# Cloudflare MCP Server — 200 tools via DADL

The Cloudflare DADL turns Cloudflare's API into an MCP server that Claude, GPT or any MCP-compatible agent can consume directly. One YAML file declares all 200 tools — page, zone, worker, account, custom, firewall, and more — and ToolMesh serves them at runtime. No Python boilerplate, no per-endpoint code, no separate MCP server process.

Below: the endpoint coverage matrix, a two-block ToolMesh setup, the full tool reference grouped by Cloudflare feature area, and the required credential scopes.

**Source:** [Cloudflare REST API v4](https://developers.cloudflare.com/api/)

**Updated:** 2026-03-30

**Tags:** cloud, dns, storage, security, crud, search, authentication, deployment, auth:bearer

## Which Cloudflare endpoints are covered?

**17%** (248 of ~1500 endpoints).

**Focus:** zones, DNS records, DNSSEC, DNS settings, Pages projects/deployments/domains, Workers scripts/routes/secrets/cron/deployments/tails, KV namespaces/keys, R2 buckets/lifecycle/CORS/domains, D1 databases/queries, SSL/TLS certificates/custom hostnames, cache purge/settings, load balancers/pools/monitors, firewall rules/rulesets/rate limits, page rules, Access apps/policies/groups, accounts/members/roles

**Missing:** Argo, Spectrum, Stream, Images (transformations), Email Routing, Waiting Room, Web3, Registrar, Turnstile, Queues, Hyperdrive, Vectorize, AI Gateway, Durable Objects, Zone Lockdown, IP Access Rules, User-Agent Blocking, Logpush, Notifications, Audit Logs

*Last reviewed: 2026-03-30*

## How do you configure the Cloudflare DADL?

1. Log in to the Cloudflare dashboard at https://dash.cloudflare.com
2. Go to My Profile (top right) → API Tokens
3. Click 'Create Token'
4. Use a template (e.g. 'Edit zone DNS') or create a custom token with specific permissions
5. Copy the token immediately -- it is shown only once

**Environment variable:** `CREDENTIAL_CLOUDFLARE_API_TOKEN`

[Authentication docs](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/)

*Scoped API Tokens are preferred over the Global API Key. Tokens can be restricted to specific zones and permissions. The Global API Key uses the X-Auth-Email + X-Auth-Key headers instead of a Bearer token.*

## How do you install the Cloudflare MCP server with ToolMesh?

Add to your `backends.yaml`:

```yaml
- name: cloudflare
  transport: rest
  dadl: /app/dadl/cloudflare.dadl
```

Set the credential:

```
CREDENTIAL_CLOUDFLARE_API_TOKEN=your-token-here
```

## What 200 tools does the Cloudflare DADL expose?

- **GET** `list_accounts` — List all accounts you have access to
- **GET** `get_account` — Get account details
- **PUT** `update_account` — Update account settings
- **GET** `list_account_members` — List all account members
- **GET** `get_account_member` — Get account member details
- **POST** `add_account_member` — Add a member to an account
- **PUT** `update_account_member` — Update account member roles
- **DELETE** `remove_account_member` — Remove a member from an account
- **GET** `list_account_roles` — List all available roles for an account
- **GET** `get_account_role` — Get role details and permissions
- **GET** `list_zones` — List, search, sort, and filter zones. Returns zone_id needed for all zone-scoped endpoints.
- **GET** `get_zone` — Get zone details
- **POST** `create_zone` — Create a new zone (add a domain to Cloudflare)
- **PATCH** `update_zone` — Edit zone properties (paused, type, vanity nameservers)
- **DELETE** `delete_zone` — Delete a zone and all associated settings. Irreversible.
- **PUT** `check_zone_activation` — Trigger activation check for a PENDING zone. Rate limited (5min paygo/enterprise, 1hr free).
- **GET** `list_zone_settings` — Get all zone settings
- **GET** `get_zone_setting` — Get a single zone setting by ID
- **PATCH** `update_zone_setting` — Update a single zone setting
- **GET** `get_zone_hold` — Get zone hold status and metadata
- **POST** `create_zone_hold` — Enforce a zone hold (block zone creation with this hostname)
- **DELETE** `delete_zone_hold` — Remove zone hold (permanently or temporarily)
- **GET** `list_zone_plans` — List available plans the zone can subscribe to
- **GET** `get_zone_subscription` — Get zone subscription details
- **POST** `create_zone_subscription` — Create zone subscription (plan/add-on)
- **GET** `list_dns_records` — List, search, sort, and filter DNS records for a zone
- **GET** `get_dns_record` — Get a single DNS record
- **POST** `create_dns_record` — Create a new DNS record
- **PATCH** `update_dns_record` — Update (partial) a DNS record
- **PUT** `overwrite_dns_record` — Overwrite (full replace) a DNS record
- **DELETE** `delete_dns_record` — Delete a DNS record
- **POST** `batch_dns_records` — Batch create/update/delete DNS records atomically in one transaction
- **POST** `import_dns_records` — Import DNS records from a BIND config file
- **GET** `export_dns_records` — Export DNS records as BIND zone file
- **POST** `scan_dns_records` — Scan for common DNS records and auto-add them
- **GET** `get_dnssec` — Get DNSSEC status and configuration
- **PATCH** `update_dnssec` — Enable or disable DNSSEC
- **DELETE** `delete_dnssec` — Delete DNSSEC records
- **GET** `get_zone_dns_settings` — Get DNS settings for a zone
- **PATCH** `update_zone_dns_settings` — Update DNS settings for a zone
- **GET** `get_account_dns_settings` — Get DNS settings for an account
- **PATCH** `update_account_dns_settings` — Update DNS settings for an account
- **GET** `get_dns_analytics` — Get summarized aggregate DNS metrics over a time period
- **GET** `get_dns_analytics_by_time` — Get aggregate DNS metrics grouped by time interval
- **GET** `list_pages_projects` — List all Cloudflare Pages projects
- **GET** `get_pages_project` — Get a Pages project by name
- **POST** `create_pages_project` — Create a new Pages project
- **PATCH** `update_pages_project` — Update Pages project attributes
- **DELETE** `delete_pages_project` — Delete a Pages project and all deployments. Irreversible.
- **POST** `purge_pages_build_cache` — Purge all cached build artifacts for a Pages project
- **GET** `list_pages_deployments` — List all deployments for a Pages project
- **GET** `get_pages_deployment` — Get a specific deployment
- **POST** `create_pages_deployment` — Create a new deployment (direct upload via multipart or trigger Git build)
- **DELETE** `delete_pages_deployment` — Delete a deployment
- **POST** `retry_pages_deployment` — Retry a failed deployment
- **POST** `rollback_pages_deployment` — Rollback production to a previous deployment
- **GET** `get_pages_deployment_logs` — Get build/deployment logs for a specific deployment
- **GET** `list_pages_domains` — List all custom domains for a Pages project
- **GET** `get_pages_domain` — Get a specific Pages domain
- **POST** `add_pages_domain` — Add a custom domain to a Pages project
- **PATCH** `retry_pages_domain_validation` — Retry domain validation for a Pages custom domain
- **DELETE** `delete_pages_domain` — Remove a custom domain from a Pages project
- **GET** `list_worker_scripts` — List all uploaded Worker scripts
- **GET** `get_worker_script` — Fetch raw Worker script content
- **PUT** `upload_worker_script` — Upload or update a Worker script (multipart: module content + metadata with bindings)
- **DELETE** `delete_worker_script` — Delete a Worker script
- **GET** `get_worker_script_content` — Fetch Worker script content only (without metadata)
- **PUT** `update_worker_script_content` — Update Worker script content without changing settings/bindings
- **GET** `list_worker_routes` — List all Worker routes for a zone
- **GET** `get_worker_route` — Get a specific Worker route
- **POST** `create_worker_route` — Create a Worker route (map URL pattern to a Worker script)
- **PUT** `update_worker_route` — Update a Worker route
- **DELETE** `delete_worker_route` — Delete a Worker route
- **GET** `list_worker_cron_triggers` — List cron triggers for a Worker
- **PUT** `update_worker_cron_triggers` — Set cron triggers for a Worker (replaces all existing triggers)
- **GET** `list_worker_secrets` — List secrets bound to a Worker (names only, values not returned)
- **PUT** `put_worker_secret` — Add or update a secret binding for a Worker
- **DELETE** `delete_worker_secret` — Remove a secret binding from a Worker
- **GET** `list_worker_deployments` — List deployments for a Worker (latest first)
- **POST** `create_worker_deployment` — Create a Worker deployment (percentage-based rollout)
- **GET** `list_worker_tails` — List active tails (live log streams) for a Worker
- **POST** `create_worker_tail` — Start a tail to receive live logs and exceptions from a Worker
- **DELETE** `delete_worker_tail` — Delete a Worker tail
- **GET** `get_worker_subdomain` — Check workers.dev subdomain status for a Worker
- **POST** `set_worker_subdomain` — Enable or disable workers.dev subdomain for a Worker
- **GET** `list_kv_namespaces` — List all Workers KV namespaces
- **GET** `get_kv_namespace` — Get a KV namespace
- **POST** `create_kv_namespace` — Create a KV namespace
- **PUT** `rename_kv_namespace` — Rename a KV namespace
- **DELETE** `delete_kv_namespace` — Delete a KV namespace and all its keys
- **GET** `list_kv_keys` — List keys in a KV namespace
- **GET** `kv_read_value` — Read a value from KV by key name
- **PUT** `kv_write_value` — Write a key-value pair to KV. Eventually consistent (up to 60s propagation).
- **DELETE** `kv_delete_value` — Delete a key from KV
- **GET** `kv_get_metadata` — Get metadata for a KV key
- **PUT** `kv_bulk_write` — Write multiple key-value pairs to KV in one request
- **POST** `kv_bulk_delete` — Delete multiple keys from KV in one request
- **POST** `kv_bulk_read` — Read multiple keys from KV in one request (up to 100)
- **GET** `list_r2_buckets` — List all R2 buckets
- **GET** `get_r2_bucket` — Get R2 bucket properties
- **POST** `create_r2_bucket` — Create an R2 bucket
- **DELETE** `delete_r2_bucket` — Delete an R2 bucket (must be empty)
- **GET** `get_r2_lifecycle` — Get R2 bucket lifecycle rules
- **PUT** `set_r2_lifecycle` — Set R2 bucket lifecycle rules
- **GET** `get_r2_cors` — Get R2 bucket CORS policy
- **PUT** `set_r2_cors` — Set R2 bucket CORS policy
- **DELETE** `delete_r2_cors` — Delete R2 bucket CORS policy
- **GET** `list_r2_custom_domains` — List custom domains for an R2 bucket
- **POST** `add_r2_custom_domain` — Add a custom domain to an R2 bucket
- **DELETE** `delete_r2_custom_domain` — Remove a custom domain from an R2 bucket
- **GET** `get_r2_managed_domain` — Get r2.dev public domain status
- **PUT** `set_r2_managed_domain` — Enable or disable r2.dev public access
- **GET** `list_d1_databases` — List all D1 databases
- **GET** `get_d1_database` — Get D1 database details
- **POST** `create_d1_database` — Create a D1 database
- **DELETE** `delete_d1_database` — Delete a D1 database
- **POST** `d1_query` — Execute SQL query on D1 (results as objects)
- **POST** `d1_raw_query` — Execute SQL query on D1 (results as arrays, more compact)
- **POST** `d1_export` — Export D1 database as SQL dump
- **POST** `d1_import` — Import SQL into a D1 database
- **GET** `d1_time_travel_bookmark` — Get current or historical D1 database bookmark (point-in-time)
- **POST** `d1_time_travel_restore` — Restore D1 database to a point in time. Overwrites current state.
- **GET** `list_custom_certificates` — List all custom SSL certificates for a zone
- **GET** `get_custom_certificate` — Get custom certificate details
- **POST** `upload_custom_certificate` — Upload a new custom SSL certificate
- **PATCH** `update_custom_certificate` — Update a custom SSL certificate or private key
- **DELETE** `delete_custom_certificate` — Remove a custom SSL certificate
- **PUT** `prioritize_certificates` — Set priority order for custom certificates
- **GET** `list_certificate_packs` — List all certificate packs for a zone
- **GET** `get_certificate_pack` — Get a specific certificate pack
- **POST** `order_certificate_pack` — Order an advanced certificate pack
- **DELETE** `delete_certificate_pack` — Delete a certificate pack
- **GET** `list_custom_hostnames` — List all custom hostnames for a zone
- **GET** `get_custom_hostname` — Get custom hostname details including SSL status and verification
- **POST** `create_custom_hostname` — Create a custom hostname and request SSL certificate
- **PATCH** `update_custom_hostname` — Update custom hostname SSL config or trigger DCV
- **DELETE** `delete_custom_hostname` — Delete a custom hostname and revoke its SSL certificates
- **GET** `get_ssl_recommendation` — Get SSL/TLS mode recommendation for a zone
- **GET** `get_ssl_verification` — Get SSL verification info and DCV status
- **GET** `get_universal_ssl_settings` — Get Universal SSL settings for a zone
- **PATCH** `update_universal_ssl_settings` — Update Universal SSL settings (enable/disable)
- **POST** `purge_cache` — Purge cached content. Use purge_everything for full purge, or files/tags/hosts/prefixes for selective.
- **GET** `get_cache_reserve` — Get Cache Reserve status
- **PATCH** `update_cache_reserve` — Enable or disable Cache Reserve
- **GET** `get_tiered_cache` — Get Smart Tiered Cache setting
- **PATCH** `update_tiered_cache` — Enable or disable Smart Tiered Cache
- **GET** `list_load_balancers` — List all load balancers for a zone
- **GET** `get_load_balancer` — Get load balancer details
- **POST** `create_load_balancer` — Create a load balancer
- **PUT** `update_load_balancer` — Update a load balancer
- **DELETE** `delete_load_balancer` — Delete a load balancer
- **GET** `list_lb_pools` — List all load balancer pools
- **GET** `get_lb_pool` — Get load balancer pool details
- **POST** `create_lb_pool` — Create a load balancer pool
- **PUT** `update_lb_pool` — Update a load balancer pool
- **DELETE** `delete_lb_pool` — Delete a load balancer pool
- **GET** `get_lb_pool_health` — Get pool health status
- **GET** `list_lb_monitors` — List all load balancer monitors
- **GET** `get_lb_monitor` — Get load balancer monitor details
- **POST** `create_lb_monitor` — Create a load balancer health monitor
- **PUT** `update_lb_monitor` — Update a load balancer monitor
- **DELETE** `delete_lb_monitor` — Delete a load balancer monitor
- **GET** `list_firewall_rules` — List firewall rules for a zone
- **GET** `get_firewall_rule` — Get a specific firewall rule
- **POST** `create_firewall_rules` — Create one or more firewall rules
- **PUT** `update_firewall_rule` — Update a firewall rule
- **DELETE** `delete_firewall_rule` — Delete a firewall rule
- **GET** `list_account_rulesets` — List all account-level rulesets
- **GET** `list_zone_rulesets` — List all zone-level rulesets
- **GET** `get_zone_ruleset` — Get a specific zone ruleset
- **POST** `create_zone_ruleset` — Create a zone ruleset
- **PUT** `update_zone_ruleset` — Update/deploy a zone ruleset (replaces all rules)
- **DELETE** `delete_zone_ruleset` — Delete a zone ruleset
- **GET** `get_zone_ruleset_phase` — Get the entry point ruleset for a phase (e.g. http_ratelimit, http_request_firewall_custom)
- **PUT** `update_zone_ruleset_phase` — Update the entry point ruleset for a phase
- **GET** `list_page_rules` — List all page rules for a zone
- **GET** `get_page_rule` — Get a specific page rule
- **POST** `create_page_rule` — Create a page rule
- **PUT** `update_page_rule` — Replace a page rule entirely
- **DELETE** `delete_page_rule` — Delete a page rule
- **GET** `list_access_apps` — List all Cloudflare Access applications
- **GET** `get_access_app` — Get Access application details
- **POST** `create_access_app` — Create an Access application
- **PUT** `update_access_app` — Update an Access application
- **DELETE** `delete_access_app` — Delete an Access application
- **GET** `list_access_policies` — List all reusable Access policies
- **GET** `get_access_policy` — Get a reusable Access policy
- **POST** `create_access_policy` — Create a reusable Access policy
- **PUT** `update_access_policy` — Update a reusable Access policy
- **DELETE** `delete_access_policy` — Delete a reusable Access policy
- **GET** `list_access_app_policies` — List policies for a specific Access application
- **GET** `get_access_app_policy` — Get a specific policy for an Access application
- **POST** `create_access_app_policy` — Create a policy for a specific Access application
- **PUT** `update_access_app_policy` — Update a policy for an Access application
- **DELETE** `delete_access_app_policy` — Delete a policy for an Access application
- **GET** `list_access_groups` — List all Access groups
- **GET** `get_access_group` — Get Access group details
- **POST** `create_access_group` — Create an Access group
- **PUT** `update_access_group` — Update an Access group
- **DELETE** `delete_access_group` — Delete an Access group
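
Before handing this backend to an agent, it helps to see how much of the tool surface changes or destroys state, so the API token can be scoped to match. The following is an added example, not part of the DADL or ToolMesh: it parses lines in the format of the reference above and sorts tools into review tiers. The tier names, the marker phrases and the `SAMPLE` text (a few lines copied from the list) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the tool reference above.
SAMPLE = """\
- **GET** `list_zones` — List, search, sort, and filter zones. Returns zone_id needed for all zone-scoped endpoints.
- **DELETE** `delete_zone` — Delete a zone and all associated settings. Irreversible.
- **PATCH** `update_dnssec` — Enable or disable DNSSEC
- **PUT** `update_zone_ruleset` — Update/deploy a zone ruleset (replaces all rules)
- **POST** `d1_time_travel_restore` — Restore D1 database to a point in time. Overwrites current state.
- **POST** `kv_bulk_read` — Read multiple keys from KV in one request (up to 100)
- **PUT** `put_worker_secret` — Add or update a secret binding for a Worker
"""

LINE_RE = re.compile(
    r"^- \*\*(GET|POST|PUT|PATCH|DELETE)\*\* `([a-z0-9_]+)` (?:—|--) (.*)$"
)
# Phrases the reference itself uses to flag state-destroying calls (assumed list).
DESTRUCTIVE_MARKERS = ("irreversible", "overwrites", "replaces all")


def parse_tools(text):
    """Return one dict per tool line; lines in any other shape are skipped."""
    tools = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            tools.append({"method": m.group(1), "name": m.group(2), "desc": m.group(3)})
    return tools


def classify(tool):
    """Assign a review tier from the HTTP method and the description text."""
    desc = tool["desc"].lower()
    if tool["method"] == "DELETE" or any(k in desc for k in DESTRUCTIVE_MARKERS):
        return "destructive"
    if tool["method"] == "GET":
        return "read"
    # POST/PUT/PATCH is treated as state-changing until reviewed by hand;
    # this is deliberately conservative (kv_bulk_read is a POST that only reads).
    return "write"


def triage(text):
    """Group tool names by tier, preserving their order in the reference."""
    buckets = defaultdict(list)
    for tool in parse_tools(text):
        buckets[classify(tool)].append(tool["name"])
    return dict(buckets)


if __name__ == "__main__":
    for tier, names in triage(SAMPLE).items():
        print(f"{tier:12} {len(names):3}  {', '.join(names)}")
```

A `read` tier is not automatically low risk: tools such as `get_worker_script` or `kv_read_value` return stored content, so the token's read permissions deserve the same review as its write permissions.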

## Which DADLs are related to Cloudflare?

- [Linode](https://www.dadl.ai/d/linode/) — Linode (Akamai) cloud infrastructure API -- compute instances, volumes, DNS, networking, Kubernetes, databases, object storage, and account management
- [Tailscale](https://www.dadl.ai/d/tailscale/) — Tailscale API -- devices, users, auth keys, DNS, ACL/policy, webhooks, contacts, posture integrations, log streaming, and tailnet settings
- [DokuWiki](https://www.dadl.ai/d/dokuwiki/) — DokuWiki JSON-RPC API — wiki pages, media files, search, ACL management, and user administration
- [ELITEDOMAINS](https://www.dadl.ai/d/elitedomains/) — ELITEDOMAINS domain registrar API -- register/transfer/manage .de and gTLD domains, redirector & inline DNS, AuthInfo/AuthInfo2 transfer codes, RGP catcher backorders, contact handles, and marketplace offers (Sedo, sale pages)
- [GitLab](https://www.dadl.ai/d/gitlab/) — GitLab REST API v4 — projects, issues, merge requests, pipelines, CI/CD, and code search
- [Hetzner Cloud](https://www.dadl.ai/d/hetzner-cloud/) — Hetzner Cloud API -- servers, volumes, networks, load balancers, firewalls, floating IPs, primary IPs, images, SSH keys, placement groups, certificates, and infrastructure metadata

---

**Canonical URL:** https://www.dadl.ai/d/cloudflare/
**Raw DADL:** https://github.com/DunkelCloud/dadl-registry/blob/main/cloudflare.dadl
