Scaling MCP adoption: Our reference architecture for simpler, safer and cheaper enterprise deployments of MCP

Cloudflare has introduced Managed OAuth for Access, allowing internal apps to be agent-ready in one click. This solves a problem where agents couldn't access internal app data behind Cloudflare Access. With Managed OAuth, agents that speak OAuth 2.0 can discover how to authenticate, send the user through the auth flow, and receive a JWT token. Enabling Managed OAuth for an Access app involves a one-click process, where Cloudflare Access acts as the authorization server and returns the www-authenticate header directing agents to the OAuth authorization server. The agent then dynamically registers itself, sends the human through a PKCE authorization flow, and receives a token to make authenticated requests on behalf of the user. This solution makes internal apps agent-ready instantly, without requiring code changes or retrofitting, ensuring secure and immediate access to internal ecosystems. Cloudflare Access has a generous free tier, and the solution will soon allow bridging identity providers across Cloudflare accounts through the Organizations beta.

Here's a 2-3 sentence summary of the blog post on securing non-human identities: To secure non-human identities, such as agents and scripts, Cloudflare has introduced updates to manage their entire lifecycle, including scannable tokens, OAuth visibility, and resource-scoped RBAC to fine-tune policies. The company's new token formats, with a scannable "cf" prefix and checksum, enable automated security tools to easily identify and revoke leaked API tokens, and its partnership with GitHub detects and revokes leaked tokens in public and private repositories. Cloudflare One customers also benefit from these features, as DLP profiles can detect and block credential leaks across network traffic, email, and SaaS applications, and the company's AI Gateway scans and blocks AI traffic in real-time.