Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/XxYouDeaDPunKxX/cloudflare-r2-remote-mcp-worker/llms.txt

Use this file to discover all available pages before exploring further.

The admin tools expose bucket and account metadata by calling the Cloudflare API on behalf of the MCP client. All ten tools are strictly read-only — they surface configuration and metrics but never create, update, or delete any account resource. This constraint is intentional: read-only access limits the blast radius of a compromised session to information disclosure only. The tools are disabled by default and require a Cloudflare API token with a narrowly scoped R2 permission. See Tools Overview for the full tool surface and Deployment Configuration for API token setup details.

Enabling Admin Tools

Add the following to the vars block of your wrangler.jsonc:
"vars": {
  "ENABLE_ACCOUNT_TOOLS": "true",
  "CLOUDFLARE_ACCOUNT_ID": "your-account-id",
  "R2_BUCKET_NAME": "your-bucket-name"
}
Then store the API token as a Wrangler secret:
npx wrangler secret put CLOUDFLARE_API_TOKEN -c wrangler.jsonc
Use the narrowest readable R2 scope available when creating the API token. A token scoped to R2 Read (or equivalent) is sufficient for all ten admin tools. Never use a global or zone-level token — if the token is ever compromised, the damage is contained to read-only R2 data.

All Admin Tools

Every admin tool carries readOnlyHint: true in its MCP annotations, signalling to clients that no state will be mutated.
ToolDescription
r2_bucket_listList R2 buckets in the configured Cloudflare account.
r2_bucket_getGet metadata for one R2 bucket.
r2_cors_getGet CORS rules for one R2 bucket.
r2_lifecycle_getGet lifecycle rules for one R2 bucket.
r2_domain_custom_listList custom domains attached to one R2 bucket.
r2_domain_custom_getGet custom domain settings for one R2 bucket.
r2_domain_managed_getGet r2.dev managed domain settings for one R2 bucket.
r2_notifications_listList event notification rules for one R2 bucket.
r2_notifications_getGet one event notification queue configuration for an R2 bucket.
r2_metrics_getGet account-level R2 storage metrics.

Tool Reference

r2_bucket_list

List R2 buckets in the configured Cloudflare account. Supports pagination and server-side filtering by name.
cursor
string
Pagination cursor returned by a previous r2_bucket_list response. Omit for the first page.
direction
string
Sort direction for the bucket list. Accepted values: "asc" or "desc".
nameContains
string
Filter results to buckets whose names contain this substring.
perPage
integer
Maximum number of buckets to return per page. Must be between 1 and 1000.
Example call:
{
  "nameContains": "prod",
  "direction": "asc",
  "perPage": 50
}

r2_bucket_get

Get metadata for one R2 bucket, including creation time and location hint.
bucketName
string
Name of the bucket to inspect. Defaults to the value of R2_BUCKET_NAME when omitted.
Example call:
{
  "bucketName": "my-assets"
}

r2_cors_get

Get CORS rules for one R2 bucket. Useful for verifying that browser-origin restrictions are set correctly before enabling presigned URL flows.
bucketName
string
Name of the target bucket. Defaults to R2_BUCKET_NAME when omitted.
Example call:
{
  "bucketName": "my-assets"
}

r2_lifecycle_get

Get lifecycle rules for one R2 bucket, including expiration and transition policies.
bucketName
string
Name of the target bucket. Defaults to R2_BUCKET_NAME when omitted.

r2_domain_custom_list

List custom domains attached to one R2 bucket.
bucketName
string
Name of the target bucket. Defaults to R2_BUCKET_NAME when omitted.

r2_domain_custom_get

Get custom domain settings for one R2 bucket. Returns the configuration for a specific custom domain attached to the bucket.
bucketName
string
Name of the target bucket. Defaults to R2_BUCKET_NAME when omitted.
domain
string
required
The custom domain name to look up (e.g., "assets.example.com").
Example call:
{
  "bucketName": "my-assets",
  "domain": "assets.example.com"
}

r2_domain_managed_get

Get r2.dev managed domain settings for one R2 bucket, including whether public access is enabled.
bucketName
string
Name of the target bucket. Defaults to R2_BUCKET_NAME when omitted.

r2_notifications_list

List event notification rules for one R2 bucket. Each rule maps bucket events (such as object creation or deletion) to a Cloudflare Queue.
bucketName
string
Name of the target bucket. Defaults to R2_BUCKET_NAME when omitted.

r2_notifications_get

Get one event notification queue configuration for an R2 bucket. Returns the full configuration for the specified queue.
bucketName
string
Name of the target bucket. Defaults to R2_BUCKET_NAME when omitted.
queueId
string
required
The Queue ID of the notification configuration to retrieve.
Example call:
{
  "bucketName": "my-assets",
  "queueId": "abc123def456"
}

r2_metrics_get

Get account-level R2 storage metrics, including total object count and storage bytes consumed across all buckets in the account. This tool takes no parameters. Example call:
{}

Intentional Omissions

All admin tools are annotated with readOnlyHint: true. No tool in this surface will ever mutate account state.
The following mutating account operations are deliberately not implemented:
CategoryOmitted operations
BucketsCreate bucket, delete bucket
CORSPut CORS rules, delete CORS rules
LifecyclePut lifecycle rules, delete lifecycle rules
Custom domainsAttach domain, update domain, remove domain
Managed domainEnable/disable r2.dev public access
NotificationsCreate notification rule, update notification rule, delete notification rule
These omissions are by design. A read-only tool surface means:
  • A compromised MCP session or API token cannot alter bucket configuration, destroy data pipelines, or expose buckets publicly.
  • The blast radius of any incident is limited to information disclosure of account metadata.
  • Operators can safely enable admin tools in production without gating them behind additional change-control workflows.
If you need to perform any of the omitted operations, use the Cloudflare Dashboard or the Cloudflare API directly outside of the MCP session.

Build docs developers (and LLMs) love