---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

All products

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

Mar 24, 2026
1. ### [Advanced WAF customization for AI Crawl Control blocks](https://developers.cloudflare.com/changelog/post/2026-03-24-waf-rule-preservation/)  
[ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/)  
AI Crawl Control now supports extending the underlying WAF rule with custom modifications. Any changes you make directly in the WAF custom rules editor — such as adding path-based exceptions, extra user agents, or additional expression clauses — are preserved when you update crawler actions in AI Crawl Control.  
If the WAF rule expression has been modified in a way AI Crawl Control cannot parse, a warning banner appears on the **Crawlers** page with a link to view the rule directly in WAF.  
For more information, refer to [WAF rule management](https://developers.cloudflare.com/ai-crawl-control/features/manage-ai-crawlers/#waf-rule-management).

Mar 24, 2026
1. ### [Cache Response Rules](https://developers.cloudflare.com/changelog/post/2026-03-24-cache-response-rules/)  
[ Cache / CDN ](https://developers.cloudflare.com/cache/)  
You can now control how Cloudflare handles origin responses without changing your origin. Cache Response Rules let you modify `Cache-Control` directives, manage cache tags, and strip headers like `Set-Cookie` from origin responses _before_ they reach Cloudflare's cache. Whether traffic is cached or passed through dynamically, these rules give you control over origin response behavior that was previously out of reach.  
#### What changed  
Cache Rules previously only operated on request attributes. Cache Response Rules introduce a new response phase that evaluates origin responses and lets you act on them before caching. You can now:

  * **Modify `Cache-Control` directives**: Set or remove individual directives like `no-store`, `no-cache`, `max-age`, `s-maxage`, `stale-while-revalidate`, `immutable`, and more. For example, remove a `no-cache` directive your origin sends so Cloudflare can cache the asset, or set an `s-maxage` to control how long Cloudflare stores it.
  * **Set a different browser `Cache-Control`**: Send a different `Cache-Control` header downstream to browsers and other clients than what Cloudflare uses internally, giving you independent control over edge and browser caching strategies.
  * **Manage cache tags**: Add, set, or remove cache tags on responses, including converting tags from another CDN's header format into Cloudflare's `Cache-Tag` header. This is especially useful if you are migrating from a CDN that uses a different tag header or delimiter.
  * **Strip headers that block caching**: Remove `Set-Cookie`, `ETag`, or `Last-Modified` headers from origin responses before caching, so responses that would otherwise be treated as uncacheable can be stored and served from cache.  
#### Benefits

  * **No origin changes required**: Fix caching behavior entirely from Cloudflare, even when your origin configuration is locked down or managed by a different team.
  * **Simpler CDN migration**: Match caching behavior from other CDN providers without rewriting your origin. Translate cache tag formats and override directives that do not align with Cloudflare's defaults.
  * **Native support, fewer workarounds**: Functionality that previously required workarounds is now built into Cache Rules with full Tiered Cache compatibility.
  * **Fine-grained control**: Use expressions to match on request and response attributes, then apply precise cache settings per rule. Rules are stackable and composable with existing Cache Rules.  
#### Get started  
Configure Cache Response Rules in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/caching/cache-rules) under **Caching** \> **Cache Rules**, or via the [Rulesets API ↗](https://developers.cloudflare.com/ruleset-engine/rulesets-api/). For more details, refer to the [Cache Rules documentation ↗](https://developers.cloudflare.com/cache/how-to/cache-response-rules/).

Mar 24, 2026
1. ### [Use Docker Hub images with Containers](https://developers.cloudflare.com/changelog/post/2026-03-24-docker-hub-images/)  
[ Containers ](https://developers.cloudflare.com/containers/)  
Containers now support [Docker Hub ↗](https://hub.docker.com/) images. You can use a fully qualified Docker Hub image reference in your [Wrangler configuration ↗](https://developers.cloudflare.com/workers/wrangler/configuration/#containers) instead of first pushing the image to Cloudflare Registry.

  * [  wrangler.jsonc ](#tab-panel-4759)
  * [  wrangler.toml ](#tab-panel-4760)  
JSONC  
```  
{  "containers": [    {      // Example: docker.io/cloudflare/sandbox:0.7.18      "image": "docker.io/<NAMESPACE>/<REPOSITORY>:<TAG>",    },  ],}  
```  
TOML  
```  
[[containers]]image = "docker.io/<NAMESPACE>/<REPOSITORY>:<TAG>"  
```  
Containers also support private Docker Hub images. To configure credentials, refer to [Use private Docker Hub images](https://developers.cloudflare.com/containers/platform-details/image-management/#use-private-docker-hub-images).  
For more information, refer to [Image management](https://developers.cloudflare.com/containers/platform-details/image-management/).

Mar 24, 2026
1. ### [OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies](https://developers.cloudflare.com/changelog/post/2026-03-24-oidc-claims-filtering-gateway-policies/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
Cloudflare Gateway now supports [OIDC Claims](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.  
With this update, you can:

  * Filter traffic in [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) firewall policies based on OIDC claim values.
  * Apply custom [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims.
  * Control [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes.  
For example, you can create a policy that routes traffic differently for users with `department=engineering` in their OIDC claims, or restrict access to certain destinations based on a user's role claim.  
To get started, configure [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) on your identity provider and use the **OIDC Claims** selector in the Gateway policy builder.  
For more information, refer to [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/).

Mar 24, 2026
1. ### [Interconnects moved to Connectors](https://developers.cloudflare.com/changelog/post/2026-03-24-interconnects-navigation-update/)  
[ Network Interconnect ](https://developers.cloudflare.com/network-interconnect/)  
The top-level **Interconnects** page in the Cloudflare dashboard has been removed. Interconnects are now located under **Connectors** \> **Interconnects**.  
Your existing configurations and functionality remain the same.

