Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"cloudflare": {
"env": {
"CLOUDFLARE_API_TOKEN": "your-api-token-here",
"CLOUDFLARE_ACCOUNT_ID": "your-account-id"
},
"args": [
"/path/to/mcp-cloudflare/dist/index.js"
],
"command": "node"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Slim Cloudflare MCP Server for managing DNS, zones, tunnels, WAF, Zero Trust, and security via Cloudflare API v4.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'cp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked cp against OSV.dev.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in cloud / devops
MCP server for using the GitLab API
MCP Server for kubernetes management commands
MCP server for Hostinger API
MCP server for Dynatrace Managed to access logs, events, and metrics.
MCP Security Weekly
Get CVE alerts and security updates for io.github.itunified-io/cloudflare and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Slim Cloudflare MCP Server for managing DNS, zones, tunnels, WAF, Zero Trust, and security via Cloudflare API v4.
No SSH. No shell execution. API-only. 3 runtime dependencies.
75 tools across 11 domains:
npm install
cp .env.example .env # Edit with your Cloudflare API token
npm run build
node dist/index.js # stdio transport for MCP
mcp-cloudflare supports loading Cloudflare credentials from a central
HashiCorp Vault instance at startup via AppRole
authentication. This is optional — the server works fine with plain environment
variables alone.
On startup, if NAS_VAULT_ADDR is set the server performs an AppRole login,
fetches the KV v2 secret at <mount>/data/cloudflare/api, and injects the
values into the process environment before the MCP transport starts. The
loader is fully opportunistic:
NAS_VAULT_ADDR is unset, the loader is a silent no-op. No Vault
calls are made and the server behaves exactly as before.fetch (Node 20+) — no additional runtime dependencies.Explicit env vars (CLOUDFLARE_API_TOKEN etc.) > Vault > error (missing creds)
If you set CLOUDFLARE_API_TOKEN directly, the Vault loader will not
overwrite it. Vault only fills in credentials that are not already present in
the environment.
| Variable | Required | Description |
|---|---|---|
| `NA |