API Reference

Zero Trust

Access

AI Controls

Mcp

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Servers

List MCP Servers

GET/accounts/{account_id}/access/ai-controls/mcp/servers

Create a new MCP Server

POST/accounts/{account_id}/access/ai-controls/mcp/servers

Read the details of a MCP Server

GET/accounts/{account_id}/access/ai-controls/mcp/servers/{id}

Update a MCP Server

PUT/accounts/{account_id}/access/ai-controls/mcp/servers/{id}

Delete a MCP Server

DELETE/accounts/{account_id}/access/ai-controls/mcp/servers/{id}

Sync MCP Server Capabilities

POST/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync

ModelsExpand Collapse

ServerListResponse object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

name: string

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

error_details: optional object { cause, is_upstream, mcp_code, 2 more }

cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Operators manage this internal rollout flag through admin endpoints. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

updated_tools: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

ServerCreateResponse object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

name: string

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

error_details: optional object { cause, is_upstream, mcp_code, 2 more }

cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Operators manage this internal rollout flag through admin endpoints. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

updated_tools: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

ServerReadResponse object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

name: string

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

error_details: optional object { cause, is_upstream, mcp_code, 2 more }

cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Operators manage this internal rollout flag through admin endpoints. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

updated_tools: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

ServerUpdateResponse object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

name: string

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

error_details: optional object { cause, is_upstream, mcp_code, 2 more }

cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Operators manage this internal rollout flag through admin endpoints. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

updated_tools: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

ServerDeleteResponse object { id, auth_type, hostname, 16 more }

id: string

server id

maxLength32

minLength1

auth_type: "oauth" or "bearer" or "unauthenticated"

One of the following:

"oauth"

"bearer"

"unauthenticated"

hostname: string

formaturi

name: string

maxLength350

prompts: array of map[unknown]

tools: array of map[unknown]

created_at: optional string

formatdate-time

created_by: optional string

description: optional string

maxLength512

error: optional string

error_details: optional object { cause, is_upstream, mcp_code, 2 more }

cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Operators manage this internal rollout flag through admin endpoints. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string

formatdate-time

last_synced: optional string

formatdate-time

modified_at: optional string

formatdate-time

modified_by: optional string

status: optional string

updated_prompts: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

updated_tools: optional array of object { name, alias, description, enabled }

name: string

alias: optional string

maxLength40

description: optional string

enabled: optional boolean

ServerSyncResponse object { error, error_details, status }

error: optional string

error_details: optional object { cause, is_upstream, mcp_code, 2 more }

cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

status: optional string