How to Connect Cloudflare MCP to Claude Code (WSL Compatible)¶
Audience
- Developers using Claude Code who want to query Cloudflare data directly from the terminal
Key Points¶
- 3-File Setup Just edit config files and complete OAuth — no API keys needed
- Works on WSL Forward OAuth to Windows browser with wslview
- No Re-auth Needed Refresh tokens handle automatic renewal after initial login
What Cloudflare MCP Enables¶
You can ask Claude Code "show me the DNS records for this domain" and get Cloudflare data directly in your terminal.
Cloudflare hosts official MCP servers that use OAuth authentication, eliminating the need to manage API keys locally. As of writing, the DNS Analytics endpoint (dns-analytics.mcp.cloudflare.com) supports the following operations:
- Zone listing (List domains under the account)
- DNS report retrieval (Query counts, performance analysis)
- DNS settings reference (Account-level and zone-level)
The key benefit is that no API keys are stored locally — OAuth tokens are automatically refreshed.
Prerequisites¶
| Item | Requirement |
|---|---|
| Claude Code | Installed |
| Node.js | v20+ (npx available) |
| Cloudflare account | With at least one managed domain |
| WSL users | wslu package (wslview command) |
If you're on WSL and don't have wslview:
sudo apt install wslu
Setup Steps¶
Step 1: Create a Wrapper Script¶
Cloudflare MCP connects through an npm package called mcp-remote. Wrapping the launch command in a script keeps things manageable.
#!/bin/bash
# PATH: Change this to match your Node.js installation path
export PATH="$HOME/.nvm/versions/node/v22.19.0/bin:/usr/local/bin:/usr/bin:/bin"
export BROWSER=wslview
exec npx mcp-remote "$@"
Adjust the PATH to match your actual Node.js installation. If you're not using nvm, point to the bin directory from which node. You can also write it dynamically like this:
export PATH="$(dirname "$(which node)"):/usr/local/bin:/usr/bin:/bin"
BROWSER=wslview is only needed for WSL. Remove this line on native Linux/macOS.
Make the script executable:
chmod +x ~/.claude/mcp-cloudflare.sh
Step 2: Add to Claude Code Settings¶
Add the following cloudflare entry to the existing mcpServers object in ~/.claude/settings.json. Be careful not to overwrite the entire file.
{
"mcpServers": {
"cloudflare": {
"command": "/home/your-user/.claude/mcp-cloudflare.sh",
"args": [
"https://dns-analytics.mcp.cloudflare.com/mcp"
]
}
}
}
Use an absolute path for command — ~ is not expanded in JSON.
Change the URL in args to connect to other Cloudflare MCP endpoints. Note that while /sse (SSE transport) also works, Cloudflare officially recommends /mcp (Streamable HTTP).
Step 3: Complete OAuth Authentication¶
Restart Claude Code. The first connection triggers the OAuth flow.
Please authorize this client by visiting:
https://dns-analytics.mcp.cloudflare.com/oauth/authorize?...
Browser opened automatically.
Your Windows browser opens the Cloudflare login page. After granting permissions, you'll see:
Auth code received, resolving promise
Connected to remote server using SSEClientTransport
Proxy established successfully
If the Browser Doesn't Open on WSL¶
WSL defaults to Linux browser commands, which don't reach Windows. Setting BROWSER=wslview in Step 1 fixes this. If it still doesn't work, manually copy the authorization URL from the terminal and paste it into your browser.
The redirect target is localhost, so WSL2's port forwarding ensures the callback reaches the MCP process.
If authentication fails midway, delete the stale lock files and retry. The hash value in the directory name is generated from the endpoint URL, so the actual value depends on your environment.
# The hash part (f96b4928*) varies by environment
rm ~/.mcp-auth/mcp-remote-*/f96b4928*_lock.json
rm ~/.mcp-auth/mcp-remote-*/f96b4928*_code_verifier.txt
Token Lifetime¶
After authentication, tokens are saved to ~/.mcp-auth/.
| Token Type | Lifetime | Notes |
|---|---|---|
| access_token | 1 hour | Used for API calls |
| refresh_token | Long-lived (depends on Cloudflare config) | Auto-renews access_token |
mcp-remote handles automatic renewal via the refresh token. You typically only need to authenticate once. Re-authentication is mainly required in two cases:
- Cloudflare revokes the refresh token
- You delete the
~/.mcp-auth/directory
Summary¶
- Cloudflare MCP uses
mcp-remote+ OAuth for API-key-free connections. No local secrets means lower leak risk (OAuth tokens are stored in~/.mcp-auth/but auto-refresh/expire, reducing management cost) - On WSL, a single
BROWSER=wslviewline solves the OAuth browser forwarding problem. This technique applies to any OAuth-based MCP server - Refresh token auto-renewal means the setup is essentially maintenance-free after initial authentication