Description
Use Case
When building Cloudflare-hosted applications via Claude Code (or any MCP client), it's common to need minimum-scoped API tokens for specific projects — e.g., a deployment token for a Workers AI + Vectorize + D1 application that shouldn't have DNS or zone access.
Currently, token creation requires either the CF dashboard or raw curl calls to api.cloudflare.com/client/v4/user/tokens, including looking up permission group IDs manually.
Requested Tools
| Tool | Purpose |
|---|---|
| `tokens_list` | List all API tokens on the account |
| `tokens_create` | Create a new token with specified name, policies, and permission groups |
| `tokens_update` | Modify an existing token's permissions |
| `tokens_delete` | Revoke a token |
| `token_permission_groups_list` | List available permission groups (needed to build policies) |
| `tokens_verify` | Verify a token is valid and show its scopes |
Why This Matters
The MCP server already supports Workers, KV, R2, D1, and Vectorize management. Token management is the missing piece for a complete infrastructure-as-code workflow through the MCP. Without it, users must break out of the MCP workflow to create tokens in the dashboard.
This is especially important for:
- Minimum-privilege deployments — creating project-scoped tokens with only the permissions needed
- CI/CD setup — generating deploy tokens for GitHub Actions
- Multi-project isolation — separate tokens per Worker/application
- Rotation — revoking and replacing tokens without dashboard access
Context
Discovered while building a Workers AI + Vectorize + D1 application via Claude Code. Had to fall back to curl against the REST API to create a min-scoped token, which required manually looking up 9 permission group UUIDs from the /user/tokens/permission_groups endpoint.
Related
- docs: document required OAuth scopes and API token permissions per server #307 (document required OAuth scopes per server) — token creation would complement this by letting users create properly-scoped tokens programmatically
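
The manual step described under Context (resolving permission group names to UUIDs, then building the token policy) can be sketched as follows. This is an added example, not part of the original issue or of the MCP server's code. The helper name `build_token_request`, the sample group names and IDs, the account ID placeholder, and the assumed response shape (`result` entries with `id`, `name`, `scopes`) are all constructed for illustration.

```python
import json

ACCOUNT_SCOPE = "com.cloudflare.api.account"

# Constructed sample shaped like a /user/tokens/permission_groups response.
# Names and IDs are placeholders, not real Cloudflare permission group UUIDs.
SAMPLE_GROUPS = {"result": [
    {"id": "a" * 32, "name": "Workers Scripts Write", "scopes": [ACCOUNT_SCOPE]},
    {"id": "b" * 32, "name": "D1 Write", "scopes": [ACCOUNT_SCOPE]},
    {"id": "c" * 32, "name": "Vectorize Write", "scopes": [ACCOUNT_SCOPE]},
    {"id": "d" * 32, "name": "DNS Write", "scopes": [ACCOUNT_SCOPE + ".zone"]},
]}


def build_token_request(token_name, account_id, wanted, groups_response):
    """Resolve group names to IDs and build a POST /user/tokens body with one
    allow policy limited to a single account (hypothetical helper)."""
    by_name = {g["name"]: g for g in groups_response["result"]}
    wanted = sorted(set(wanted))
    missing = [n for n in wanted if n not in by_name]
    if missing:
        # Fail closed: a typo must not silently produce a weaker or empty policy.
        raise ValueError(f"unknown permission groups: {missing}")
    off_scope = [n for n in wanted if ACCOUNT_SCOPE not in by_name[n]["scopes"]]
    if off_scope:
        # Zone- or user-scoped groups (e.g. DNS) do not belong in a deploy token.
        raise ValueError(f"not account-scoped: {off_scope}")
    return {
        "name": token_name,
        "policies": [{
            "effect": "allow",
            "resources": {f"{ACCOUNT_SCOPE}.{account_id}": "*"},
            "permission_groups": [{"id": by_name[n]["id"]} for n in wanted],
        }],
    }


if __name__ == "__main__":
    body = build_token_request(
        "example-deploy", "ACCOUNT_ID_PLACEHOLDER",
        ["Workers Scripts Write", "D1 Write", "Vectorize Write"], SAMPLE_GROUPS)
    print(json.dumps(body, indent=2))
```

The returned dictionary is the JSON body for the token-creation call; rejecting unknown and non-account-scoped groups before the request is sent keeps a deploy token from picking up DNS or zone access by accident.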