List all Cloudflare zones with pagination. Optionally filter by status or name.

Get zone details including status, nameservers, and plan.

Get a specific zone setting by name (e.g., 'ssl', 'security_level', 'minify').

Update a specific zone setting (e.g., change SSL mode, security level).

Purge cached files from Cloudflare's edge. Purge specific URLs (files), cache tags, URL prefixes, or everything. CAUTION: purge_everything causes a temporary origin load spike as the entire cache is rebuilt.

List DNS records for a zone. Optionally filter by type, name, content, or proxied status.

Get a single DNS record by its record ID.

Create a new DNS record in a zone.

Update an existing DNS record (full replacement via PUT).

Delete a DNS record from a zone.

Search DNS records by name pattern. Returns all records whose name contains the given string.

Export all DNS records for a zone in BIND zone file format. Returns raw text.

Import DNS records from a BIND zone file. Sends the file content as multipart/form-data.

Get the DNSSEC status for a zone.

DESTRUCTIVE: Enable DNSSEC for a zone. After enabling, you must add the DS record at your domain registrar for DNSSEC to become fully active.

DESTRUCTIVE: Disable DNSSEC for a zone. Also remove the DS record at your domain registrar to avoid DNS resolution failures.

Get Cloudflare account details (account name, ID, settings). No zone_id needed.

Validate the configured Cloudflare API token and check its permissions.

Check the health of a zone: combines zone status, DNSSEC configuration, and SSL mode into a single health report.

Check Cloudflare API rate limit consumption. Returns current limit, remaining requests, and reset time from response headers.

List Cloudflare Tunnels for the account. Optionally filter by name or deleted status.

Get details for a specific Cloudflare Tunnel by its ID.

Create a new Cloudflare Tunnel. A secure 32-byte tunnel secret is automatically generated.

Delete a Cloudflare Tunnel by its ID. This action cannot be undone.

Get the connector token for a Cloudflare Tunnel. This JWT token is used by cloudflared to authenticate with the Cloudflare edge. Store securely — treat as a credential.

Get the ingress configuration for a Cloudflare Tunnel.

Update the ingress configuration for a Cloudflare Tunnel.

List all WAF rulesets for a zone (managed, custom, rate-limiting, etc.).

Get a specific WAF ruleset by ID, including all rules within the ruleset.

List all custom WAF firewall rules for a zone (http_request_firewall_custom phase entrypoint).

Add a new custom WAF firewall rule to a zone. Uses Cloudflare Rules Language for the expression.

Delete a custom WAF firewall rule from a zone ruleset.

List all Zero Trust Access applications for the account.

Get details for a specific Zero Trust Access application by its ID.

Create a new Zero Trust Access application. Protects a domain with identity-based access control.

List all access policies attached to a Zero Trust Access application.

Create an access policy for a Zero Trust Access application. Policies define who can access the application.

List all identity providers (IdPs) configured for Zero Trust Access on the account.

Create a new identity provider (IdP) for Zero Trust Access. Supports GitHub, Google, SAML, OIDC, Azure AD, Okta, and one-time PIN.

Get the Zero Trust Gateway (DNS/HTTP filtering) configuration status for the account.

DESTRUCTIVE: Delete a Zero Trust Access application. This removes the application and all its associated policies.

DESTRUCTIVE: Delete an access policy from a Zero Trust Access application.

DESTRUCTIVE: Delete an identity provider (IdP) from Zero Trust Access.

Get the current security level setting for a zone (off, essentially_off, low, medium, high, under_attack).

DESTRUCTIVE: Update the security level for a zone. Changes affect live traffic immediately. Use 'under_attack' only during active DDoS attacks.

Query recent security/firewall events for a zone using Cloudflare GraphQL Analytics.

Query DDoS attack analytics for a zone using Cloudflare GraphQL Analytics. Returns aggregated attack traffic data.

List IP access rules (firewall rules) for a zone. Filter by mode (block, challenge, whitelist, js_challenge).

Create an IP access rule for a zone. Targets can be a specific IP, CIDR range, ASN, or country code.

Delete an IP access rule from a zone by its rule ID.

Check whether a zone is currently in 'Under Attack' mode. Returns the current security level and whether DDoS protection is maximized.

