Cloudflare Api Key
Cloudflare provides a suite of services to enhance the security, performance, and reliability of websites and applications.
Verdict
Common use cases
- Add DNS records during site migrations
- Audit firewall rules after security incidents
- Delete stale zones in bulk cleanups
- Configure Zone Lockdown for staging environments
- Troubleshoot DNSSEC misconfigurations with team
Integration
- Vendor
- Cloudflare Api Key
- Category
- other
- Auth
- API_KEY
- Tools
- 24
- Composio slug
cloudflare_api_key
Tools
- Create DNS Record
Tool to create a new DNS record in a Cloudflare zone. Use when you need to add a record (A, CNAME, TXT, MX, etc.) to a specified zone.
- Create Rule in Ruleset
Tool to add a rule to an existing ruleset. Use when you need to append or insert a new rule in a Cloudflare ruleset.
- Create Ruleset
Tool to create an account- or zone-scoped ruleset. Use after defining your ruleset details and selecting the correct scope.
- Create Zone Lockdown Rule
Tool to create a Zone Lockdown rule. Use when you need to restrict access to specific URL patterns to defined IPs/CIDR ranges. Use after confirming zone_id.
- Delete a zonedestructive
Tool to delete an existing zone. Use after confirming the zone_id to permanently remove the zone.
- Delete DNS Recorddestructive
Tool to delete a DNS record. Use when you need to remove a specific DNS record from a zone after confirming both zone and record IDs.
- Delete DNSSECdestructive
Tool to delete DNSSEC records for a zone. Use after disabling DNSSEC at the registrar to remove DNSSEC configuration.
- Delete Rule from Rulesetdestructive
Tool to delete a specific rule from a ruleset. Use when you need to remove an outdated or incorrect rule from an account or zone ruleset after confirming IDs.
- Delete Rulesetdestructive
Tool to delete all versions of a ruleset. Use when you need to remove a ruleset from an account or zone after confirming no references exist.
- Get Entrypoint Ruleset Version
Tool to get a specific version of an entry point ruleset. Use after determining the ruleset phase and version.
- Get Lockdown Rule
Tool to get a Zone Lockdown rule. Use when you need to fetch details of a specific lockdown rule by its ID within a Cloudflare zone.
- Get Regional Tiered Cache
Tool to get the regional tiered cache setting for a zone. Use when you need to verify if regional tiered cache is enabled for performance optimization after zone activation.
- Get Ruleset
Tool to fetch the latest version of a ruleset by ID. Use after you have the ruleset scope and ID.
- Get Zone Details
Tool to get details for a specific zone. Use when you need detailed zone metadata by ID.
- List Cloudflare Zones
Tool to list, search, sort, and filter Cloudflare zones. Use when you need to retrieve a paginated list of zones available to the authenticated user.
- List DNS Records
Tool to list DNS records for a given Cloudflare zone.
- Overwrite DNS Record
Tool to completely overwrite a DNS record. Use when you need to replace all record details after confirming record type and name.
- Rerun Zone Activation Check
Tool to trigger a new activation check for a PENDING zone. Use after initial zone creation to revalidate DNS activation. Limited rate: every 5 minutes on paygo/Enterprise or hourly on Free.
- Update Cloudflare Zone
Tool to edit a Cloudflare zone. Use when you need to update a single zone property at a time. Ensure only one of paused, type, or vanity_name_servers is provided per call.
- Update DNSSEC Status
Tool to update DNSSEC configuration for a zone. Use when you need to enable or disable DNSSEC or adjust DNSSEC options after confirming the zone ID.
- Update Lockdown Rule
Tool to update a zone lockdown rule. Use when you need to modify the IP or URL settings of an existing Zone Lockdown rule after confirming the rule exists.
- Update Rule in Ruleset
Tool to update a specific rule in a ruleset. Use when you need to modify a rule's configuration or reorder it after reviewing its current settings.
- Update Ruleset
Tool to update a Cloudflare ruleset, creating a new version. Use when you need to modify ruleset description or rules list.
- Upload File to S3
Tool to upload arbitrary file content to the app’s temporary R2/S3 bucket. Use when you need to stage files for actions requiring FileUploadable.