Mar 24, 2026
1. ### [Dynamic Workers, now in open beta](https://developers.cloudflare.com/changelog/post/2026-03-24-dynamic-workers-open-beta/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
[Dynamic Workers](https://developers.cloudflare.com/dynamic-workers/) are now in [open beta ↗](https://blog.cloudflare.com/dynamic-workers/) for all paid Workers users. You can now have a Worker spin up other Workers, called Dynamic Workers, at runtime to execute code on-demand in a secure, sandboxed environment. Dynamic Workers start in milliseconds, making them well suited for fast, secure code execution at scale.  
#### Use Dynamic Workers for

  * **[Code Mode](https://developers.cloudflare.com/agents/tools/codemode/)**: LLMs are trained to write code. Run tool-calling logic written in code instead of stepping through many tool calls, which can save up to 80% in inference tokens and cost.
  * **AI agents executing code**: Run code for tasks like data analysis, file transformation, API calls, and chained actions.
  * **Running AI-generated code**: Run generated code for prototypes, projects, and automations in a secure, isolated sandboxed environment.
  * **Fast development and previews**: Load prototypes, previews, and playgrounds in milliseconds.
  * **Custom automations**: Create custom tools on the fly that execute a task, call an integration, or automate a workflow.  
#### Executing Dynamic Workers  
Dynamic Workers support two loading modes:

  * `load(code)` — for one-time code execution (equivalent to calling `get()` with a null ID).
  * `get(id, callback)` — caches a Dynamic Worker by ID so it can stay warm across requests. Use this when the same code will receive subsequent requests.

  * [  JavaScript ](#tab-panel-4771)
  * [  TypeScript ](#tab-panel-4772)  
JavaScript  
```  
export default {  async fetch(request, env) {    const worker = env.LOADER.load({      compatibilityDate: "2026-01-01",      mainModule: "src/index.js",      modules: {        "src/index.js": `          export default {            fetch() {              return new Response("Hello from a dynamic Worker");            },          };        `,      },      // Block all outbound network access from the Dynamic Worker.      globalOutbound: null,    });  
    return worker.getEntrypoint().fetch(request);  },};  
```  
TypeScript  
```  
export default {  async fetch(request: Request, env: Env): Promise<Response> {    const worker = env.LOADER.load({      compatibilityDate: "2026-01-01",      mainModule: "src/index.js",      modules: {        "src/index.js": `          export default {            fetch() {              return new Response("Hello from a dynamic Worker");            },          };        `,      },      // Block all outbound network access from the Dynamic Worker.      globalOutbound: null,    });  
    return worker.getEntrypoint().fetch(request);  },};  
```  
#### Helper libraries for Dynamic Workers  
Here are 3 new libraries to help you build with Dynamic Workers:

  * **[@cloudflare/codemode ↗](https://www.npmjs.com/package/@cloudflare/codemode)**: Replace individual tool calls with a single `code()` tool, so LLMs write and execute TypeScript that orchestrates multiple API calls in one pass.
  * **[@cloudflare/worker-bundler ↗](https://www.npmjs.com/package/@cloudflare/worker-bundler)**: Resolve npm dependencies and bundle source files into ready-to-load modules for Dynamic Workers, all at runtime.
  * **[@cloudflare/shell ↗](https://www.npmjs.com/package/@cloudflare/shell)**: Give your agent a virtual filesystem inside a Dynamic Worker with persistent storage backed by SQLite and R2.  
#### Try it out

**Dynamic Workers Starter**  
[![Deploy to Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/cloudflare/agents/tree/main/examples/dynamic-workers)  
Use this [starter ↗](https://github.com/cloudflare/agents/tree/main/examples/dynamic-workers) to deploy a Worker that can load and execute Dynamic Workers.

**Dynamic Workers Playground**  
[![Deploy to Workers](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=https://github.com/cloudflare/agents/tree/main/examples/dynamic-workers-playground)  
Deploy the [Dynamic Workers Playground ↗](https://github.com/cloudflare/agents/tree/main/examples/dynamic-workers-playground) to write or import code, bundle it at runtime with `@cloudflare/worker-bundler`, execute it through a Dynamic Worker, and see real-time responses and execution logs.  
For the full API reference and configuration options, refer to the [Dynamic Workers documentation](https://developers.cloudflare.com/dynamic-workers/).  
#### Pricing  
Dynamic Workers [pricing](https://developers.cloudflare.com/dynamic-workers/pricing/) is based on three dimensions: Dynamic Workers created daily, requests, and CPU time.

|                                   | Included                               | Additional usage                    |
| --------------------------------- | -------------------------------------- | ----------------------------------- |
| **Dynamic Workers created daily** | 1,000 unique Dynamic Workers per month | +$0.002 per Dynamic Worker per day  |
| **Requests** ¹                    | 10 million per month                   | +$0.30 per million requests         |
| **CPU time** ¹                    | 30 million CPU milliseconds per month  | +$0.02 per million CPU milliseconds |  
¹ Uses [Workers Standard rates](https://developers.cloudflare.com/workers/platform/pricing/#workers) and will appear as part of your existing Workers bill, not as separate Dynamic Workers charges.  
Note: Dynamic Workers requests and CPU time are already billed as part of your Workers plan and will count toward your Workers requests and CPU usage. The Dynamic Workers created daily charge is not yet active — you will not be billed for the number of Dynamic Workers created at this time. Pricing information is shared in advance so you can estimate future costs.

Mar 23, 2026
1. ### [Workflow instances now support pause(), resume(), restart(), and terminate() methods in local development](https://developers.cloudflare.com/changelog/post/2026-03-23-local-dev-instance-methods/)  
[ Workflows ](https://developers.cloudflare.com/workflows/)[ Workers ](https://developers.cloudflare.com/workers/)  
Workflow instance methods `pause()`, `resume()`, `restart()`, and `terminate()` are now available in local development when using `wrangler dev`.  
You can now test the full Workflow instance lifecycle locally:  
TypeScript  
```  
const instance = await env.MY_WORKFLOW.create({  id: "my-instance-id",});  
await instance.pause(); // pauses a running workflow instanceawait instance.resume(); // resumes a paused instanceawait instance.restart(); // restarts the instance from the beginningawait instance.terminate(); // terminates the instance immediately  
```

Mar 23, 2026
1. ### [Agents SDK v0.8.0: readable state, idempotent schedules, typed AgentClient, and Zod 4](https://developers.cloudflare.com/changelog/post/2026-03-23-agents-sdk-v080/)  
[ Agents ](https://developers.cloudflare.com/agents/)[ Workers ](https://developers.cloudflare.com/workers/)  
The latest release of the [Agents SDK ↗](https://github.com/cloudflare/agents) exposes agent state as a readable property, prevents duplicate schedule rows across Durable Object restarts, brings full TypeScript inference to `AgentClient`, and migrates to Zod 4.  
#### Readable `state` on `useAgent` and `AgentClient`  
Both `useAgent` (React) and `AgentClient` (vanilla JS) now expose a `state` property that reflects the current agent state. Previously, reading state required manually tracking it through the `onStateUpdate` callback.

