Official Cloudflare CLI for creating and running tunnels, routing hostnames or private networks, and accessing protected services.
$brew install cloudflared
Agent Compatibility
JSON Output
Agent Skill
MCP Support
AI Analysis
cloudflared is Cloudflare's tunnel and access client for connecting private services to Cloudflare without opening inbound ports. It can publish local HTTP services, route private TCP or IP traffic through Cloudflare, and authenticate clients into Access-protected apps.
What It Enables
- Create named tunnels, run tunnel connectors, and map public hostnames, load balancers, or private network routes to local services.
- Expose localhost or internal apps for development or production, including quick temporary tunnels and durable DNS-backed routes.
- Authenticate into Access-protected apps, proxy SSH or other TCP traffic through Cloudflare, and stream logs or run diagnostics against connectors.
Agent Fit
- The CLI maps well to inspect, change, and verify loops: you can create, list, inspect, delete, route, and health-check tunnels directly from the shell.
- Structured output is present but uneven: tunnel listings and route queries support
--output json|yaml,tailsupports--output json, and token commands emit JSON, while many setup and run flows are plain text or logs. - Works best when account, zone, and tunnel conventions are already captured in skills; browser login, origin certs, and long-running service management make unattended use more involved than a pure CRUD API CLI.
Caveats
- Production use requires Cloudflare account setup and credentials;
tunnel loginandaccess logincan open browser-based flows, while named tunnels depend on certs or tokens. - Quick tunnels are for testing only, and the core
tunnel runworkflow is a daemon-style process rather than a short request-response command.