# Cloudflare Integration: DNS & Workers for Agents

> Agents can manage DNS records, deploy Workers, and configure page rules. API tokens are injected at the gateway.

## Overview

OneCLI connects AI agents to Cloudflare so they can deploy Workers, manage DNS records, read and write KV namespaces, query D1 databases, deploy Pages sites, and interact with the full Cloudflare API. The gateway injects your API token into requests automatically.

## Setup

<Steps>
  <Step title="Create an API token in Cloudflare">
    Go to the [Cloudflare dashboard](https://dash.cloudflare.com/profile/api-tokens) and click **Create Token**.

    Choose a template or create a custom token with the permissions your agents need. Common templates:

    | Template                    | Permissions                                 | Use case                       |
    | --------------------------- | ------------------------------------------- | ------------------------------ |
    | **Edit Cloudflare Workers** | Workers Scripts: Edit, Workers Routes: Edit | Deploying and managing Workers |
    | **Edit zone DNS**           | DNS: Edit                                   | Managing DNS records           |
    | **Read All Resources**      | All zones and accounts: Read                | Auditing, monitoring           |
    | **Custom**                  | You choose                                  | Fine-grained access            |

    API tokens can be scoped to specific accounts and zones, so you can restrict what your agents can access.
  </Step>

  <Step title="Connect in OneCLI">
    Open the OneCLI dashboard, go to **Connections** > **Cloudflare**, and paste your API token.
  </Step>
</Steps>

## How it works

1. Your API token is encrypted and stored by OneCLI
2. When an agent sends a request to `api.cloudflare.com`, the gateway intercepts it
3. The gateway injects the token as an `Authorization: Bearer` header
4. The request is forwarded to Cloudflare

Agents never see the raw token. The gateway handles injection transparently.

## What agents can do

| Service        | API path                                         | Examples                                     |
| -------------- | ------------------------------------------------ | -------------------------------------------- |
| **Workers**    | `/client/v4/accounts/{id}/workers/scripts`       | Deploy scripts, manage bindings, set secrets |
| **KV**         | `/client/v4/accounts/{id}/storage/kv/namespaces` | Read/write key-value pairs, list keys        |
| **D1**         | `/client/v4/accounts/{id}/d1/database`           | Create databases, run SQL queries            |
| **Pages**      | `/client/v4/accounts/{id}/pages/projects`        | Deploy static sites, manage projects         |
| **DNS**        | `/client/v4/zones/{id}/dns_records`              | Create, update, delete DNS records           |
| **Cache**      | `/client/v4/zones/{id}/purge_cache`              | Purge cache by URL, tag, or everything       |
| **AI Gateway** | `/client/v4/accounts/{id}/ai-gateway`            | Manage AI proxy gateways                     |
| **Queues**     | `/client/v4/accounts/{id}/queues`                | Create queues, send messages                 |
| **Zero Trust** | `/client/v4/accounts/{id}/access`                | Manage access policies                       |

## Use cases

* Coding agents deploying Workers with `wrangler deploy` through the gateway
* Agents managing DNS records during infrastructure provisioning
* Reading and writing to KV stores during application workflows
* Running D1 SQL queries for data operations
* Deploying static sites to Cloudflare Pages

## Token permissions

Cloudflare API tokens support fine-grained scoping:

* **Account level**: Scope to a single account or all accounts
* **Zone level**: Scope to a single zone (domain) or all zones
* **Permission groups**: Combine multiple permissions (e.g., Workers Edit + DNS Read)

Create the narrowest token that covers your agents' needs. For example, if agents only deploy Workers, use the "Edit Cloudflare Workers" template instead of a broad-access token.
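One way to check a token against this advice before pasting it into OneCLI. This is an added example, not OneCLI or Cloudflare code. It assumes the token JSON has the `policies` / `resources` / `permission_groups` / `expires_on` shape returned by Cloudflare's token API; the sample token, the zone ID, and the `needed` set are constructed.

```python
# Constructed sample: one specific zone plus an all-zones wildcard, two groups.
SAMPLE_TOKEN = {
    "name": "agent-dns",
    "policies": [{
        "effect": "allow",
        "resources": {
            "com.cloudflare.api.account.zone.00000000000000000000000000000001": "*",
            "com.cloudflare.api.account.zone.*": "*",
        },
        "permission_groups": [
            {"name": "DNS Write"},
            {"name": "Workers Scripts Write"},
        ],
    }],
}

def audit_token(token, needed):
    """Return findings where the token is broader than `needed` permission groups."""
    findings = []

    def walk(resources):
        # Resource keys ending in ".*" cover every account or every zone.
        for key, value in resources.items():
            if key.endswith(".*"):
                findings.append(f"wildcard resource: {key}")
            if isinstance(value, dict):  # nested account -> zone scoping
                walk(value)

    for policy in token.get("policies", []):
        if policy.get("effect") != "allow":
            continue
        walk(policy.get("resources", {}))
        for group in policy.get("permission_groups", []):
            if group["name"] not in needed:
                findings.append(f"unneeded permission group: {group['name']}")
    if not token.get("expires_on"):
        findings.append("no expires_on set")
    return findings

if __name__ == "__main__":
    # An agent that only manages DNS needs a single permission group.
    for finding in audit_token(SAMPLE_TOKEN, needed={"DNS Write"}):
        print(finding)
```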

## Rate limits

Cloudflare enforces a global rate limit of 1,200 requests per 5-minute window per user. This applies across dashboard, API key, and API token usage combined. Use OneCLI [rules](/guides/rules) to rate-limit agent requests if you need to stay well within this budget.

## Controlling access with rules

Use OneCLI's [rules engine](/guides/rules) to control what agents can do:

* Block write operations to specific API paths (e.g., block `/purge_cache` for read-only agents)
* Rate limit API calls to stay within Cloudflare's limits
* Require manual approval for destructive operations (e.g., deleting Workers or DNS records)

Rules are evaluated before credential injection, so a blocked request never touches your API token.
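The ordering described above (rules, then rate limit, then credential injection) as a small model. This is an added example, not OneCLI's implementation or rule syntax: the `Gateway` class, the rule table, and the stripping of any agent-supplied `Authorization` header are assumptions made for illustration.

```python
import time
from collections import deque

WINDOW_S, BUDGET = 300, 1200  # from the page: 1,200 requests per 5-minute window
WRITE = {"POST", "PUT", "PATCH", "DELETE"}

# Hypothetical rule table (not OneCLI rule syntax); first match wins.
RULES = [
    {"methods": WRITE, "fragment": "/purge_cache", "action": "block"},
    {"methods": {"DELETE"}, "fragment": "/dns_records", "action": "approve"},
    {"methods": {"DELETE"}, "fragment": "/workers/scripts", "action": "approve"},
]

class Gateway:
    def __init__(self, token, budget=BUDGET, clock=time.monotonic):
        self._token, self._budget, self._clock = token, budget, clock
        self._sent = deque()  # timestamps of requests actually forwarded

    def _decide(self, method, path):
        for rule in RULES:
            if method in rule["methods"] and rule["fragment"] in path:
                return rule["action"]
        return "allow"

    def handle(self, method, path, headers, approved=False):
        """Return (verdict, outbound_headers); headers are None unless forwarded."""
        action = self._decide(method.upper(), path)
        if action == "block":
            return "blocked", None          # token was never read
        if action == "approve" and not approved:
            return "needs_approval", None   # held for a human decision
        now = self._clock()
        while self._sent and now - self._sent[0] >= WINDOW_S:
            self._sent.popleft()            # drop entries outside the window
        if len(self._sent) >= self._budget:
            return "rate_limited", None
        self._sent.append(now)
        # Injection is the last step. Assumption: any Authorization header the
        # agent supplied is discarded so only the stored token reaches Cloudflare.
        out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        out["Authorization"] = f"Bearer {self._token}"
        return "forwarded", out
```

Blocked, held, and rate-limited requests return no outbound headers at all, which is the property the last sentence of this section describes.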
