Cloudflare Blog1 min readApr 14, 2026

Managed OAuth for Access: make internal apps agent-ready in one click

Managed OAuth for Cloudflare Access helps AI agents securely navigate internal applications. By adopting RFC 9728, agents can authenticate on behalf of users without using insecure service accounts.

Cloud Security AI

OAuthCloudflare AccessAPI SecurityAuthenticationAccess Management

AI Summary

Cloudflare has introduced Managed OAuth for Access, allowing internal apps to be agent-ready in one click. This solves a problem where agents couldn't access internal app data behind Cloudflare Access. With Managed OAuth, agents that speak OAuth 2.0 can discover how to authenticate, send the user through the auth flow, and receive a JWT token. Enabling Managed OAuth for an Access app involves a one-click process, where Cloudflare Access acts as the authorization server and returns the www-authenticate header directing agents to the OAuth authorization server. The agent then dynamically registers itself, sends the human through a PKCE authorization flow, and receives a token to make authenticated requests on behalf of the user. This solution makes internal apps agent-ready instantly, without requiring code changes or retrofitting, ensuring secure and immediate access to internal ecosystems. Cloudflare Access has a generous free tier, and the solution will soon allow bridging identity providers across Cloudflare accounts through the Organizations beta.

Read full article →Share

Securing non-human identities: automated revocation, OAuth, and scoped permissions

Here's a 2-3 sentence summary of the blog post on securing non-human identities: To secure non-human identities, such as agents and scripts, Cloudflare has introduced updates to manage their entire lifecycle, including scannable tokens, OAuth visibility, and resource-scoped RBAC to fine-tune policies. The company's new token formats, with a scannable "cf" prefix and checksum, enable automated security tools to easily identify and revoke leaked API tokens, and its partnership with GitHub detects and revokes leaked tokens in public and private repositories. Cloudflare One customers also benefit from these features, as DLP profiles can detect and block credential leaks across network traffic, email, and SaaS applications, and the company's AI Gateway scans and blocks AI traffic in real-time.

CloudSecurityBackend

OAuthAPI tokensGA for resource-scoped permissionsIdentity ManagementAccess ControlLeast Privilege Architecture

Cloudflare BlogNew1 min22h ago

Scaling MCP adoption: Our reference architecture for simpler, safer and cheaper enterprise deployments of MCP

Cloudflare developed a unified security architecture to govern AI usage with Model Context Protocol (MCP) across its enterprise, addressing security risks such as authorization sprawl and supply chain risks. To achieve this, they built a centralized team to manage MCP server deployment, using a shared MCP platform with governed infrastructure, CI/CD pipelines, secrets management, and audit logging. This centralized approach enabled rapid adoption and provided visibility into MCP server usage while maintaining control over software sources.

CloudBackendAI

AccessAI GatewayMCPCode ModeCloud Native Architecture

Weekly Brief

Get the top 10 engineering articles delivered every Monday.