This guide walks you through every step needed to go from a fresh clone to a live MCP endpoint that an AI client such as ChatGPT can reach and authenticate against. By the end you will have a Cloudflare Worker running on your account with a bound R2 bucket, GitHub OAuth protecting theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/cloudflare-r2-remote-mcp-worker/llms.txt
Use this file to discover all available pages before exploring further.
/mcp route, and a verified connection from an MCP client.
Prerequisites
Before you begin, make sure you have the following:- Node.js 20 or newer — required by Wrangler and the project’s build toolchain
- Wrangler 4 — the Cloudflare Workers CLI (
npm install -g wrangler) - Cloudflare account with R2 enabled — R2 must be active on your account (free tier is sufficient for getting started)
- GitHub account — used to create the OAuth App that gates MCP access
Setup steps
Install dependencies and log in to Cloudflare
Install the project’s Node.js dependencies, then authenticate Wrangler with your Cloudflare account.Wrangler will open a browser window. Approve the access request for your Cloudflare account. Wrangler stores credentials locally so subsequent commands run without prompting.
Create R2 buckets
Create one bucket for production and one for Wrangler’s local preview environment. Replace the placeholder names with names that suit your project.
The preview bucket is only used by
wrangler dev. It keeps local development writes isolated from your production bucket.Configure wrangler.jsonc
Copy the example configuration file, then edit it with your bucket names and GitHub login.Open The fields you must change are:
wrangler.jsonc and update these values:| Field | What to set |
|---|---|
r2_buckets[0].bucket_name | Your production R2 bucket name |
r2_buckets[0].preview_bucket_name | Your preview R2 bucket name |
vars.R2_BUCKET_NAME | Same value as bucket_name above |
vars.ALLOWED_GITHUB_LOGINS | Your GitHub username (comma-separated for multiple) |
vars.AUTH_MODE | github for production; none for local dev only |
Set up local development variables
Copy the example local dev vars file. This file is used by The example file contains:Do not commit
wrangler dev and is not deployed to Cloudflare.The
.dev.vars.example file sets AUTH_MODE=none so you can reach the local /mcp endpoint without completing an OAuth flow. Never use AUTH_MODE=none on a deployed Worker URL unless the Worker is protected by another access control layer such as Cloudflare Access..dev.vars—it is already listed in .gitignore.Create the OAuth KV namespace
The Worker stores OAuth session state in a Cloudflare KV namespace. Create one with Wrangler:Wrangler prints output similar to:Copy the
id value and paste it into the kv_namespaces entry in your wrangler.jsonc:Create a GitHub OAuth App
The Worker uses a GitHub OAuth App to verify the identity of whoever connects to the MCP endpoint.
- Go to GitHub → Settings → Developer settings → OAuth Apps → New OAuth App.
-
Fill in the form:
Field Value Application name Any name (e.g. My R2 MCP Worker)Homepage URL https://<worker-name>.<account-subdomain>.workers.devAuthorization callback URL https://<worker-name>.<account-subdomain>.workers.dev/callback - Click Register application.
- On the app page, note the Client ID.
- Click Generate a new client secret and copy the secret immediately—it is only shown once.
/callback endpoint on your deployed Worker. Replace <worker-name> with the value of name in your wrangler.jsonc and <account-subdomain> with your Cloudflare Workers subdomain.See GitHub OAuth setup for detailed instructions and screenshots.Set Worker secrets
Push the GitHub OAuth credentials and a cookie encryption key to Cloudflare as Worker secrets. Secrets are encrypted at rest and never appear in your Each command prompts you to paste the value. For
wrangler.jsonc.COOKIE_ENCRYPTION_KEY, generate at least 32 random bytes. A quick way using Node.js:Deploy the Worker
Build and publish the Worker to Cloudflare:Wrangler compiles the TypeScript source, bundles it, and uploads the Worker. On success it prints your Worker URL:Your MCP endpoint is now live at:
Connect ChatGPT (or another MCP client)
With the Worker deployed, add it as a custom MCP connector in ChatGPT:
- In ChatGPT, open Settings → Connectors → Add connector.
- Enter the MCP URL:
- Set Auth to OAuth.
- Complete the GitHub authorization flow. Use a GitHub login that is listed in
ALLOWED_GITHUB_LOGINS. - After authorization, refresh the connector and confirm that tools such as
r2_object_listappear.
What’s next
You now have a deployed, OAuth-protected MCP server connected to your R2 bucket. From here you can:- Read the full deployment guide for production hardening options such as
R2_ROOT_PREFIX, size limits, and optional tool groups. - Review the authentication overview to understand how to manage allowed logins and rotate secrets.
- Explore the tools reference for a complete list of every MCP tool the Worker exposes, including optional account and presign tools.