Cloudflare
DNS, Workers, R2, and edge deploys.
Verdict
Common use cases
- Add DNS records during incident response
- Block malicious IPs via WAF lists
- Onboard new domains to Cloudflare
- Audit account members before offboarding
- Delete stale DNS entries after migrations
Integration
- Vendor
- Cloudflare
- Category
- developer-tools
- Auth
- API_KEY
- Tools
- 16
- Composio slug
cloudflare
Tools
- Create DNS record
Tool to create a new dns record within a specific zone. use after obtaining the zone id to programmatically add dns entries.
- Create WAF List
Tool to create a new empty waf list for the account. use after confirming the account id. example: create list(account id="<id>", kind="ip", name="blocklist")
- Create Zone
Tool to create a new zone. use after confirming account id when adding a domain to cloudflare.
- Delete DNS Recorddestructive
Tool to delete a dns record within a specific zone. use after confirming zone and record ids. example: "delete dns record 372e6795... from zone 023e105f4ecef..."
- Delete WAF Listdestructive
Tool to delete a waf list. use when you need to remove a list after verifying no filters reference it. example: delete list(account id="<account id>", list id="<list id>")
- Delete Zonedestructive
Tool to delete a zone. use after confirming the zone identifier to permanently remove a dns zone from your cloudflare account. example: delete zone(zone identifier="023e105f4ecef8ad9ca31a8372d0c353")
- List Account Members
Tool to list members of a given cloudflare account. use after confirming the account id.
- List Accounts
Tool to list all accounts accessible to the user. use when you need to enumerate cloudflare accounts for selection or auditing.
- List Firewall Rules
Tool to list firewall rules for a specific zone. use after confirming the zone id to retrieve and audit current firewall rules.
- List Monitors
Tool to list all load-balancer monitors in a cloudflare account. use after creating or updating monitors to retrieve a paginated list.
- List Pools
Tool to list all load balancer pools in a cloudflare account. use after confirming account id to discover pool ids.
- List WAF Lists
Tool to fetch all waf lists (no items) for an account. use after confirming account id.
- List Zones
This tool lists, searches, sorts, and filters your zones.
- Update DNS record
Tool to update an existing dns record within a specific zone. use after confirming both zone and record identifiers; only provided fields are modified.
- Update WAF List
Tool to update the description of a waf list (cannot update items). use after confirming list metadata.
- Update Zone
Tool to update properties of an existing zone. use after confirming the zone id; only one field can be modified per call.
Setup
Setup guide
- 11. In Switchy, open your workspace settings and navigate to the Integrations tab. 2. Find Cloudflare in the MCP directory and click Connect. 3. You'll be prompted to paste your Cloudflare API key — generate one from your Cloudflare dashboard under My Profile > API Tokens (use a token with Zone:Edit and Account:Read permissions, or a legacy API key if you prefer broader access). 4. Paste the key into Switchy and click Authorize. 5. Switchy will verify the key by listing your accessible accounts; if this succeeds, the connection is live. 6. Open any Space, type @Cloudflare in a message, and ask it to list your accounts or zones to confirm it responds. 7. From there, you can invoke any of the 16 tools by describing what you need in plain language — the MCP translates your request into the correct API call.
What teammates see: by default, memories from Cloudflare are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.
Works well with
Top models
Compatibility data appears once enough Spaces have used this MCP together with a given model.
How Switchy teams use it
Starter prompts
List All Zones
@Cloudflare list all zones in my account and show me their IDs and statusOpen in a Space →
Create A Record
@Cloudflare create an A record for api.example.com pointing to 203.0.113.42 in zone ID 023e105f4ecef8ad9ca31a8372d0c353Open in a Space →
Block IP Address
@Cloudflare add 198.51.100.99 to the blocklist WAF list for account ID abc123def456Open in a Space →
Delete DNS Record
@Cloudflare delete DNS record 372e6795fea7e5d72d0b1c9c9e5e5e5e from zone 023e105f4ecef8ad9ca31a8372d0c353Open in a Space →
Audit Account Access
@Cloudflare show me all members of account ID abc123def456 with their roles and email addressesOpen in a Space →
Example outputs
Illustrative - representative of the model's voice and quality, not literal recordings.
@cloudflare list all DNS records for example.com and show me which ones point to our staging environment
Found 47 DNS records in the example.com zone. 8 records appear to point to staging infrastructure: staging.example.com (A → 203.0.113.45), api-staging.example.com (CNAME → staging-lb.example.com), and 6 additional subdomains with 'staging' or 'dev' prefixes. All staging A records resolve to the 203.0.113.0/24 block. The remaining 39 records include production services, MX records, and TXT verification entries.
This example demonstrates read-only zone enumeration. Requires API token with Zone:Read permission for the target domain. Cloudflare returns paginated results for zones with hundreds of records; the MCP handles pagination automatically but may take several seconds for large zones.
