Cloudflare One CASB
Connect AI tools to Cloudflare One CASB (Cloud Access Security Broker) to quickly identify security misconfigurations for SaaS applications and safeguard users and data. The Cloudflare One CASB MCP server gives AI assistants secure access to CASB findings and controls through the Model Context Protocol (MCP).
1. Overview
Cloudflare One CASB is a remote, vendor-hosted MCP server provided by Cloudflare. You connect to it from Cequence AI Gateway; the server uses Streamable HTTP (the standard transport for remote MCP per Cloudflare’s MCP docs).
- Server URL: https://casb.mcp.cloudflare.com/mcp
- Transport: HTTP (Streamable HTTP)
- Hosted by: Cloudflare
2. Supported authentication types
| Type | Supported | Notes |
|---|---|---|
| OAuth 2.0 | Yes | Required. Uses Dynamic Client Registration (DCR); sign in with your Cloudflare account. |
| API key | No | Not used for this remote MCP server. |
When you add Cloudflare One CASB in Cequence AI Gateway, authentication is handled via OAuth 2.0 with Dynamic Client Registration. You sign in with your Cloudflare account and grant access during the gateway flow.
3. What can you do with this MCP server
With the Cloudflare One CASB MCP server, you can:
- Identify misconfigurations — Find security misconfigurations across connected SaaS applications to safeguard users and data.
- Explore users, files, and assets — Query across users, files, and other asset categories that transcend a single SaaS app.
- Understand relationships — Understand relationships from data that exists across many different CASB integrations (e.g. “Tell me about [user] and what SaaS tools they appear to have accessed”).
- Discover assets — Discover assets and surface security misconfigurations from your organization’s SaaS and cloud applications.
- Query and report — Ask questions about SaaS app security posture and generate summaries for security teams.
4. Prerequisites
Before adding Cloudflare One CASB in Cequence AI Gateway, ensure you have:
- Access to Cequence AI Gateway (e.g. beta.aigateway.cequence.ai)
- A Cloudflare account with Cloudflare One and CASB enabled
- A modern browser to complete the OAuth authorization flow
- For OAuth authentication: an auth app with client credentials (client ID and client secret) in your Cloudflare (vendor) account, unless the server supports Dynamic Client Registration (DCR).
5. Example workflows
- “List high-severity CASB findings for my connected SaaS apps.”
- “Summarize security misconfigurations for [app name].”
- “Show CASB findings that affect user data handling.”
6. Connecting MCP server from Cequence AI Gateway
- Log in to Cequence AI Gateway.
- Choose your tenant.
- Go to App catalogue.
- Filter by Remote MCP server.
- Search for Cloudflare One CASB and then select it.
- Click Create MCP server.
- Choose the auth method. For OAuth, you need an auth app with client credentials in your vendor account (see Prerequisites).
- Complete the setup as prompted, select tools, and deploy.
Use the generated MCP server URL in your client as described in the Client Configuration docs. For detailed UI steps and screenshots, see Create a third-party MCP Server.
7. Additional information
- Transport: Streamable HTTP. See Transport.
- Timeout: 30-second timeout for requests.
- Cloudflare MCP: Model Context Protocol (MCP), Build a Remote MCP server.
- Official repository: mcp-server-cloudflare.