Skip to content
stack
Get started
Provider · Deploy

Cloudflare — Ashlr Stack Provider

Cloudflare: Workers, R2, D1. Account id inferred from the token's scope. Wire it into your project with one command via Ashlr Stack.

Deploy · PAT
Cloudflare — Workers, R2, D1. Account id inferred from the token's scope.
Dashboard ↗

One command

Add Cloudflare to any Ashlr Stack project with a single command. Stack runs the auth flow, verifies the credential, and writes every secret slot into Phantom. 

stack add cloudflare

Or describe what you're building and let Claude pick it up via stack recommend: 

stack recommend "host a Next.js frontend"

Auth flow

Paste a personal access token (PAT) once. Stack verifies it against the provider's API before writing to Phantom.

How-to: Create a scoped API token at https://dash.cloudflare.com/profile/api-tokens.

Secret slots

stack add cloudflare writes these 2 secret slots into your Phantom vault:

  • CLOUDFLARE_API_TOKEN
  • CLOUDFLARE_ACCOUNT_ID

The values never leave Phantom in plaintext. Your .env file references slot names, and stack exec -- <cmd> swaps them in at process-spawn time via Phantom's local proxy.

MCP wiring

Cloudflare ships an MCP server. stack add cloudflare auto-wires it into .mcp.json so your Claude Code / Cursor / Windsurf session can use it immediately.

Cloudflare MCP (Workers Bindings + R2 + D1) with CLOUDFLARE_API_TOKEN piped from Phantom.

Starter templates that include Cloudflare

Apply a pre-wired stack with one command:

  • stack init --template cloudflare-turso-clerk
  • Modal — Serverless compute for AI + data. Token stored in Phantom.
  • Vercel — Frontend platform. Stores a scoped access token for deploys + env sync.
  • Railway — Infra from a repo. Project-level token stored in Phantom.
  • Fly.io — VMs at the edge. Machines API token stored in Phantom.
  • Render — Zero-config hosting. API key stored in Phantom.

FAQ

Do I need a Cloudflare account to use it with Stack?

Yes — Stack provisions Cloudflare on your behalf, but it authenticates as you. Paste a personal access token (PAT) once. Stack verifies it against the provider's API before writing to Phantom. If you don't have a credential yet, create one at https://dash.cloudflare.com and paste it once.

Where does Stack store my Cloudflare credentials?

In Phantom Secrets, an E2E-encrypted local vault. Stack writes the secret slot names (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID) into .stack.toml — the actual values live only in Phantom and never touch disk in plaintext.

Can I rotate or revoke this integration later?

Yes. Run `stack remove cloudflare` to pull the Cloudflare service back out (Phantom secrets deleted, MCP entry removed, .stack.toml cleaned up). Rotate the underlying Cloudflare credentials in their dashboard — https://dash.cloudflare.com — and Stack's next `doctor --fix` will pick up the new values.

Outbound