Cloudflare Access and MCP Integration

Created 2026-02-19

Updated 2026-02-19

Status active

Tags agent-systemcloudflaremcpinfrastructureclaude-reference

Cloudflare Access & MCP Integration

Reference for Claude sessions — read this file when you need Cloudflare access.

Quick Summary

Cloudflare MCP tools are available through Docker MCP on Patrick’s Mac. They authenticate via a CLOUDFLARE_PERSONAL_ACCESS_TOKEN environment variable stored in Docker’s secret store. These are remote MCP servers hosted by Cloudflare (SSE endpoints), not local containers.

How to Access Cloudflare via Docker MCP

The Docker MCP catalog at ~/.docker/mcp/catalogs/docker-mcp.yaml contains multiple Cloudflare MCP servers. They all use the same CLOUDFLARE_PERSONAL_ACCESS_TOKEN secret.

Setup (one-time)

Generate a Cloudflare API Token at: https://dash.cloudflare.com/profile/api-tokens
Store it in Docker’s secret store as CLOUDFLARE_PERSONAL_ACCESS_TOKEN
Enable the desired Cloudflare MCP servers in Docker Desktop MCP settings

Available Cloudflare MCP Tools

Tool	SSE Endpoint	Use For
Cloudflare DNS Analytics	`dns-analytics.mcp.cloudflare.com/sse`	DNS record management & analytics
Cloudflare GraphQL	`graphql.mcp.cloudflare.com/sse`	General Cloudflare API (analytics, DNS, settings)
Cloudflare AI Gateway	`ai-gateway.mcp.cloudflare.com/sse`	AI gateway management
Cloudflare Audit Logs	`auditlogs.mcp.cloudflare.com/sse`	Security audit logs
Cloudflare Browser Rendering	`browser.mcp.cloudflare.com/sse`	Browser rendering service
Cloudflare Container	`containers.mcp.cloudflare.com/sse`	Container management
Cloudflare Docs	`docs.mcp.cloudflare.com/sse`	Search Cloudflare documentation (no auth needed)
Cloudflare Logpush	`logs.mcp.cloudflare.com/sse`	Log management
Cloudflare Observability	`observability.mcp.cloudflare.com/sse`	Monitoring & observability
Cloudflare Radar	`radar.mcp.cloudflare.com/sse`	Internet traffic insights
Cloudflare Workers Bindings	`bindings.mcp.cloudflare.com/sse`	Workers resource bindings
Cloudflare Workers Builds	`builds.mcp.cloudflare.com/sse`	Workers build management

Claude Desktop Config

The MCP_DOCKER gateway is already configured in Claude Desktop at: ~/Library/Application Support/Claude/claude_desktop_config.json

"MCP_DOCKER": {
    "command": "docker",
    "args": ["mcp", "gateway", "run"]
}

This is the bridge that gives Claude Desktop (and potentially Claude Code) access to all Docker MCP catalog tools, including Cloudflare.

Current Cloudflare Setup for Baseworks Agent System

Domain: baseworks.com

DNS Records (agent system):

n8n.baseworks.com → A record → 167.235.236.99 (Cloudflare proxy ON)
mcp.baseworks.com → (Phase 6 — not yet created)

Origin Certificate (wildcard):

Covers: *.baseworks.com and baseworks.com
Expires: 2041-02-15
Installed at (on VPS):
- Certificate: /etc/ssl/cloudflare/baseworks.com.pem
- Private key: /etc/ssl/cloudflare/baseworks.com.key
This cert works for any future subdomain — no need to create a new one

SSL/TLS Mode: Full or Full (strict) — do NOT change to Flexible (affects all Baseworks sites)

TODO

Create Cloudflare API Token with appropriate scopes for automation
Store token in Docker MCP secret store
Enable Cloudflare DNS Analytics MCP server in Docker Desktop
Test DNS management via Claude Desktop / Claude Code
Create mcp.baseworks.com DNS record when Phase 6 begins