**React (`useAgent`)**

  * [  JavaScript ](#tab-panel-4761)
  * [  TypeScript ](#tab-panel-4762)  
JavaScript  
```  
const agent = useAgent({  agent: "game-agent",  name: "room-123",});  
// Read state directly — no separate useState + onStateUpdate neededreturn <div>Score: {agent.state?.score}</div>;  
// Spread for partial updatesagent.setState({ ...agent.state, score: (agent.state?.score ?? 0) + 10 });  
```  
TypeScript  
```  
const agent = useAgent<GameAgent, GameState>({  agent: "game-agent",  name: "room-123",});  
// Read state directly — no separate useState + onStateUpdate neededreturn <div>Score: {agent.state?.score}</div>;  
// Spread for partial updatesagent.setState({ ...agent.state, score: (agent.state?.score ?? 0) + 10 });  
```  
`agent.state` is reactive — the component re-renders when state changes from either the server or a client-side `setState()` call.

**Vanilla JS (`AgentClient`)**

  * [  JavaScript ](#tab-panel-4763)
  * [  TypeScript ](#tab-panel-4764)  
JavaScript  
```  
const client = new AgentClient({  agent: "game-agent",  name: "room-123",  host: "your-worker.workers.dev",});  
client.setState({ score: 100 });console.log(client.state); // { score: 100 }  
```  
TypeScript  
```  
const client = new AgentClient<GameAgent>({  agent: "game-agent",  name: "room-123",  host: "your-worker.workers.dev",});  
client.setState({ score: 100 });console.log(client.state); // { score: 100 }  
```  
State starts as `undefined` and is populated when the server sends the initial state on connect (from `initialState`) or when `setState()` is called. Use optional chaining (`agent.state?.field`) for safe access. The `onStateUpdate` callback continues to work as before — the new `state` property is additive.  
#### Idempotent `schedule()`  
`schedule()` now supports an `idempotent` option that deduplicates by `(type, callback, payload)`, preventing duplicate rows from accumulating when called in places that run on every Durable Object restart such as `onStart()`.

**Cron schedules are idempotent by default.** Calling `schedule("0 * * * *", "tick")` multiple times with the same callback, expression, and payload returns the existing schedule row instead of creating a new one. Pass `{ idempotent: false }` to override.  
Delayed and date-scheduled types support opt-in idempotency:

  * [  JavaScript ](#tab-panel-4765)
  * [  TypeScript ](#tab-panel-4766)  
JavaScript  
```  
import { Agent } from "agents";  
class MyAgent extends Agent {  async onStart() {    // Safe across restarts — only one row is created    await this.schedule(60, "maintenance", undefined, { idempotent: true });  }}  
```  
TypeScript  
```  
import { Agent } from "agents";  
class MyAgent extends Agent {  async onStart() {    // Safe across restarts — only one row is created    await this.schedule(60, "maintenance", undefined, { idempotent: true });  }}  
```  
Two new warnings help catch common foot-guns:

  * Calling `schedule()` inside `onStart()` without `{ idempotent: true }` emits a `console.warn` with actionable guidance (once per callback; skipped for cron and when `idempotent` is set explicitly).
  * If an alarm cycle processes 10 or more stale one-shot rows for the same callback, the SDK emits a `console.warn` and a `schedule:duplicate_warning` diagnostics channel event.  
#### Typed `AgentClient` with `call` inference and `stub` proxy  
`AgentClient` now accepts an optional agent type parameter for full type inference on RPC calls, matching the typed experience already available with `useAgent`.

  * [  JavaScript ](#tab-panel-4769)
  * [  TypeScript ](#tab-panel-4770)  
JavaScript  
```  
const client = new AgentClient({  agent: "my-agent",  host: window.location.host,});  
// Typed call — method name autocompletes, args and return type inferredconst value = await client.call("getValue");  
// Typed stub — direct RPC-style proxyawait client.stub.getValue();await client.stub.add(1, 2);  
```  
TypeScript  
```  
const client = new AgentClient<MyAgent>({  agent: "my-agent",  host: window.location.host,});  
// Typed call — method name autocompletes, args and return type inferredconst value = await client.call("getValue");  
// Typed stub — direct RPC-style proxyawait client.stub.getValue();await client.stub.add(1, 2);  
```  
State is automatically inferred from the agent type, so `onStateUpdate` is also typed:

  * [  JavaScript ](#tab-panel-4767)
  * [  TypeScript ](#tab-panel-4768)  
JavaScript  
```  
const client = new AgentClient({  agent: "my-agent",  host: window.location.host,  onStateUpdate: (state) => {    // state is typed as MyAgent's state type  },});  
```  
TypeScript  
```  
const client = new AgentClient<MyAgent>({  agent: "my-agent",  host: window.location.host,  onStateUpdate: (state) => {    // state is typed as MyAgent's state type  },});  
```  
Existing untyped usage continues to work without changes. The RPC type utilities (`AgentMethods`, `AgentStub`, `RPCMethods`) are now exported from `agents/client` for advanced typing scenarios. `agents`, `@cloudflare/ai-chat`, and `@cloudflare/codemode` now require `zod ^4.0.0`. Zod v3 is no longer supported.  
#### `@cloudflare/ai-chat` fixes