List Security Center insights (configuration issues, vulnerabilities, misconfigurations) for the account. Requires CLOUDFLARE_ACCOUNT_ID.

Get Security Center insight counts grouped by severity (low, moderate, critical). Quick overview without fetching all issues. Requires CLOUDFLARE_ACCOUNT_ID.

List all Workers KV namespaces in the account.

Create a new Workers KV namespace in the account.

DESTRUCTIVE: Delete a Workers KV namespace by its ID. This removes all keys in the namespace.

List keys stored in a Workers KV namespace. Supports prefix filtering and cursor-based pagination.

Read the value of a key from a Workers KV namespace. Returns the raw string value.

Write a value to a key in a Workers KV namespace. Optionally set a TTL for automatic expiration.

Delete a key from a Workers KV namespace.

List all Workers scripts deployed in the account.

Deploy a Workers script. Creates or updates the named script with the provided source code.

DESTRUCTIVE: Delete a Workers script by name. This action cannot be undone.

List all Workers routes for a zone. Routes map URL patterns to Worker scripts.

Create a Workers route that maps a URL pattern to a Worker script for a zone.

Deploy a multi-file Workers project using wrangler. Runs 'npx wrangler deploy' in the given project directory. Requires wrangler installed in the project (devDependency) and a wrangler.toml config file. Uses the CLOUDFLARE_API_TOKEN from the MCP server environment.

List all secrets bound to a Workers script. Only secret names are returned, not values.

Set a secret for a Workers script. Creates or updates the named secret. The secret value is NOT echoed in the response for security.

Delete a secret from a Workers script by name.

Query Workers invocation analytics (time-series). Returns per-script metrics including requests, errors, subrequests, and CPU time percentiles ordered by time.

Query Workers usage summary (per-script aggregated). Returns scripts ranked by total request count, with error rates and CPU time percentiles.

List all Web Analytics (RUM) sites for the account. Returns site IDs, hostnames, and creation dates.

Create/enable a Web Analytics (RUM) site. Enables privacy-first, cookie-free analytics beacon auto-injection for the specified hostname.

Get details of a specific Web Analytics (RUM) site by ID.

Delete a Web Analytics (RUM) site and stop collecting analytics.

Query Web Analytics traffic stats for a zone. Returns page views, visits, and bandwidth grouped by time.

List all R2 buckets in the account. Supports filtering by name and pagination.

Create a new R2 storage bucket. Name must be 3-63 lowercase alphanumeric characters with hyphens.

Get details of an R2 bucket including creation date and location.

DESTRUCTIVE: Delete an R2 bucket. The bucket must be empty before deletion.

List objects in an R2 bucket. Supports prefix filtering, delimiter for directory-like listing, and pagination.

Get metadata of an object in an R2 bucket (size, etag, content type, last modified). Does not return object body.

Delete an object from an R2 bucket.

List custom domains attached to an R2 bucket. Shows domain name, status, and zone info.

Attach a custom domain to an R2 bucket, enabling public access via that domain. The domain must belong to a zone in the same account. Cloudflare automatically creates a CNAME record.

Remove a custom domain from an R2 bucket. This disables public access via that domain.

List SSL/TLS certificate packs for a zone. Shows all certificates including Universal SSL, Advanced, and custom uploads.

Get details of a specific SSL/TLS certificate pack including hosts, status, validity, and issuer.

Get the current SSL/TLS encryption mode for a zone (off, flexible, full, strict).

DESTRUCTIVE: Set the SSL/TLS encryption mode for a zone. Changes affect live traffic immediately. 'strict' is recommended for production.

Get SSL/TLS verification status for a zone. Shows certificate validation progress, hostname coverage, and brand check status.

Get the minimum TLS version setting for a zone (1.0, 1.1, 1.2, or 1.3).

DESTRUCTIVE: Set the minimum TLS version for a zone. Changes affect live traffic immediately. Higher versions are more secure but may break older clients.

List all rate limiting rules for a zone with pagination.

Get details of a specific rate limiting rule including threshold, period, action, and match conditions.

Get a summary of all rate limiting rules for a zone — total count, enabled/disabled breakdown, and action types.