanced Cloudflare zone and DNS management with CDN configuration, security rules, and analytics integration
• Batch operations support for efficient bulk DNS record creation, updates, and cache purging with automatic rate limit handling and retry logic
• Real-time configuration synchronization capabilities with webhook integration support for monitoring zone changes and triggering automated workflows

Use Cases

• Deploy edge functions globally
• Configure WAF rules for security
• Manage DNS records programmatically
• Analyze attack patterns and threats
• Optimize site performance with caching
• Build automated infrastructure management workflows that sync external systems with Cloudflare zones for real-time DNS and security configuration

Installation

Claude Code

1. claude mcp add cloudflare --env CLOUDFLARE_API_TOKEN=YOUR_TOKEN --env CLOUDFLARE_ACCOUNT_ID=YOUR_ACCOUNT_ID
2. Verify installation: claude mcp list
3. Test connection: claude mcp status cloudflare

Claude Desktop

1. Get your Cloudflare API Token from https://dash.cloudflare.com/profile/api-tokens
2. Find your Account ID in the Cloudflare dashboard
3. Open Claude Desktop configuration file
4. Add the Cloudflare MCP server configuration with your credentials
5. Restart Claude Desktop

Requirements

• Cloudflare account with active zones
• Cloudflare API Token from https://dash.cloudflare.com/profile/api-tokens
• Cloudflare Account ID (found in Cloudflare dashboard)
• Node.js and npm/npx available for running the @cloudflare/mcp-server-cloudflare package
• Internet connection for accessing Cloudflare API (https://api.cloudflare.com endpoints)
• Claude Desktop 0.7.0+ or Claude Code with MCP support
• Rate limit awareness: 1,200 requests per 5 minutes (global limit, ~4 requests per second)
• Understanding of Cloudflare zones, DNS records, Workers, Pages, and security settings
• Appropriate API token permissions (read, write, deploy as needed for target operations)
• Content-Type: application/json header for API requests and Bearer authentication (not email/key pair)

Configuration

{
  "cloudflare": {
    "env": {
      "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}",
      "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}"
    },
    "args": ["-y", "@cloudflare/mcp-server-cloudflare"],
    "command": "npx"
  }
}

Examples

Add DNS record for subdomain

Common usage pattern for this MCP server

Ask Claude: "Add DNS record for subdomain"

Deploy Worker script

Common usage pattern for this MCP server

Ask Claude: "Deploy Worker script"

Show traffic analytics

Common usage pattern for this MCP server

Ask Claude: "Show traffic analytics"

Configure firewall rule

Common usage pattern for this MCP server

Ask Claude: "Configure firewall rule"

Create DNS Record

Create a new Cloudflare DNS A record with TTL configuration

// Create Cloudflare DNS record
const record = await cloudflare.dns.records.create({
  zone_id: "zone-id",
  type: "A",
  name: "example.com",
  content: "192.0.2.1",
  ttl: 3600,
});

Security

• Use API tokens with minimal scope
• Enable 2FA on Cloudflare account
• Regular security audits recommended
• Monitor API usage and rate limits
• Cloudflare API tokens and Global API keys must be securely stored and never exposed in client-side code or public repositories - use environment variables and secure credential management
• Cloudflare API tokens should be scoped with minimal required permissions following the principle of least privilege - regularly audit API token permissions and remove unused tokens
• Cloudflare zone IDs and account IDs may expose infrastructure architecture and domain information - ensure Cloudflare resource IDs are kept private and not shared in public configurations
• Rate limiting and API quota management are critical for Cloudflare MCP servers - implement proper rate limit handling, retry logic, and quota monitoring to prevent service disruption
• Cloudflare webhook configurations and payloads may contain sensitive DNS and security configuration data - ensure webhook endpoints are properly secured with authentication and HTTPS encryption

Troubleshooting

HTTP 429 error: API rate limit exceeded for 5 minutes

Cloudflare global rate limit is 1,200 requests per 5 minutes. Wait for 5-minute window to reset. Distribute API calls across time and implement request throttling to stay under 4 requests per second.

Rate limit API error: decoding not yet implemented

Add Content-Type: application/json header to your API request. Verify request body is properly formatted JSON and includes all required parameters for the endpoint.

Error: ratelimit.api.not_entitled for Enterprise features

Contact your Cloudflare Account Team to enable Enterprise rate limiting features. Verify your account tier supports advanced rate limiting or migrate to Ruleset Engine API.

Authentication error: token permission insufficient

Verify API token has Firewall Services Write permission for rate limiting. Check token hasn't expired and regenerate from Cloudflare dashboard if needed. Use Bearer authentication, not email/key pair.

Cannot configure rate limits or firewall rules

Ensure API token has correct zone and account-level permissions. Verify you're using Ruleset Engine API (not deprecated Rate Limiting API) and check account tier supports feature.

Cloudflare MCP server authentication errors with API tokens

Verify API token is valid and not expired. Check token permissions match required operations. Ensure token format is correct (Bearer token in Authorization header). For Global API keys, verify email and key combination is correct.

Cloudflare rate limit errors when managing large zones

Implement exponential backoff retry logic with jitter. Use batch operations to reduce API calls. Cache frequently accessed zone data. Monitor rate limit headers and adjust request frequency accordingly. Cloudflare allows 1,200 requests per 5 minutes per API token.

Cloudflare zone or DNS record access denied errors

Verify API token has access to the zone and account. Check zone permissions and account membership. Ensure API token scopes include required zone and DNS permissions.

Cloudflare MCP server connection timeouts or network errors

Check network connectivity and firewall settings. Verify Cloudflare API endpoints are accessible. Increase request timeout values. Implement connection pooling and retry mechanisms with exponential backoff.