Cloudflare admin tools for your MCP client. No API tokens.
A team-shared MCP server for Cloudflare admin work. You log in with your own Cloudflare account via OAuth; every tool call runs under your identity, with your permissions, attributed to you in Cloudflare's audit logs.
connect
Add this URL to your MCP client (Claude Code, Claude.ai, Cursor, ...):
https://cf.ophelos.ai/mcpFor Claude Code:
claude mcp add --transport http cloudflare https://cf.ophelos.ai/mcpOn first use your client opens a browser window: approve the connection, then sign in to Cloudflare and consent. You must be a member of the Ophelos Cloudflare account (the OAuth client is private to it).
what you get
- Named tools for accounts, zones, DNS records, Workers, KV, R2, D1 and cache purge.
cf_apipassthrough for everything else the Cloudflare API can do.- Your permissions, not shared ones - a read-only member cannot delete zones through this server, whatever scopes the server requests.
- Destructive calls need
confirm: true- deletes and purges refuse to run without it.
how it works
The Worker sits between two OAuth legs and stores no static credentials. Your MCP client authenticates to the Worker (OAuth #1); the Worker forwards you to Cloudflare's consent screen (OAuth #2) and keeps a per-user, short-lived, refreshable token. Revoke it any time from the Cloudflare dashboard.