cloudflare-access-mcp
Install: `claude install-skill Goodsmileduck/claude-registry`
# Cloudflare → MCP server OAuth/SSO
Three real paths; pick one by use case.
## Decision matrix
| Path | When | Effort | Limit |
| --- | --- | --- | --- |
| **A — AI Controls MCP Portal** (REST) | You have one or more MCP URLs that already exist (public Workers MCPs, vendor MCPs). You want one portal URL fronting them with OAuth, plus per-tool/per-prompt toggles and Access logging. | 1 IdP step + 1 POST per server + 1 dashboard step | `auth_type` is `oauth` / `bearer` / `unauthenticated` only — **no Cloudflare Access service-token (dual-header) auth to upstream**. Portal composition is dashboard-driven; only server registration is REST today. |
| **B — Self-hosted Access app + Managed OAuth** (REST) | Per-hostname OAuth on your own origin. No portal hop. Origin can be private (behind cloudflared tunnel) or any public URL. Native MCP-spec OAuth (DCR, /authorize, /token, .well-known/*) at your hostname. | ~6 API calls per server (+ tunnel if private) | More moving parts. Five known footguns — see Hard rules. |
| **C — Same as B, in Terraform/OpenTofu** | You already have IaC for Cloudflare. Multi-environment parity matters. PR-reviewed access changes. | Heaviest setup, smallest per-server delta | Wrong for one-offs. If a project has no Cloudflare IaC yet, pick A or B. |
The `cf` CLI also exposes these endpoints — preview only; the REST recipes here are the stable contract. See the `cloudflare-cf-cli` skill for `cf` posture.
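Path B's "native MCP-spec OAuth at your hostname" can be checked after setup by validating the OAuth authorization server metadata (RFC 8414) published under `.well-known/`. The sketch below is an added example, not part of this skill or of Cloudflare's tooling; the hostname `mcp.example.com`, the `/register` path, the sample document and the choice of checks are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of an RFC 8414 metadata document (not captured output).
# mcp.example.com and the /register path are placeholders.
SAMPLE_METADATA = {
    "issuer": "https://mcp.example.com",
    "authorization_endpoint": "https://mcp.example.com/authorize",
    "token_endpoint": "https://mcp.example.com/token",
    "registration_endpoint": "https://mcp.example.com/register",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}

# The three endpoints path B expects at the protected hostname:
# /authorize, /token and the DCR registration endpoint.
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "registration_endpoint")


def check_oauth_metadata(expected_host, metadata):
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    issuer = urlsplit(metadata.get("issuer", ""))
    if issuer.scheme != "https" or issuer.hostname != expected_host:
        findings.append("issuer is not https://%s" % expected_host)
    for field in ENDPOINT_FIELDS:
        value = metadata.get(field)
        if not value:
            # A missing registration_endpoint means clients cannot self-register.
            findings.append("%s missing" % field)
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            findings.append("%s is not https" % field)
        if url.hostname != expected_host:
            # An endpoint on another host means a hop path B is meant to avoid.
            findings.append("%s points at %s, not %s" % (field, url.hostname, expected_host))
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised")
    if "code" not in metadata.get("response_types_supported", []):
        findings.append("authorization code flow not advertised")
    return findings


if __name__ == "__main__":
    for finding in check_oauth_metadata("mcp.example.com", SAMPLE_METADATA) or ["ok"]:
        print(finding)
```

To run it against a live hostname, fetch the JSON document yourself and pass the parsed dict in place of `SAMPLE_METADATA`.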
## When to invoke
- "Put my MCP server behind Cloudfl