  * **Turn serialization** — `onChatMessage()` and `_reply()` work is now queued so user requests, tool continuations, and `saveMessages()` never stream concurrently.
  * **Duplicate messages on stop** — Clicking stop during an active stream no longer splits the assistant message into two entries.
  * **Duplicate messages after tool calls** — Orphaned client IDs no longer leak into persistent storage.  
#### `keepAlive()` and `keepAliveWhile()` are no longer experimental  
`keepAlive()` now uses a lightweight in-memory ref count instead of schedule rows. Multiple concurrent callers share a single alarm cycle. The `@experimental` tag has been removed from both `keepAlive()` and `keepAliveWhile()`.  
#### `@cloudflare/codemode`: TanStack AI integration  
A new entry point `@cloudflare/codemode/tanstack-ai` adds support for [TanStack AI's ↗](https://tanstack.com/ai) `chat()` as an alternative to the Vercel AI SDK's `streamText()`:

  * [  JavaScript ](#tab-panel-4773)
  * [  TypeScript ](#tab-panel-4774)  
JavaScript  
```  
import {  createCodeTool,  tanstackTools,} from "@cloudflare/codemode/tanstack-ai";import { chat } from "@tanstack/ai";  
const codeTool = createCodeTool({  tools: [tanstackTools(myServerTools)],  executor,});  
const stream = chat({ adapter, tools: [codeTool], messages });  
```  
TypeScript  
```  
import { createCodeTool, tanstackTools } from "@cloudflare/codemode/tanstack-ai";import { chat } from "@tanstack/ai";  
const codeTool = createCodeTool({  tools: [tanstackTools(myServerTools)],  executor,});  
const stream = chat({ adapter, tools: [codeTool], messages });  
```  
#### Upgrade  
To update to the latest version:  
Terminal window  
```  
npm i agents@latest @cloudflare/ai-chat@latest  
```

Mar 23, 2026
1. ### [New AI Search REST API endpoints for /search and /chat/completions](https://developers.cloudflare.com/changelog/post/2026-03-23-ai-search-new-rest-api/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
[AI Search](https://developers.cloudflare.com/ai-search/) now offers new [REST API](https://developers.cloudflare.com/ai-search/api/search/rest-api/) endpoints for search and chat that use an OpenAI compatible format. This means you can use the familiar `messages` array structure that works with existing OpenAI SDKs and tools. The messages array also lets you pass previous messages within a session, so the model can maintain context across multiple turns.

| Endpoint         | Path                                                                     |
| ---------------- | ------------------------------------------------------------------------ |
| Chat Completions | POST /accounts/{account\_id}/ai-search/instances/{name}/chat/completions |
| Search           | POST /accounts/{account\_id}/ai-search/instances/{name}/search           |  
Here is an example request to the Chat Completions endpoint using the new `messages` array format:  
Terminal window  
```  
curl https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai-search/instances/{NAME}/chat/completions \  -H "Content-Type: application/json" \  -H "Authorization: Bearer {API_TOKEN}" \  -d '{    "messages": [      {        "role": "system",        "content": "You are a helpful documentation assistant."      },      {        "role": "user",        "content": "How do I get started?"      }    ]  }'  
```  
For more details, refer to the [AI Search REST API guide](https://developers.cloudflare.com/ai-search/api/search/rest-api/).  
#### Migration from existing AutoRAG API (recommended)  
If you are using the previous AutoRAG API endpoints (`/autorag/rags/`), we recommend migrating to the new endpoints. The previous AutoRAG API endpoints will continue to be fully supported.  
Refer to the [migration guide](https://developers.cloudflare.com/ai-search/api/migration/rest-api/) for step-by-step instructions.

Mar 23, 2026
1. ### [AI Search UI snippets and MCP support](https://developers.cloudflare.com/changelog/post/2026-03-23-ai-search-public-endpoint-and-snippets/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
[AI Search](https://developers.cloudflare.com/ai-search/) now supports public endpoints, UI snippets, and MCP, making it easy to add search to your website or connect AI agents.  
Public endpoints allow you to expose AI Search capabilities without requiring API authentication. To enable public endpoints:

  1. Go to **AI Search** in the Cloudflare dashboard. [ Go to **AI Search** ](https://dash.cloudflare.com/?to=/:account/ai/ai-search)
  2. Select your instance, and turn on **Public Endpoint** in **Settings**. For more details, refer to [Public endpoint configuration](https://developers.cloudflare.com/ai-search/configuration/retrieval/public-endpoint/).  
#### UI snippets  
UI snippets are pre-built search and chat components you can embed in your website. Visit [search.ai.cloudflare.com ↗](https://search.ai.cloudflare.com/) to configure and preview components for your AI Search instance.  
![Example of the search-modal-snippet component](https://developers.cloudflare.com/_astro/ui-snippet-search-modal.tIxR8nl5_2300oN.webp)  
To add a search modal to your page:  
```  
<script  type="module"  src="https://<INSTANCE_ID>.search.ai.cloudflare.com/assets/v0.0.25/search-snippet.es.js"></script>  
<search-modal-snippet  api-url="https://<INSTANCE_ID>.search.ai.cloudflare.com/"  placeholder="Search..."></search-modal-snippet>  
```  
For more details, refer to the [UI snippets documentation](https://developers.cloudflare.com/ai-search/configuration/retrieval/embed-search-snippets/).  
#### MCP  
The MCP endpoint allows AI agents to search your content via the Model Context Protocol. Connect your MCP client to:  
```  
https://<INSTANCE_ID>.search.ai.cloudflare.com/mcp  
```  
For more details, refer to the [MCP documentation](https://developers.cloudflare.com/ai-search/api/search/mcp/).

