Cloudflare MCP
- Benchmarked against: Anthropic - Claude on 3rd-party platforms (Vertex AI / Bedrock)
- Provider: Cloudflare official MCP server
- Tools: search (OpenAPI spec search) + execute (API execution)
- Authentication: Cloudflare API token
The Cloudflare MCP server gives SuperPortia agents direct access to the Cloudflare API. This is the infrastructure control plane for SS3 (the cloud ship): managing Workers, D1 databases, R2 storage, Vectorize indexes, and all other Cloudflare services.
Why Cloudflare MCP?
SuperPortia's cloud infrastructure runs entirely on Cloudflare:
| Service | Usage in SuperPortia |
|---|---|
| Workers | Cloud UB API endpoint (worker.js) |
| D1 | Cloud UB database (entries, WOs, messages) |
| Vectorize | Semantic search embeddings |
| R2 | Backup storage |
| Pages | Docs site deployment (Phase 3) |
| KV | Configuration and caching |
The Cloudflare MCP allows agents to manage all of these services programmatically, without leaving the agent session.
Tools
The Cloudflare MCP exposes exactly 2 tools:
search: OpenAPI spec search
Search the Cloudflare API specification to find the right endpoint for any operation.
```javascript
// Find endpoints related to D1 databases
async () => {
  const results = [];
  for (const [path, methods] of Object.entries(spec.paths)) {
    for (const [method, op] of Object.entries(methods)) {
      if (op.tags?.some(t => t.toLowerCase() === 'd1')) {
        results.push({ method: method.toUpperCase(), path, summary: op.summary });
      }
    }
  }
  return results;
}
```
The search tool has the complete Cloudflare OpenAPI spec with all $ref entries pre-resolved. This means agents can explore available APIs, check parameter schemas, and understand request/response formats before executing.
execute: API execution
Execute JavaScript code against the Cloudflare API using a pre-authenticated client.
```javascript
// List all D1 databases
async () => {
  return cloudflare.request({
    method: "GET",
    path: `/accounts/${accountId}/d1/database`
  });
}
```
The execute tool provides:
- `cloudflare.request()`: pre-authenticated API client
- `accountId`: your Cloudflare account ID
- Full JavaScript execution environment (async/await, JSON parsing, etc.)
Common operations
D1 database management
```javascript
// Query Cloud UB entries count
async () => {
  const dbId = "your-d1-database-id";
  return cloudflare.request({
    method: "POST",
    path: `/accounts/${accountId}/d1/database/${dbId}/query`,
    body: { sql: "SELECT COUNT(*) as total FROM entries" }
  });
}
```
Workers management
```javascript
// List all Workers
async () => {
  return cloudflare.request({
    method: "GET",
    path: `/accounts/${accountId}/workers/scripts`
  });
}
```
R2 bucket operations
```javascript
// List R2 buckets
async () => {
  return cloudflare.request({
    method: "GET",
    path: `/accounts/${accountId}/r2/buckets`
  });
}
```
Vectorize index management
```javascript
// List Vectorize indexes
async () => {
  return cloudflare.request({
    method: "GET",
    path: `/accounts/${accountId}/vectorize/v2/indexes`
  });
}
```
Security considerations
| Rule | Why |
|---|---|
| API token scoped to account | Cannot access other Cloudflare accounts |
| Read-before-write | Always search first to understand the API, then execute |
| Pre-Flight Check for destructive ops | Deleting D1 databases, Workers = PFC 🔴 zone |
| Captain approval for infrastructure changes | HITL boundary for production changes |
Destructive operations (deleting databases, dropping Workers, purging R2 buckets) should always require Captain confirmation per Company Constitution §5.
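One way to enforce the Pre-Flight Check in code, as an added example that is not part of the Cloudflare MCP server or SuperPortia's own code: a guard that classifies each request before it reaches `cloudflare.request()`. It looks past the HTTP verb because the D1 query endpoint is a POST whose effect depends on the SQL it carries; `classifyRequest`, `classifySql`, `guardedRequest` and the `approved` flag are hypothetical names.

```javascript
// Added example: a pre-flight guard in front of cloudflare.request().
// classifyRequest, classifySql, guardedRequest and `approved` are hypothetical names.
const D1_QUERY_PATH = /\/d1\/database\/[^/]+\/query$/;
const SQL_DESTRUCTIVE = /\b(drop|delete|truncate|alter)\b/i;
const RANK = { read: 0, write: 1, destructive: 2 };

// Classify one SQL string. It is split on every ';' and comments are
// deliberately NOT stripped: a piece counts as "read" only if it starts with
// SELECT, so a ';' hidden in a string or comment can raise the class, never lower it.
function classifySql(sql) {
  const pieces = String(sql ?? "").split(";").filter(p => p.trim() !== "");
  if (pieces.length === 0) return "write"; // nothing to inspect: fail closed
  let worst = "read";
  for (const piece of pieces) {
    let cls = "write";
    if (/^\s*select\b/i.test(piece)) cls = "read";
    else if (SQL_DESTRUCTIVE.test(piece)) cls = "destructive";
    if (RANK[cls] > RANK[worst]) worst = cls;
  }
  return worst;
}

// Classify a request object of the shape passed to cloudflare.request().
function classifyRequest({ method = "GET", path = "", body } = {}) {
  const verb = method.toUpperCase();
  if (verb === "GET" || verb === "HEAD") return "read";
  if (verb === "DELETE") return "destructive";
  // The D1 query call is a POST; what it does depends on body.sql.
  if (verb === "POST" && D1_QUERY_PATH.test(path)) return classifySql(body?.sql);
  return "write";
}

// Forward the request unless it is destructive and not explicitly approved.
function guardedRequest(client, req, { approved = false } = {}) {
  const cls = classifyRequest(req);
  if (cls === "destructive" && approved !== true) {
    throw new Error(`PFC block: ${req.method} ${req.path} needs Captain approval`);
  }
  return client.request(req);
}
```

Inside an `execute` snippet the guard would be called as `guardedRequest(cloudflare, { method, path, body })`, with `approved: true` passed only after the confirmation step has happened.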
Related pages
| Page | Relationship |
|---|---|
| MCP Servers Overview | All servers in the fleet |
| Cloud UB MCP | The Worker that runs on Cloudflare |
| Data Residency | Where data lives on Cloudflare |
| SRE Status | Health monitoring of Cloudflare services |