Setup
Setup guide
- 11. In Switchy, open your workspace settings and navigate to the Integrations tab. 2. Search for 'Cloudflare API Key' and click Connect. 3. Log into your Cloudflare account, go to My Profile > API Tokens, and copy your Global API Key (or create a scoped API token with Zone:Read and Zone:Edit permissions at minimum). 4. Paste the API key into Switchy's connection dialog along with your Cloudflare account email. 5. Click Authorize to complete the connection. 6. Open any Space, type '@Cloudflare' in a message, and try a command like 'list DNS records for example.com' to confirm the integration responds. 7. If a tool fails, check your API token's scopes — some operations (like deleting zones or managing rulesets) require Account-level permissions beyond basic Zone access.
What teammates see: by default, memories from Cloudflare Api Key are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.
Works well with
Top models
Compatibility data appears once enough Spaces have used this MCP together with a given model.
How Switchy teams use it
Starter prompts
List All DNS Records
@Cloudflare list all DNS records for example.com and show their types, values, and TTLs in a tableOpen in a Space →
Create A Record
@Cloudflare create an A record for staging.example.com pointing to 203.0.113.42 with TTL 300 and proxy disabledOpen in a Space →
Check Ruleset Rules
@Cloudflare show me all rules in the zone-level firewall ruleset for example.com, including their actions and expressionsOpen in a Space →
Add Zone Lockdown Rule
@Cloudflare create a Zone Lockdown rule for example.com/admin/* allowing only 198.51.100.0/24 and describe the rule after creationOpen in a Space →
Delete Unused DNS Record
@Cloudflare delete the DNS record for old-app.example.com from the zone and confirm it's goneOpen in a Space →
Example outputs
Illustrative - representative of the model's voice and quality, not literal recordings.
@Cloudflare Api Key list all DNS records for example.com and show me which ones point to our old staging server at 203.0.113.45
Found 12 DNS records in the example.com zone. Three records currently point to 203.0.113.45: staging.example.com (A record), api-staging.example.com (A record), and test.example.com (CNAME → staging.example.com). The remaining records point to your production infrastructure at 198.51.100.10 or use Cloudflare's proxy. All three staging records were last modified 8 months ago.
This example demonstrates read-only DNS querying across a zone. The MCP requires zone:read scope and returns record metadata including type, content, TTL, and proxy status. Useful for auditing infrastructure before migrations, but won't show records from zones outside your API key's account access.
@Cloudflare Api Key create a new A record for beta.example.com pointing to 198.51.100.25 with proxying enabled and TTL set to auto
Successfully created DNS record for beta.example.com. Record ID: f1a2b3c4d5e6f7g8. Configuration: Type A, content 198.51.100.25, proxied through Cloudflare (orange-clouded), TTL automatic. The record is now active and will resolve globally within 1-2 minutes as DNS propagates. Cloudflare's WAF and DDoS protection are active for this hostname.
This write operation creates infrastructure changes immediately. The MCP requires zone:dns_records:edit scope. Be cautious: creating duplicate records or misconfiguring proxy settings can cause outages. Always verify zone_id before running creation commands, and consider testing in a staging zone first if your API key has access to multiple zones.
@Cloudflare Api Key review all active Zone Lockdown rules across my zones and tell me if any are blocking our new office IP range 203.0.113.0/24
Scanned 4 zones with Zone Lockdown rules enabled. Found a potential conflict in example.com: rule 'Admin Panel Protection' restricts /wp-admin/* to IP ranges 198.51.100.0/24 and 192.0.2.50/32, which excludes your new office range 203.0.113.0/24. The other three zones (staging.example.com, api.example.com, docs.example.com) have no lockdown rules that would block the new range. Recommend updating the example.com rule to include 203.0.113.0/24 before your team moves to the new office.
This synthesis example pairs the MCP's ruleset-reading capability with AI reasoning to identify access control gaps. Requires zone:read and firewall:read scopes across multiple zones. The analysis is only as complete as your API key's zone access—if the key doesn't cover all account zones, blind spots will exist in the security audit.