Mar 23, 2026
1. ### [Custom metadata filtering for AI Search](https://developers.cloudflare.com/changelog/post/2026-03-23-custom-metadata-filtering/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
[AI Search](https://developers.cloudflare.com/ai-search/) now supports custom metadata filtering, allowing you to define your own metadata fields and filter search results based on attributes like category, version, or any custom field you define.  
#### Define a custom metadata schema  
You can define up to 5 custom metadata fields per AI Search instance. Each field has a name and data type (`text`, `number`, or `boolean`):  
Terminal window  
```  
curl -X POST https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai-search/instances \  -H "Content-Type: application/json" \  -H "Authorization: Bearer {API_TOKEN}" \  -d '{    "id": "my-instance",    "type": "r2",    "source": "my-bucket",    "custom_metadata": [      { "field_name": "category", "data_type": "text" },      { "field_name": "version", "data_type": "number" },      { "field_name": "is_public", "data_type": "boolean" }    ]  }'  
```  
#### Add metadata to your documents  
How you attach metadata depends on your data source:

  * **R2 bucket**: Set metadata using S3-compatible custom headers (`x-amz-meta-*`) when uploading objects. Refer to [R2 custom metadata](https://developers.cloudflare.com/ai-search/configuration/data-source/r2/#custom-metadata) for examples.
  * **Website**: Add `<meta>` tags to your HTML pages. Refer to [Website custom metadata](https://developers.cloudflare.com/ai-search/configuration/data-source/website/#custom-metadata) for details.  
#### Filter search results  
Use custom metadata fields in your search queries alongside built-in attributes like `folder` and `timestamp`:  
Terminal window  
```  
curl https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai-search/instances/{NAME}/search \  -H "Content-Type: application/json" \  -H "Authorization: Bearer {API_TOKEN}" \  -d '{    "messages": [      {        "content": "How do I configure authentication?",        "role": "user"      }    ],    "ai_search_options": {      "retrieval": {        "filters": {          "category": "documentation",          "version": { "$gte": 2.0 }        }      }    }  }'  
```  
Learn more in the [metadata filtering documentation](https://developers.cloudflare.com/ai-search/configuration/indexing/metadata/).

Mar 23, 2026
1. ### [Web Assets fields now available in GraphQL Analytics API](https://developers.cloudflare.com/changelog/post/2026-03-23-web-assets-graphql-fields/)  
[ API Shield ](https://developers.cloudflare.com/api-shield/)  
Two new fields are now available in the `httpRequestsAdaptive` and `httpRequestsAdaptiveGroups` [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/) datasets:

  * `webAssetsOperationId` — the ID of the [saved endpoint](https://developers.cloudflare.com/api-shield/management-and-monitoring/) that matched the incoming request.
  * `webAssetsLabelsManaged` — the [managed labels](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) mapped to the matched operation at the time of the request (for example, `cf-llm`, `cf-log-in`). At most 10 labels are returned per request.  
Both fields are empty when no operation matched. `webAssetsLabelsManaged` is also empty when no managed labels are assigned to the matched operation.  
These fields allow you to determine, per request, which Web Assets operation was matched and which managed labels were active. This is useful for troubleshooting downstream security detection verdicts — for example, understanding why [AI Security for Apps](https://developers.cloudflare.com/waf/detections/ai-security-for-apps/) did or did not flag a request.  
Refer to [Endpoint labeling service](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/#analytics) for GraphQL query examples.

Mar 23, 2026
1. ### [R2 SQL now supports over 190 new functions, expressions, and complex types](https://developers.cloudflare.com/changelog/post/2026-03-23-expanded-sql-functions-expressions-complex-types/)  
[ R2 SQL ](https://developers.cloudflare.com/r2-sql/)  
[R2 SQL](https://developers.cloudflare.com/r2-sql/) now supports an expanded SQL grammar so you can write richer analytical queries without exporting data. This release adds CASE expressions, column aliases, arithmetic in clauses, 163 scalar functions, 33 aggregate functions, EXPLAIN, Common Table Expressions (CTEs),and full struct/array/map access. R2 SQL is Cloudflare's serverless, distributed, analytics query engine for querying [Apache Iceberg ↗](https://iceberg.apache.org/) tables stored in [R2 Data Catalog](https://developers.cloudflare.com/r2/data-catalog/). This page documents the supported SQL syntax.  
#### Highlights

  * **Column aliases** — `SELECT col AS alias` now works in all clauses
  * **CASE expressions** — conditional logic directly in SQL (searched and simple forms)
  * **Scalar functions** — 163 new functions across math, string, datetime, regex, crypto, encoding, and type inspection categories
  * **Aggregate functions** — statistical (variance, stddev, correlation, regression), bitwise, boolean, and positional aggregates join the existing basic and approximate functions
  * **Complex types** — query struct fields with bracket notation, use 46 array functions, and extract map keys/values
  * **Common table expressions (CTEs)** — use `WITH ... AS` to define named temporary result sets. Chained CTEs are supported. All CTEs must reference the same single table.
  * **Full expression support** — arithmetic, type casting (`CAST`, `TRY_CAST`, `::` shorthand), and `EXTRACT` in SELECT, WHERE, GROUP BY, HAVING, and ORDER BY  
#### Examples  
#### CASE expressions with statistical aggregates  
```  
SELECT source,    CASE        WHEN AVG(price) > 30 THEN 'premium'        WHEN AVG(price) > 10 THEN 'mid-tier'        ELSE 'budget'    END AS tier,    round(stddev(price), 2) AS price_volatility,    approx_percentile_cont(price, 0.95) AS p95_priceFROM my_namespace.sales_dataGROUP BY source  
```  
#### Struct and array access  
```  
SELECT product_name,    pricing['price'] AS price,    array_to_string(tags, ', ') AS tag_listFROM my_namespace.productsWHERE array_has(tags, 'Action')ORDER BY pricing['price'] DESCLIMIT 10  
```  
#### Chained CTEs with time-series analysis  
```  
WITH monthly AS (    SELECT date_trunc('month', sale_timestamp) AS month,        department,        COUNT(*) AS transactions,        round(AVG(total_amount), 2) AS avg_amount    FROM my_namespace.sales_data    WHERE sale_timestamp BETWEEN '2025-01-01T00:00:00Z' AND '2025-12-31T23:59:59Z'    GROUP BY date_trunc('month', sale_timestamp), department),ranked AS (    SELECT month, department, transactions, avg_amount,        CASE            WHEN avg_amount > 1000 THEN 'high-value'            WHEN avg_amount > 500 THEN 'mid-value'            ELSE 'standard'        END AS tier    FROM monthly    WHERE transactions > 100)SELECT * FROM rankedORDER BY month, avg_amount DESC  
```  
For the full function reference and syntax details, refer to the [SQL reference](https://developers.cloudflare.com/r2-sql/sql-reference/). For limitations and best practices, refer to [Limitations and best practices](https://developers.cloudflare.com/r2-sql/reference/limitations-best-practices/).

