Skip to main content

Documentation Index

Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt

Use this file to discover all available pages before exploring further.

Overview

OneCLI connects AI agents to Cloudflare so they can deploy Workers, manage DNS records, read and write KV namespaces, query D1 databases, deploy Pages sites, and interact with the full Cloudflare API. The gateway injects your API token into requests automatically.

Setup

1

Create an API token in Cloudflare

Go to the Cloudflare dashboard and click Create Token.Choose a template or create a custom token with the permissions your agents need. Common templates:
TemplatePermissionsUse case
Edit Cloudflare WorkersWorkers Scripts: Edit, Workers Routes: EditDeploying and managing Workers
Edit zone DNSDNS: EditManaging DNS records
Read All ResourcesAll zones and accounts: ReadAuditing, monitoring
CustomYou chooseFine-grained access
API tokens can be scoped to specific accounts and zones, so you can restrict what your agents can access.
2

Connect in OneCLI

Open the OneCLI dashboard, go to Connections > Cloudflare, and paste your API token.

How it works

  1. Your API token is encrypted and stored by OneCLI
  2. When an agent sends a request to api.cloudflare.com, the gateway intercepts it
  3. The gateway injects the token as an Authorization: Bearer header
  4. The request is forwarded to Cloudflare
Agents never see the raw token. The gateway handles injection transparently.

What agents can do

ServiceAPI pathExamples
Workers/client/v4/accounts/{id}/workers/scriptsDeploy scripts, manage bindings, set secrets
KV/client/v4/accounts/{id}/storage/kv/namespacesRead/write key-value pairs, list keys
D1/client/v4/accounts/{id}/d1/databaseCreate databases, run SQL queries
Pages/client/v4/accounts/{id}/pages/projectsDeploy static sites, manage projects
DNS/client/v4/zones/{id}/dns_recordsCreate, update, delete DNS records
Cache/client/v4/zones/{id}/purge_cachePurge cache by URL, tag, or everything
AI Gateway/client/v4/accounts/{id}/ai-gatewayManage AI proxy gateways
Queues/client/v4/accounts/{id}/queuesCreate queues, send messages
Zero Trust/client/v4/accounts/{id}/accessManage access policies

Use cases

  • Coding agents deploying Workers with wrangler deploy through the gateway
  • Agents managing DNS records during infrastructure provisioning
  • Reading and writing to KV stores during application workflows
  • Running D1 SQL queries for data operations
  • Deploying static sites to Cloudflare Pages

Token permissions

Cloudflare API tokens support fine-grained scoping:
  • Account level: Scope to a single account or all accounts
  • Zone level: Scope to a single zone (domain) or all zones
  • Permission groups: Combine multiple permissions (e.g., Workers Edit + DNS Read)
Create the narrowest token that covers your agents’ needs. For example, if agents only deploy Workers, use the “Edit Cloudflare Workers” template instead of a broad-access token.

Rate limits

Cloudflare enforces a global rate limit of 1,200 requests per 5-minute window per user. This applies across dashboard, API key, and API token usage combined. Use OneCLI rules to rate-limit agent requests if you need to stay well within this budget.

Controlling access with rules

Use OneCLI’s rules engine to control what agents can do:
  • Block write operations to specific API paths (e.g., block /purge_cache for read-only agents)
  • Rate limit API calls to stay within Cloudflare’s limits
  • Require manual approval for destructive operations (e.g., deleting Workers or DNS records)
Rules are evaluated before credential injection, so a blocked request never touches your API token.