Set up Claude Managed Agents
Cloudflare provides a self-managed environment for Claude Managed Agents. The agent loop runs on the Anthropic platform, while Cloudflare provides the runtime — sandboxes, egress control, browser access, email, and custom tools — that the agent's actions execute in.
This integration ships as an open-source deployment template. Fork the repo, deploy it to your Cloudflare account, and customize it as needed.
Get Started
Deploy a Workers-based control plane that gives you:
- Two sandbox backends — Each agent can run on a full MicroVM (Containers) or a lightweight isolate (Dynamic Workers). MicroVMs give the agent a full Linux environment with bash and arbitrary processes. Isolates cold-start in milliseconds and cost a fraction of a container session.
- Private service connectivity — Connect agents to private internal services over Workers VPC and Mesh without exposing them to the public internet.
- Egress control — Run all agent traffic through customizable proxies. Inject credentials into outbound requests without the agent ever seeing them, restrict access to specific domains, or write arbitrary proxy middleware.
- Agent Email — Give each agent session its own email address for sending and receiving messages with Cloudflare Email Service.
- Browser Run tools — Give agents headless browsers powered by Browser Run for web fetches, screenshots, and CDP control. Session recordings provide an audit trail of every browser action.
- Image generation — Generate images with Workers AI.
- Custom tools — Extend agents with your own tools by adding a function definition to a single file. Tools run in the Workers runtime with access to all your bindings. No additional infrastructure required.
- Dashboard — A built-in UI for managing agents, viewing sessions, inspecting logs, and SSH-ing into running MicroVM sandboxes.
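
The egress control item above describes restricting agent traffic to specific domains and injecting credentials the agent never sees. As an added illustration (not code from the deployment template; the types, function names, hosts and token below are constructed for this example), one way to express that per-request decision in TypeScript:

```typescript
// Added illustration, not the template's API: all names, hosts and tokens are constructed.
type HeaderMap = Record<string, string>;

interface EgressPolicy {
  allowHosts: string[];            // exact hosts, or "*.suffix" for subdomains only
  inject: Map<string, HeaderMap>;  // exact host -> headers the proxy adds
}

type Decision =
  | { allow: true; url: string; headers: HeaderMap }
  | { allow: false; reason: string };

// Credential-bearing headers the sandboxed agent may not set for itself.
const STRIPPED = ["authorization", "proxy-authorization", "cookie"];

// "*.example.com" matches "a.example.com" but not "example.com" or "evil-example.com".
function hostAllowed(host: string, patterns: string[]): boolean {
  return patterns.some((p) =>
    p.startsWith("*.")
      ? host.endsWith(p.slice(1)) && host.length > p.length - 1
      : host === p);
}

function applyEgressPolicy(rawUrl: string, agentHeaders: HeaderMap, policy: EgressPolicy): Decision {
  let url: URL;
  try { url = new URL(rawUrl); } catch { return { allow: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:") return { allow: false, reason: "non-HTTPS scheme" };
  if (url.username || url.password) return { allow: false, reason: "userinfo in URL" };

  // Normalise case and the trailing root dot before comparing against the policy.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (!hostAllowed(host, policy.allowHosts)) return { allow: false, reason: "host not allowed" };

  const headers: HeaderMap = {};
  for (const [name, value] of Object.entries(agentHeaders)) {
    if (!STRIPPED.includes(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  // Secrets are keyed by exact host, so a wildcard allow entry never sends a token to a sibling host.
  for (const [name, value] of Object.entries(policy.inject.get(host) ?? {})) {
    headers[name.toLowerCase()] = value;
  }
  return { allow: true, url: url.toString(), headers };
}

// Constructed sample policy for one session.
const SAMPLE_POLICY: EgressPolicy = {
  allowHosts: ["api.example.com", "*.internal.example"],
  inject: new Map<string, HeaderMap>([["api.example.com", { Authorization: "Bearer CONSTRUCTED-TOKEN" }]]),
};
```
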
When a Claude agent starts a session, Anthropic sends a webhook to the Workers-based control plane running in your Cloudflare account. The control plane gives each session its own sandbox, routes outbound traffic through a per-session egress policy, and persists state across session sleeps.
Anthropic describes this as decoupling the brain from the hands — the agent loop runs on Anthropic (the brain), but the infrastructure for running and executing code (the hands) runs on Cloudflare.
Use a self-managed Cloudflare environment when you need:
- Control over the sandbox infrastructure your agents run in
- Secure connections to private internal services
- Custom egress policies for credential injection and domain restrictions
- Custom tools that use Cloudflare bindings (R2, D1, KV, Vectorize, and others)
- The ability to choose between MicroVM and isolate backends per agent
Follow the onboarding guide in the repository to deploy the control plane to your account. The guide walks through creating an Anthropic environment, setting secrets, provisioning storage, deploying the Worker, and configuring webhooks.
The repository includes detailed documentation on each capability:
| Topic | What it covers |
|---|---|
| Connecting to private services | Reach services in other clouds, on-prem, or on your laptop with Workers VPC bindings |
| Applying egress policies | Inject credentials and lock down agent sessions. Set up allow/deny lists, header injection, custom Worker proxies, and VPC routing |
| Isolate vs VM-based sandboxes | Pick the best agent execution environment |
| Agent email | Give agents their own email addresses and sending abilities |
| Browser rendering tools | Observable agent browser interactions with Browser Run |
| Adding custom tools | New tools are declared in a single file — src/tools/custom-tools.ts |
| Customizing sandboxes | Change Dockerfile and instance_type knobs for the MicroVM backend |
| Snapshots and state persistence | State persistence across both sandbox types |
| Architecture | Request lifecycle from webhook ingress through dispatch to either sandbox backend, and every Worker binding the control plane uses |
| Securing access | Secure access to the CMA control plane |