Mar 23, 2026
1. ### [WAF Release - 2026-03-23](https://developers.cloudflare.com/changelog/post/2026-03-23-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week's release focuses on new improvements to enhance coverage.

**Key Findings**

  * Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
  
  
| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                                                                               | Previous Action | New Action | Comments                                                                                                                                                                                  |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...97321c6c | N/A            | Command Injection - Generic 9 - URI Vector                                                                                | Log             | Disabled   | This is a new detection.                                                                                                                                                                  |
| Cloudflare Managed Ruleset | ...1eb7a999 | N/A            | Command Injection - Generic 9 - Header Vector                                                                             | Log             | Disabled   | This is a new detection.                                                                                                                                                                  |
| Cloudflare Managed Ruleset | ...0677175f | N/A            | Command Injection - Generic 9 - Body Vector                                                                               | Log             | Disabled   | This is a new detection.                                                                                                                                                                  |
| Cloudflare Managed Ruleset | ...479da68f | N/A            | PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta) | Log             | Block      | This rule has been merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID: ...824b817c  ) |

Mar 20, 2026
1. ### [Managed OAuth for Cloudflare Access](https://developers.cloudflare.com/changelog/post/2026-03-20-managed-oauth/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
Cloudflare Access supports managed OAuth, which allows non-browser clients — such as CLIs, AI agents, SDKs, and scripts — to authenticate with Access-protected applications using a standard OAuth 2.0 authorization code flow.  
Previously, non-browser clients that attempted to access a protected application received a `302` redirect to a login page they could not complete. The established workaround was `cloudflared access curl`, which required installing additional tooling.  
With managed OAuth, clients instead receive a `401` response with a `WWW-Authenticate` header that points to Access's OAuth discovery endpoints ([RFC 8414 ↗](https://datatracker.ietf.org/doc/html/rfc8414) and [RFC 9728 ↗](https://datatracker.ietf.org/doc/html/rfc9728)). The client opens the end user's browser to the Access login page. The end user authenticates with their identity provider, and the client receives an OAuth access token for subsequent requests.  
Access enforces the same policies as a browser login; the OAuth layer is a new transport mechanism, not a separate authentication path.  
Managed OAuth can be enabled on any self-hosted Access application or [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/). It is opt-in for existing applications to avoid interfering with those that run their own OAuth servers and rely on their own `WWW-Authenticate` headers.  
Note  
For MCP server portals, managed OAuth is enabled by default on new portals. It remains opt-in for self-hosted applications.  
To enable managed OAuth, go to **Zero Trust** \> **Access controls** \> **Applications**, edit the application, and turn on **Managed OAuth** under **Advanced settings**.  
You can also enable it via the API by setting `oauth_configuration.enabled` to `true` on the [Access applications endpoint](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/applications/methods/update/).  
![Managed OAuth settings in the Cloudflare dashboard](https://developers.cloudflare.com/_astro/managed-oauth.BirLnBpy_Zjg97R.webp)  
For setup instructions, refer to [Enable managed OAuth](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/managed-oauth/).

Mar 20, 2026
1. ### [Route MCP server portal traffic through Cloudflare Gateway](https://developers.cloudflare.com/changelog/post/2026-03-20-mcp-portal-gateway-routing/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
[MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) can now route traffic through [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) for richer HTTP request logging and data loss prevention (DLP) scanning.  
When Gateway routing is turned on, portal traffic appears in your [Gateway HTTP logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). You can create [Gateway HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) with [DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/) to detect and block sensitive data sent to upstream MCP servers.  
Note  
DLP [AI prompt profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#ai-prompt) do not apply to MCP server portal traffic.  
To enable Gateway routing, go to **Access controls** \> **AI controls**, edit the portal, and turn on **Route traffic through Cloudflare Gateway** under **Basic information**.  
![Route MCP server portal traffic through Cloudflare Gateway](https://developers.cloudflare.com/_astro/portal-route-through-gateway.0KMUAXBm_Z1B5rry.webp)  
For more details, refer to [Route traffic through Gateway](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#route-portal-traffic-through-gateway).

Mar 20, 2026
1. ### [DNS Analytics for Customer Metadata Boundary set to EU region](https://developers.cloudflare.com/changelog/post/2026-03-20-dns-analytics-cmb-eu/)  
[ DNS ](https://developers.cloudflare.com/dns/)  
DNS Analytics is now available for customers with [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) (CMB) set to EU. Query your DNS analytics data while keeping metadata stored in the EU region.  
This update includes:

  * **DNS Analytics** — Access the same DNS analytics experience for zones in CMB=EU accounts.
  * **EU data residency** — Analytics data is stored and queried from the EU region, meeting data localization requirements.
  * **DNS Firewall Analytics** — DNS Firewall analytics is now supported for CMB=EU customers.  
#### Availability  
Available to customers with the [Data Localization Suite](https://developers.cloudflare.com/data-localization/) who have Customer Metadata Boundary configured for the EU region.  
#### Where to find it

  * **Authoritative DNS:** In the Cloudflare dashboard, select your zone and go to the **Analytics** page.  
  [ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/dns/analytics)
  * **DNS Firewall:** In the Cloudflare dashboard, go to the **DNS Firewall Analytics** page.  
  [ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/dns-firewall/analytics)  
For more information, refer to [DNS Analytics](https://developers.cloudflare.com/dns/additional-options/analytics/) and [DNS Firewall Analytics](https://developers.cloudflare.com/dns/dns-firewall/analytics/).

Mar 20, 2026
1. ### [Stream logs from multiple replicas of Cloudflare Tunnel simultaneously](https://developers.cloudflare.com/changelog/post/2026-03-20-tunnel-replica-overview-and-multi-log-streaming/)  
[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)  
In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) of that tunnel and supports streaming logs from multiple replicas at once.  
![View replicas and stream logs from multiple connectors](https://developers.cloudflare.com/_astro/tunnel-multiconn.DEOEaLlu_ZDxArh.webp)  
Previously, you could only stream logs from one replica at a time. With this update:

  * **Replicas on the tunnel overview** — All active replicas for the selected tunnel now appear on that tunnel's overview page under **Connectors**. Select any replica to stream its logs.
  * **Multi-connector log streaming** — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to [Cloudflare One ↗](https://one.dash.cloudflare.com/) and go to **Networks** \> **Connectors** \> **Cloudflare Tunnels**. Select **View logs** next to the tunnel you want to monitor.  
For more information, refer to [Tunnel log streams](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) and [Deploy replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/deploy-replicas/).

