--- title: Changelogs image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) All products ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) Jun 29, 2026 1. ### [Cloudflare One Client for Windows (version 2026.6.822.0)](https://developers.cloudflare.com/changelog/post/2026-06-29-warp-windows-ga/) [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) A new GA release for the Windows Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release introduces multiple features from our previous beta release into stable release, including: * The client now applies DNS search suffixes configured in your [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles) / [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies). Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See [DNS search suffixes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#dns-search-suffixes) for details. * Added mandatory authentication. When enabled via MDM, the Cloudflare One Client blocks all Internet traffic from the moment the machine boots until the user authenticates, closing the visibility gap on newly deployed devices and during re-authentication. See the [announcement blog](https://blog.cloudflare.com/mandatory-authentication-mfa/) and [documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-no-auth-no-internet/) for details. * Upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the TPM (with TPM 2.0+) whenever it is available to provide stronger protection against device impersonation. See [Hardware-backed registration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/hardware-backed-registration/) for details. * Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume. * Added new warp-cli debug commands for interactive connection diagnosis. See [Extra debug logging](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#extra-debug-logging) for details. * The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client. * Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated [Cloudflare One MDM documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#organization%5Fconfigs) for details. * Added support for dashboard-managed client version deployments. Administrators can now upgrade or downgrade the client version on enrolled devices directly from the Zero Trust dashboard. See [Client version assignments](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/client-version-assignments/) for details. **Additional Changes and improvements** * Client Certificate device-posture checks now support template variables (e.g. `${serial_number}`, `${device_uuid}`) in the Subject Alternative Name field. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry. * Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in Windows Accessibility settings. * Path MTU Discovery (PMTUD) is now enabled by default. * The UseWebView2 registry value (HKLM\\SOFTWARE\\Cloudflare\\CloudflareWARP\\UseWebView2 = y) is once again honored by the new GUI for authentication, so administrators who prefer the embedded WebView2 browser for sign-in can opt back in. This setting was effectively ignored in the previous release; the default browser was always used. This key is now also honored for re-authentications. * Fixed a crash in the authentication browser when navigating to a site that prompts for browser permissions (microphone, camera, notifications, etc.). The same fix had previously landed for the captive-portal browser; this extends it to the auth browser. * Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai\_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests. * Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry. * Fixed a high CPU issue when the device wakes from sleep. * Users can now register with team names in any case format without errors. * New UI fixes * Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication. * Added a re-auth button and banner to the home screen so users don't miss it when their session expires. * Added clear error messaging when the Cloudflare certificate needs to be installed. * Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users. * New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration. * Added ability to configure proxy mode for consumer users. * Added back the option to quit for consumer users. **Known issues** * An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed. * In rare cases, a registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed. * Windows ARM may prompt the user to close running applications while trying to install this version. Simply click "Ok" with the default highlighted option. Jun 29, 2026 1. ### [Cloudflare One Client for macOS (version 2026.6.822.0)](https://developers.cloudflare.com/changelog/post/2026-06-29-warp-macos-ga/) [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) A new GA release for the macOS Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release introduces multiple features from our previous beta release into stable release, including: * The client now applies DNS search suffixes configured in your [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles) / [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies). Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See [DNS search suffixes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#dns-search-suffixes) for details. * Upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the Secure Enclave whenever available to provide stronger protection against device impersonation. See [Hardware-backed registration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/hardware-backed-registration/) for details. * Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume. * Added new warp-cli debug commands for interactive connection diagnosis. See [Extra debug logging](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#extra-debug-logging) for details. * The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client. * Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated [Cloudflare One MDM documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#organization%5Fconfigs) for details. * Added support for dashboard-managed client version deployments. Administrators can now upgrade or downgrade the client version on enrolled devices directly from the Zero Trust dashboard. See [Client version assignments](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/client-version-assignments/) for details. **Additional Changes and improvements** * Client Certificate device-posture checks now support template variables (e.g. `${serial_number}`, `${device_uuid}`) in the Subject Alternative Name field. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry. * Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in the macOS Display settings. * Path MTU Discovery (PMTUD) is now enabled by default. * Fixed the in-client captive-portal browser rendering a blank "Success" page on some airline Wi-Fi networks. The browser now more consistently loads the airline's real portal page so users can complete sign-in from inside the client instead of having to open a separate browser. * Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai\_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests. * Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry. * Users can now register with team names in any case format without errors. * New UI fixes * Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication. * Added a re-auth button and banner to the home screen so users don't miss it when their session expires. * Added clear error messaging when the Cloudflare certificate needs to be installed. * Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users. * New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration. * Added ability to configure proxy mode for consumer users. * Added back the option to quit for consumer users. **Known issues** * Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed. Jun 29, 2026 1. ### [Cloudflare One Client for Linux (version 2026.6.822.0)](https://developers.cloudflare.com/changelog/post/2026-06-29-warp-linux-ga/) [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) A new GA release for the Linux Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). This release introduces multiple features from our previous beta release into stable release, including: * The client now applies DNS search suffixes configured in your [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles) / [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies). Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See [DNS search suffixes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#dns-search-suffixes) for details. * Upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the TPM (with TPM 2.0+) whenever it is available to provide stronger protection against device impersonation. See [Hardware-backed registration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/hardware-backed-registration/) for details. * Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume. * Added new warp-cli debug commands for interactive connection diagnosis. See [Extra debug logging](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#extra-debug-logging) for details. * The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client. * Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated [Cloudflare One MDM documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#organization%5Fconfigs) for details. **Additional changes and improvements** * Cloudflare Mesh functionality using the Cloudflare One Client is now supported on RHEL 9 and 10. * Cloudflare Mesh now supports hostname-based routing for Cloudflare Tunnel. * Client Certificate device-posture checks now support template variables (e.g. `${serial_number}`, `${device_uuid}`) in the Subject Alternative Name field. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry. * Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in the system display settings. * Path MTU Discovery (PMTUD) is now enabled by default. * Fixed the in-client captive-portal browser rendering a blank "Success" page on some airline Wi-Fi networks. The browser now more consistently loads the airline's real portal page so users can complete sign-in from inside the client instead of having to open a separate browser. * Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai\_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests. * Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry. * Fixed an issue where some Debian releases experienced inaccurate version reporting for posture checks. * Users can now register with team names in any case format without errors. * New UI fixes * Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication. * Added a re-auth button and banner to the home screen so users don't miss it when their session expires. * Added clear error messaging when the Cloudflare certificate needs to be installed. * Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users. * New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration. * Added ability to configure proxy mode for consumer users. * Added back the option to quit for consumer users. For RHEL deployments, this release introduces a dependency on the [Extra Packages for Enterprise Linux](https://docs.fedoraproject.org/en-US/epel/) repository (EPEL). The EPEL repository provides packages that support the captive portal detection’s in-app browser authentication and system tray icon. See [Getting started with EPEL](https://docs.fedoraproject.org/en-US/epel/getting-started/) for instructions on enabling EPEL. **Known issues** * Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed. Jun 26, 2026 1. ### [Agents SDK adds background sub-agents and a unified turn entry point](https://developers.cloudflare.com/changelog/post/2026-06-26-agents-sdk-v0170/) [ Agents ](https://developers.cloudflare.com/agents/)[ Workers ](https://developers.cloudflare.com/workers/) The latest release of the [Agents SDK ↗](https://github.com/cloudflare/agents) makes it easier to run long work in the background, drive turns through one entry point, and keep chat agents working through deploys, evictions, and reconnects. This release adds first-class detached (background) sub-agent runs with live progress and durable milestones, a single `runTurn` turn-admission entry point, and a large round of recovery and reliability fixes that continue converging `@cloudflare/think` and `@cloudflare/ai-chat` onto one model. #### Background sub-agents with progress and milestones `runAgentTool` can now dispatch a sub-agent without blocking the calling turn. A detached run returns a handle immediately