Cloudflare DNS, callable from Claude. Edge-fast ops, zero dashboard.
Authwright is the MCP server that drives your Cloudflare DNS, SSL, and zone management directly from your editor. Diff before write. Snapshot before edit. Every API call typed end-to-end. No more "let me just check the dashboard real quick."
A real Cloudflare implementation. Talks to the Cloudflare v4 API directly. Origin CA, zone ID resolution, scoped tokens — all of it.
add CNAME api.acme.com → svc.fly.dev, TTL auto
zone_id resolved · acme.com
dns_changeset_preview · 1 add, 0 del
apply
record live · txn_8a31f2c4
- GoDaddy
- Namecheap (Early)
- Cloudflare
- Porkbun (Early)
- Route 53 (Early)
THE DNS TAB
Cloudflare's dashboard is fine. You just don't want to be in it.
You picked Cloudflare for the DNS speed and the developer-respecting API. The dashboard is competent — but it's still a dashboard. You're still clicking through a zone list to find the one record you want to edit. You're still copy-pasting the validation TXT for a certificate. You're still wondering whether the proof you just added is for the right zone.
Terraform is one answer. It works, until you need an interactive edit. The CLI is another. It works, until you need to remember its eight subcommands. Authwright is a third: an MCP server that turns the Cloudflare API into something you tell Claude to do.
“The dashboard was always meant to be a fallback. With MCP, you almost never need it.”
42 TOOLS, ONE MCP SESSION
Cloudflare DNS, SSL, and zone ops — type once, ship.
42 MCP tools wired to the Cloudflare v4 API, callable from any MCP-compatible AI client.
- list_records(): Any zone, by type, by name, or by tag — with pagination handled.
- dns_changeset(): Add, update, replace, delete records. dns_changeset_preview returns the diff before the write.
- origin_ca(): List, get, revoke, delete Origin CA certificates. zone_id resolution cached so you call by domain.
- dnssec(): Toggle at zone level. Standard CF1 flow handled cleanly.
- zone_snapshot(): Snapshot a zone before a risky migration; restore from snapshot if something goes wrong.
- health_score(): 0-100 score on expiry, DNSSEC, SSL, MX, SPF, DKIM, DMARC, MTA-STS, BIMI, nameserver drift.
- email_auth(): And — if you want — DMARC / SPF / DKIM / MTA-STS in one call without leaving your editor.
You stay in your editor. The Cloudflare dashboard becomes the place you visit twice a year.
MCP, not SaaS
If your team lives in Claude, Cursor, or ChatGPT, this is the tool your stack was missing.
Every other DMARC vendor shipped a web dashboard in 2019 and never looked up. Authwright is built as a Model Context Protocol server — which means it's callable directly from the AI environments your operators already use.
A tech in Cursor can resolve a deliverability ticket without opening a browser tab. A founder in Claude can onboard a new client domain in a single prompt.
This is not a wrapper around someone else's API. It's a first-class MCP server designed for the way technical teams actually work in 2026.
> Set up DMARC on acme.com with a reject policy.
Lookup calling email_auth_wizard...
[ok] diagnose - score 32/100
[ok] propose - 4 changes (SPF, DKIM, DMARC, MTA-STS)
[ok] apply - GoDaddy adapter, snapshot saved
[ok] host - mta-sts.acme.com live
[ok] propagation - 8/8 resolvers
[ok] re-diagnose - score 94/100
Email EasyPass complete in 47s.
What makes it different
Four things wrangler and Terraform won't do for you.
- 01 DIFF
Diff before write, every time.
dns_changeset_preview returns exactly the set of records that will be added, modified, and deleted. No "apply" surprises. No "run the plan, hope for the best."
- 02 ZONE_CERT
Zone-aware certificate ops.
Cloudflare's Origin CA endpoints require ?zone_id=X on cert operations. We resolve and cache the zone ID per domain so you never see a code=1012. Just call by domain.
- 03 ROLLBACK
Snapshot-and-rollback for zones.
Every DNS change carries a rollback point. You're not relying on Terraform state files or git history — the rollback is a single call.
- 04 REGISTRAR
Every registrar, one tool surface.
The same replace_dns_records works on GoDaddy, Namecheap, Porkbun, and Route 53. Multi-registrar zone migration is now boring.
How a pilot works
Two weeks. Your own domains. No contract.
- 01
Day 0: You sign up.
Email + password, or SSO. No card. No call. The free tier covers one account end-to-end so you can prove the value before you spend a dollar.
- 02
Day 1–3: You wire up MCP.
Drop one config block into Claude Desktop / Cursor / Windsurf. Add a scoped API token. Type your first sentence.
- 03
Day 4–14: You run your own Cloudflare zones.
Authorize Authwright on as many of your own domains as your tier covers. Start with one. Scale to all of them. We sit on Slack if you want it.
- 04
Day 14: Convert or walk.
No contract, no hooks. If it didn't earn its keep, you keep the snapshots and walk. If it did, pick a tier.
Pricing
Priced for the way developers actually work.
Per-account pricing, not per-seat. Same tools, same pricing, every registrar.
Free public audit
Not ready to sign up? Audit a domain in 30 seconds.
Drop any domain into our free checker. We'll show you the current DMARC posture, SPF lookup count, DKIM selector status, MTA-STS presence, and a grade against the current Gmail and Yahoo requirements. No login. No email gate. No upsell pop-up.
FAQ
Questions Cloudflare developers actually ask.
Technically accurate against the broker's capability matrix. If something is unsupported today, we say so here.
Q1. What kind of token does Authwright need?
- A scoped API token with Zone:Read, DNS:Edit, and (if you want cert ops) SSL and Certificates:Edit at the zone scope you care about. Account-level tokens work too. We never request global tokens.
Q2. How does this compare to Terraform's cloudflare provider?
- Terraform is the right answer for declarative, audited, peer-reviewed infrastructure changes. Authwright is the right answer for the interactive 80% — the "add a CNAME real quick" moves nobody is going to PR. Run both.
Q3. Cloudflare's API has zone_id everywhere. Do I need to track it?
- No. Authwright resolves and caches the zone ID per domain inside the broker. You call by hostname.
Q4. What about R2, Workers, Pages, Access?
- v1 covers DNS, SSL/Origin CA, and zone-level operations. Workers and the rest of the developer-platform surface are on the roadmap.
Q5. Can I script bulk operations across all my zones?
- portfolio_analysis returns every zone you have access to with a structured inventory; bulk_update_dns operates on a filtered subset. The bulk tools batch internally so you don't manage pagination.
Q6. How are the writes atomic?
- DNS changes are issued per-record against the v4 API. We snapshot the zone state before the changeset so a partial failure is recoverable. We do not pretend the underlying API has multi-record transactions.
Q7. Can I use this from a shell script, not just Claude?
- MCP is the front door, but the underlying tools are HTTP — anything that speaks MCP works (Claude Desktop, Claude Code, Cursor, Windsurf). Headless scripting through an SDK is on the roadmap.
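The diff-before-write and snapshot-before-changeset behaviour described on this page (per-record writes, no multi-record transactions), modelled as an added example. This is not Authwright's code and it calls no Cloudflare API: the in-memory zone, the record values, and the names preview, apply_changeset, memory_write and failing_after are assumptions made for illustration.

```python
import copy

# Constructed sample zone, keyed by (type, name). Values are illustrative only.
ZONE = {("A", "acme.com"): "192.0.2.10",
        ("TXT", "acme.com"): "v=spf1 -all"}
DESIRED = {("A", "acme.com"): "192.0.2.20",
           ("CNAME", "api.acme.com"): "svc.fly.dev"}

def preview(current, desired):
    """Compute the changeset without writing anything."""
    return {
        "add": {k: v for k, v in desired.items() if k not in current},
        "modify": {k: (current[k], v) for k, v in desired.items()
                   if k in current and current[k] != v},
        "delete": {k: v for k, v in current.items() if k not in desired},
    }

def memory_write(zone, key, value):
    """Hypothetical stand-in for one per-record API call; None means delete."""
    if value is None:
        zone.pop(key, None)
    else:
        zone[key] = value

def failing_after(n):
    """Writer that succeeds n times, then raises (simulated partial failure)."""
    calls = {"n": 0}
    def write(zone, key, value):
        calls["n"] += 1
        if calls["n"] > n:
            raise RuntimeError("simulated API error on write %d" % calls["n"])
        memory_write(zone, key, value)
    return write

def apply_changeset(zone, desired, write=memory_write):
    """Snapshot first, write record by record, restore the snapshot on error."""
    snapshot = copy.deepcopy(zone)
    diff = preview(zone, desired)
    ops = [(k, None) for k in diff["delete"]]
    ops += [(k, new) for k, (_, new) in diff["modify"].items()]
    ops += list(diff["add"].items())
    try:
        for key, value in ops:
            write(zone, key, value)
    except RuntimeError as exc:
        zone.clear()
        zone.update(snapshot)  # rollback: zone matches the pre-change state
        return {"applied": False, "error": str(exc), "diff": diff}
    return {"applied": True, "error": None, "diff": diff}
```

Against a live API the restore step is itself a series of per-record writes and can fail too, so the snapshot should be persisted before the first write rather than held only in memory.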
Pilot
Try it on your own zones.
Tell us about your setup; we'll reply within one business day.
Already convinced? Skip the form and start free.