Mar 20, 2026
1. ### [Observability for Workers VPC Services](https://developers.cloudflare.com/changelog/post/2026-03-20-metrics-and-settings-dashboard/)  
[ Workers VPC ](https://developers.cloudflare.com/workers-vpc/)  
Each VPC Service now has a **Metrics** tab so you can monitor connection health and debug failures without leaving the dashboard.  
![Workers VPC Metrics dashboard showing connections, latency, and errors charts](https://developers.cloudflare.com/_astro/2026-03-20-metrics-dashboard.6kfnbqQd_1Oc7Ft.webp)  
  * **Connections** — See successful and failed connections over time, broken down by what is responsible: your origin (Bad Upstream), your configuration (Client), or Cloudflare (Internal).
  * **Latency** — Track connection and DNS resolution latency trends.
  * **Errors** — Drill into specific error codes grouped by category, with filters to isolate upstream, client, or internal failures.  
You can also view and edit your VPC Service configuration, host details, and port assignments from the **Settings** tab.  
For a full list of error codes and what they mean, refer to [Troubleshooting](https://developers.cloudflare.com/workers-vpc/reference/troubleshooting/).

Mar 19, 2026
1. ### [Service Key authentication deprecated](https://developers.cloudflare.com/changelog/post/2026-03-19-service-key-authentication-deprecated/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
Service Key authentication for the Cloudflare API is deprecated. Service Keys will stop working on September 30, 2026.  
[API Tokens](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) replace Service Keys with fine-grained permissions, expiration, and revocation.  
#### What you need to do  
Replace any use of the `X-Auth-User-Service-Key` header with an [API Token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) scoped to the permissions your integration requires.  
If you use `cloudflared`, update to a version from November 2022 or later. These versions already use API Tokens.  
If you use [origin-ca-issuer ↗](https://github.com/cloudflare/origin-ca-issuer), update to a version that supports API Token authentication.  
For more information, refer to [API deprecations](https://developers.cloudflare.com/fundamentals/api/reference/deprecations/).

Mar 19, 2026
1. ### [Hyperdrive now supports custom TLS/SSL certificates for MySQL](https://developers.cloudflare.com/changelog/post/2026-03-19-hyperdrive-mysql-custom-certificate-support/)  
[ Hyperdrive ](https://developers.cloudflare.com/hyperdrive/)  
Hyperdrive now supports custom TLS/SSL certificates for MySQL databases, bringing the same certificate options previously available for PostgreSQL to MySQL connections.  
You can now configure:

  * **Server certificate verification** with `VERIFY_CA` or `VERIFY_IDENTITY` SSL modes to verify that your MySQL database server's certificate is signed by the expected certificate authority (CA).
  * **Client certificates** (mTLS) for Hyperdrive to authenticate itself to your MySQL database with credentials beyond username and password.  
Create a Hyperdrive configuration with custom certificates for MySQL:  
Terminal window  
```  
# Upload a CA certificatenpx wrangler cert upload certificate-authority --ca-cert your-ca-cert.pem --name your-custom-ca-name  
# Create a Hyperdrive with VERIFY_IDENTITY modenpx wrangler hyperdrive create your-hyperdrive-config \  --connection-string="mysql://user:password@hostname:port/database" \  --ca-certificate-id <CA_CERT_ID> \  --sslmode VERIFY_IDENTITY  
```  
For more information, refer to [SSL/TLS certificates for Hyperdrive](https://developers.cloudflare.com/hyperdrive/configuration/tls-ssl-certificates-for-hyperdrive/) and [MySQL TLS/SSL modes](https://developers.cloudflare.com/hyperdrive/examples/connect-to-mysql/).

Mar 19, 2026
1. ### [Manage Cloudflare Tunnels with Wrangler](https://developers.cloudflare.com/changelog/post/2026-03-19-wrangler-tunnel-commands/)  
[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Workers ](https://developers.cloudflare.com/workers/)  
You can now manage [Cloudflare Tunnels](https://developers.cloudflare.com/tunnel/) directly from [Wrangler](https://developers.cloudflare.com/workers/wrangler/), the CLI for the Cloudflare Developer Platform. The new [wrangler tunnel](https://developers.cloudflare.com/workers/wrangler/commands/tunnel/) commands let you create, run, and manage tunnels without leaving your terminal.  
![Wrangler tunnel commands demo](https://developers.cloudflare.com/_astro/wrangler-tunnel.DOqrtGGg_7EDX0.webp)  
Available commands:

  * `wrangler tunnel create` — Create a new remotely managed tunnel.
  * `wrangler tunnel list` — List all tunnels in your account.
  * `wrangler tunnel info` — Display details about a specific tunnel.
  * `wrangler tunnel delete` — Delete a tunnel.
  * `wrangler tunnel run` — Run a tunnel using the cloudflared daemon.
  * `wrangler tunnel quick-start` — Start a free, temporary tunnel without an account using [Quick Tunnels](https://developers.cloudflare.com/tunnel/setup/#quick-tunnels-development).  
Wrangler handles downloading and managing the [cloudflared](https://developers.cloudflare.com/tunnel/downloads/) binary automatically. On first use, you will be prompted to download `cloudflared` to a local cache directory.  
These commands are currently experimental and may change without notice.  
To get started, refer to the [Wrangler tunnel commands documentation](https://developers.cloudflare.com/workers/wrangler/commands/tunnel/).