Use-case deep-dives
When this MCP saves you from launch-day DNS panic
A 6-person startup is launching a new product subdomain and needs to coordinate DNS records, WAF rules, and SSL in a 2-hour window. The Cloudflare MCP is the right call here because it lets your ops lead script the entire cutover sequence in a single AI conversation—create the A record, add the WAF ruleset, verify DNSSEC—without context-switching to the Cloudflare dashboard. The 24-tool scope covers the full DNS-to-security stack, so you're not stuck halfway through. This breaks down if you're managing more than 5 zones at once; the MCP doesn't batch well across accounts, and you'll spend more time confirming zone IDs than you save. If your launch is a single zone with a clear checklist, this MCP turns a 90-minute manual process into a 15-minute AI-assisted run.
Why this MCP matters when you need IP restrictions fast
Your 3-person SaaS team gets a midnight alert that a staging endpoint is being scraped. You need to lock it down to office IPs immediately, then audit what other endpoints are exposed. The Cloudflare MCP is built for this: the Create Zone Lockdown Rule and Create Rule in Ruleset tools let you describe the restriction in plain language and apply it in under 2 minutes, no dashboard hunting required. The API key auth means your on-call engineer doesn't need to fumble with OAuth flows at 2 AM. This stops being the right tool if you're locking down more than 10 endpoints in one go—the MCP doesn't surface bulk operations well, and you'll want Terraform instead. For emergency triage on a handful of URLs, this MCP is faster than opening the Cloudflare console.
When this MCP streamlines agency DNS setup
A 4-person dev shop onboards 2-3 new clients a month, each needing a fresh Cloudflare zone, DNS records for their staging and prod environments, and basic WAF rules. The Cloudflare MCP is the right fit because it collapses the 20-minute per-client setup into a 5-minute AI conversation: create the zone, add the records, configure the ruleset, done. The Delete DNS Record and Delete a zone tools also mean you can clean up test configs without leaving the chat. This starts to fall apart if your clients need custom Page Rules or Workers—the MCP's 24 tools skew toward DNS and rulesets, not the full Cloudflare product suite. If your onboarding is DNS-heavy and you're doing it repetitively, this MCP cuts the busywork and keeps your team in flow.
Frequently asked
What can the Cloudflare MCP do in Switchy?
It manages your Cloudflare infrastructure through AI prompts — creating and deleting DNS records, configuring rulesets for WAF or rate limiting, setting up Zone Lockdown rules, and managing DNSSEC. You can ask the AI to add a CNAME, block an IP range, or delete a zone without touching the Cloudflare dashboard. It's useful for teams that want to script infrastructure changes conversationally instead of clicking through the UI.
Do I need a Cloudflare API key with full account access?
Yes. The MCP uses an API key, not OAuth, so you'll generate a token in your Cloudflare account settings. You should scope it to the specific zones and permissions you need — the MCP can create and delete DNS records, modify rulesets, and delete entire zones, so don't use an unrestricted key. If your team shares one Switchy workspace, consider a service account token rather than a personal one.
Can it deploy Workers or manage R2 buckets?
No. This MCP focuses on DNS, security rulesets, and zone-level configuration. It won't deploy Workers, manage R2 storage, or configure Stream or Images. For those, you'd still use Cloudflare's CLI, API directly, or Wrangler. The MCP is best for infrastructure tasks you'd normally do in the DNS or Firewall tabs of the dashboard.
Why use this instead of the Cloudflare dashboard or Terraform?
Use the MCP when you want to make quick changes through conversation — "add a TXT record for domain verification" or "block this IP in the staging zone". It's faster than clicking through the dashboard for one-off tasks. For repeatable infrastructure-as-code, Terraform is still better. The MCP sits between ad-hoc dashboard clicks and formal IaC — good for exploratory work or urgent fixes.
Who on the team should connect this MCP?
Whoever manages your Cloudflare account and understands zone structure. The MCP can delete zones and DNS records, so don't connect it with a junior account's credentials. In Switchy, any workspace member can invoke the tools once connected, so treat the API key like production access. If multiple people need it, use a shared service account token with scoped permissions.