@cloudflare create a new A record for beta.example.com pointing to 198.51.100.10 with proxy enabled
Created DNS record successfully. beta.example.com now resolves to 198.51.100.10 with Cloudflare proxy enabled (orange-clouded). The record ID is a3f8c2e1b4d9... and propagation typically completes within 60 seconds globally. With proxying active, visitors will connect through Cloudflare's edge network, enabling WAF protection and caching for this subdomain.
This write operation requires Zone:DNS:Edit permission and immediately modifies live DNS configuration. The 'proxy enabled' flag routes traffic through Cloudflare's CDN; disabling it exposes the origin IP directly. Always verify the target IP before creating records in production zones to avoid outages.
@cloudflare review our WAF lists across all accounts and tell me which ones haven't been updated in over 90 days
Analyzed WAF lists across 3 accessible accounts. Found 12 total lists: 4 are actively maintained (updated within 30 days), 5 were last modified 31-90 days ago, and 3 are stale (no updates in 90+ days). The stale lists are 'legacy-blocklist' (147 days), 'temp-geoblock' (203 days), and 'old-bot-ips' (312 days). None of these stale lists are currently referenced by active firewall rules, suggesting they may be safe to archive or delete.
This synthesis example combines list enumeration with AI reasoning to surface maintenance issues. Requires Account:Firewall Services:Read across multiple accounts. The MCP cannot determine business context (whether a stale list is intentionally dormant), so human review is essential before deleting lists that might be referenced in disaster recovery runbooks.
Use-case deep-dives
When Cloudflare MCP handles launch-day DNS changes
A 6-person startup is launching a new product subdomain and needs to coordinate DNS records, WAF rules, and zone setup across engineering and ops. The Cloudflare MCP wins here because it surfaces zone IDs and record creation in the same context where the team is discussing the launch checklist. One person can create the zone, another can add the DNS entries, and a third can set up the WAF list without switching to the Cloudflare dashboard or Slack-pinging for credentials. The threshold: if your launch involves more than 3 zones or complex traffic routing, the MCP's 16-tool scope starts to feel narrow—you'll want Terraform or the full API. For a single-zone launch with straightforward DNS and basic WAF setup, this MCP keeps the launch thread moving without context-switching.
Why this MCP works for fast WAF list updates
A 10-person SaaS team detects a spike in malicious traffic from a known IP range during a customer support call. The on-call engineer needs to create a WAF blocklist and add entries without leaving the incident Slack channel. The Cloudflare MCP handles this well: the create and delete WAF list tools let the engineer confirm the account ID, spin up the list, and verify no filters reference it before cleanup—all in the same AI thread where the team is triaging. The trade-off: if your incident response involves bulk IP imports (500+ entries) or cross-zone policy changes, the MCP's manual tool calls get tedious. For sub-50 IP blocklists and single-account scopes, this MCP keeps your incident response in one place.
When Cloudflare MCP simplifies account member review
A 15-person agency runs quarterly access audits to confirm which team members have Cloudflare permissions across 4 client accounts. The compliance lead needs to list account members, cross-check against the HR roster, and document findings for SOC 2. The Cloudflare MCP works here because it exposes the list accounts and list members tools in a shared workspace where the compliance lead and IT admin can review together. One person pulls the member lists, another flags the discrepancies, and the audit log lives in the same thread. The boundary: if your audit spans more than 10 accounts or requires role-level permission diffs, the MCP's output gets verbose and hard to parse. For small-to-mid client rosters with straightforward member enumeration, this MCP turns a 2-hour dashboard crawl into a 20-minute AI-assisted review.
Frequently asked
What can the Cloudflare MCP do in Switchy?
It manages your Cloudflare infrastructure — DNS records, zones, WAF lists, and account members. Your team can create or delete DNS entries, spin up new zones, configure WAF blocklists, and audit who has access to your Cloudflare account. All from Switchy's chat interface, without logging into the Cloudflare dashboard.
Do I need admin access to connect Cloudflare?
You need a Cloudflare API key with permissions matching what you want to do. Creating zones or WAF lists requires account-level write access. Read-only keys work if you only want to list DNS records or audit members. Cloudflare uses API key auth, not OAuth, so you paste the key into Switchy once during setup.
Can it update existing DNS records or only create new ones?
The MCP can create and delete DNS records but doesn't expose an update tool. To change a record, you delete the old one and create a new one with the updated values. That's a two-step operation in Switchy. If you need atomic updates, use Cloudflare's API directly or their dashboard.
Why use this instead of the Cloudflare dashboard?
Speed and context. If you're already in Switchy discussing an outage or a deploy, you can create a DNS record or check WAF lists without switching tabs. The MCP also lets you script repetitive tasks — like bulk DNS changes — in plain English. For one-off edits, the dashboard is still faster.
Who on the team should connect this MCP?
Whoever manages your Cloudflare account and has the API key. Usually that's your DevOps lead or infrastructure engineer. Once connected, anyone in the Switchy workspace can invoke the tools, so set workspace permissions carefully. The MCP doesn't count against Cloudflare's seat limits, only Switchy's.