Mar 19, 2026
1. ### [Moonshot AI Kimi K2.5 now available on Workers AI](https://developers.cloudflare.com/changelog/post/2026-03-19-kimi-k2-5-workers-ai/)  
[ Workers AI ](https://developers.cloudflare.com/workers-ai/)  
Workers AI is officially in the big models game. [@cf/moonshotai/kimi-k2.5](https://developers.cloudflare.com/workers-ai/models/kimi-k2.5/) is the first frontier-scale open-source model on our AI inference platform — a large model with a full 256k context window, multi-turn tool calling, vision inputs, and structured outputs. By bringing a frontier-scale model directly onto the Cloudflare Developer Platform, you can now run the entire agent lifecycle on a single, unified platform.  
The model has proven to be a fast, efficient alternative to larger proprietary models without sacrificing quality. As AI adoption increases, the volume of inference is skyrocketing — now you can access frontier intelligence at a fraction of the cost.  
#### Key capabilities

  * **256,000 token context window** for retaining full conversation history, tool definitions, and entire codebases across long-running agent sessions
  * **Multi-turn tool calling** for building agents that invoke tools across multiple conversation turns
  * **Vision inputs** for processing images alongside text
  * **Structured outputs** with JSON mode and JSON Schema support for reliable downstream parsing
  * **Function calling** for integrating external tools and APIs into agent workflows  
#### Prefix caching and session affinity  
When an agent sends a new prompt, it resends all previous prompts, tools, and context from the session. The delta between consecutive requests is usually just a few new lines of input. Prefix caching avoids reprocessing the shared context, saving time and compute from the prefill stage. This means faster Time to First Token (TTFT) and higher Tokens Per Second (TPS) throughput.  
Workers AI has done prefix caching, but we are now surfacing cached tokens as a usage metric and offering a discount on cached tokens compared to input tokens (pricing is listed on the [model page](https://developers.cloudflare.com/workers-ai/models/kimi-k2.5/)).  
Terminal window  
```  
curl -X POST \  "https://api.cloudflare.com/client/v4/accounts/{account_id}/ai/run/@cf/moonshotai/kimi-k2.5" \  -H "Authorization: Bearer {api_token}" \  -H "Content-Type: application/json" \  -H "x-session-affinity: ses_12345678" \  -d '{    "messages": [      {        "role": "system",        "content": "You are a helpful assistant."      },      {        "role": "user",        "content": "What is prefix caching and why does it matter?"      }    ],    "max_tokens": 2400,    "stream": true  }'  
```  
Some clients like [OpenCode ↗](https://opencode.ai) implement session affinity automatically. The [Agents SDK ↗](https://github.com/cloudflare/agents) starter also sets up the wiring for you.  
#### Redesigned asynchronous API  
For volumes of requests that exceed synchronous rate limits, you can submit batches of inferences to be completed asynchronously. We have revamped the [Asynchronous Batch API](https://developers.cloudflare.com/workers-ai/features/batch-api/) with a pull-based system that processes queued requests as soon as capacity is available. With internal testing, async requests usually execute within 5 minutes, but this depends on live traffic.  
The async API is the best way to avoid capacity errors in durable workflows. It is ideal for use cases that are not real-time, such as code scanning agents or research agents.  
To use the asynchronous API, pass `queueRequest: true`:  
JavaScript  
```  
// 1. Push a batch of requests into the queueconst res = await env.AI.run(  "@cf/moonshotai/kimi-k2.5",  {    requests: [      {        messages: [{ role: "user", content: "Tell me a joke" }],      },      {        messages: [{ role: "user", content: "Explain the Pythagoras theorem" }],      },    ],  },  { queueRequest: true },);  
// 2. Grab the request IDconst requestId = res.request_id;  
// 3. Poll for the resultconst result = await env.AI.run("@cf/moonshotai/kimi-k2.5", {  request_id: requestId,});  
if (result.status === "queued" || result.status === "running") {  // Retry by polling again} else {  return Response.json(result);}  
```  
You can also set up [event notifications](https://developers.cloudflare.com/workers-ai/platform/event-subscriptions/) to know when inference is complete instead of polling.  
#### Get started  
Use Kimi K2.5 through the [Workers AI binding](https://developers.cloudflare.com/workers-ai/configuration/bindings/) (`env.AI.run()`), the REST API at `/run` or `/v1/chat/completions`, [AI Gateway](https://developers.cloudflare.com/ai-gateway/), or via the [OpenAI-compatible endpoint](https://developers.cloudflare.com/workers-ai/configuration/open-ai-compatibility/).  
For more information, refer to the [Kimi K2.5 model page](https://developers.cloudflare.com/workers-ai/models/kimi-k2.5/), [pricing](https://developers.cloudflare.com/workers-ai/platform/pricing/), and [prompt caching](https://developers.cloudflare.com/workers-ai/features/prompt-caching/).

Mar 18, 2026
1. ### [SCIM provisioning for Authentik is now Generally Available](https://developers.cloudflare.com/changelog/post/2026-03-17-scim-authentik-support/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
Cloudflare dashboard SCIM provisioning now supports [Authentik ↗](https://goauthentik.io/) as an identity provider, joining Okta and Microsoft Entra ID as explicitly supported providers.  
Customers can now sync users and group information from Authentik to Cloudflare, apply Permission Policies to those groups, and manage the lifecycle of users & groups directly from your Authentik Identity Provider.  
Note  
SCIM provisioning for the Cloudflare dashboard is available to Enterprise customers. You must be a Super Administrator to complete the initial setup.  
For more information:

  * [SCIM provisioning overview](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/)
  * [Provision with Authentik](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/authentik/)

Mar 18, 2026
1. ### [SCIM audit logging Support](https://developers.cloudflare.com/changelog/post/2026-03-18-scim-audit-logging/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
Cloudflare dashboard SCIM provisioning operations are now captured in [Audit Logs v2](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/), giving you visibility into user and group changes made by your identity provider.  
![SCIM audit logging](https://developers.cloudflare.com/_astro/2026-03-18-scim-audit-logging.DPKMiE8X_ZojL4c.webp)  

**Logged actions:**

| Action Type       | Description                             |
| ----------------- | --------------------------------------- |
| Create SCIM User  | User provisioned from IdP               |
| Replace SCIM User | User fully replaced (PUT)               |
| Update SCIM User  | User attributes modified (PATCH)        |
| Delete SCIM User  | Member deprovisioned                    |
| Create SCIM Group | Group provisioned from IdP              |
| Update SCIM Group | Group membership or attributes modified |
| Delete SCIM Group | Group deprovisioned                     |  
For more details, refer to the [Audit Logs v2 documentation](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/).

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/12/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/12/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```