and is owned by a durable, eviction-surviving backbone instead of being abandoned when the dispatching turn ends. * [ JavaScript ](#tab-panel-4682) * [ TypeScript ](#tab-panel-4683) JavaScript ``` class OrdersAgent extends Think { async startImport(input) { // Fire-and-forget, or wire a durable completion callback // (by method name, like schedule()): await this.runAgentTool(ImportAgent, { input, detached: { onFinish: "onImportDone", maxBudgetMs: 60 * 60 * 1000 }, }); } // result.status: "completed" | "error" | "aborted" | "interrupted" async onImportDone(run, result) {}} ``` TypeScript ``` class OrdersAgent extends Think { async startImport(input) { // Fire-and-forget, or wire a durable completion callback // (by method name, like schedule()): await this.runAgentTool(ImportAgent, { input, detached: { onFinish: "onImportDone", maxBudgetMs: 60 * 60 * 1000 }, }); } // result.status: "completed" | "error" | "aborted" | "interrupted" async onImportDone(run, result) {}} ``` Highlights: * **Durable, exactly-once-on-the-happy-path completion** via a warm fast path plus a self-scheduling reconcile backbone that survives eviction and deploys. * **Bounded.** An absolute `maxBudgetMs` ceiling (default 24h) and `cancelAgentTool(runId)` keep abandoned runs from holding a concurrency slot forever. * **`detached: { notify: true }`** lets a finished background run inject a message back into the chat so the model reacts to the result — no hand-wired `onFinish` needed. Sub-agents can also report mid-run progress that rides their own turn stream back to the parent's connected clients: * [ JavaScript ](#tab-panel-4680) * [ TypeScript ](#tab-panel-4681) JavaScript ``` // Inside the child sub-agent:await this.reportProgress({ fraction: 0.6, phase: "deploying", message: "Generating menu page…",}); ``` TypeScript ``` // Inside the child sub-agent:await this.reportProgress({ fraction: 0.6, phase: "deploying", message: "Generating menu page…",}); ``` Progress surfaces on `AgentToolRunState.progress` via `useAgentToolEvents`, so a background-runs tray can render a live bar without drilling in, and the latest snapshot is persisted for inspection after eviction. Naming a `milestone` promotes a signal to a durable, replayable row, and `detached: { onMilestones }` can surface a milestone as a synthetic chat message (`"narrate"` for a cheap status line, or `"react"` to drive a model turn). #### One entry point for turns: `runTurn` `@cloudflare/think` adds a public `runTurn(options)` facade that unifies turn admission behind a single `mode`: * [ JavaScript ](#tab-panel-4678) * [ TypeScript ](#tab-panel-4679) JavaScript ``` await this.runTurn({ mode: "wait", messages }); // saveMessages / continueLastTurnawait this.runTurn({ mode: "submit", messages }); // durable submitMessagesawait this.runTurn({ mode: "stream", messages }); // chat() ``` TypeScript ``` await this.runTurn({ mode: "wait", messages }); // saveMessages / continueLastTurnawait this.runTurn({ mode: "submit", messages }); // durable submitMessagesawait this.runTurn({ mode: "stream", messages }); // chat() ``` `stream` mode accepts array and function inputs to match `wait` mode, and all entry points now route through a shared internal admission path that throws a clear error on nested blocking admissions that previously could deadlock. #### Recovery and reliability A large part of this release continues hardening recovery and converging `@cloudflare/think` and `@cloudflare/ai-chat` onto one model: * **Stream stall watchdog.** `AIChatAgent` can detect and recover from a hung model/transport stream via the opt-in `chatStreamStallTimeoutMs` watchdog. With `chatRecovery` enabled the stall routes into the same bounded-recovery machinery a deploy or eviction uses; otherwise it surfaces as a terminal stream error so the spinner clears. * **Interrupted tool-call repair.** `AIChatAgent` now repairs a transcript with a dead server-tool call before re-entering inference (parity with `@cloudflare/think`), so a recovered turn no longer fails with `AI_MissingToolResultsError`. An overridable `repairInterruptedToolPart(part)` hook lets apps customize the repaired shape. * **Stuck status after reconnect.** Fixed AI SDK `status` getting stuck when a reconnect races a turn that has been accepted but has not started streaming yet, so the UI now renders the in-flight turn instead of settling on `ready`. * **Live "recovering…" on connect.** `AIChatAgent` now replays the recovering status to a client that connects mid-recovery, so `useAgentChat`'s `isRecovering` reflects in-progress recovery immediately instead of appearing frozen. * **Terminal connection failures.** The client stops reconnecting on terminal WebSocket close events and exposes them via `connectionError` / `onConnectionError` on `AgentClient`, `useAgent`, and `useAgentChat`. * **Agent-tool child recovery.** A healthy long-running sub-agent run is no longer abandoned as `interrupted` after a deploy (both `@cloudflare/think` and `AIChatAgent`). * **Workflows from sub-agent facets.** Agent Workflows can now start from sub-agent facets, with callbacks and Workflow RPC routed back to the originating facet. * Plus forward-progress crediting convergence, broadcast-first give-up ordering, an event-driven auto-continuation barrier, and structured row-size compaction in `AIChatAgent`. #### Other improvements * **Shared chat React core.** A new `agents/chat/react` entry exposes `useAgentChat`, transport helpers, and shared wire types, with `syncMessagesToServer` for server-authoritative transcript storage. `@cloudflare/think/react` and `@cloudflare/ai-chat/react` are now thin wrappers over it. * **Optional `ai` peer.** The root `agents` and `@cloudflare/codemode` runtimes no longer reference AI SDK types, so they bundle without `ai` / `zod` installed; AI-specific entry points still require the peer when imported. `just-bash` likewise moves to an optional peer used only by the skills bash runner. * **Code Mode.** The default `DynamicWorkerExecutor` timeout increases from 30s to 60s, executions now dispose the dynamically-loaded Worker and its RPC stub after each run (fixing a flaky isolate-shutdown assertion), connector imports are cleaned up, and the outer MCP tool-call context is passed to `openApiMcpServer` request callbacks. * **Voice.** Voice turns now support AI SDK `fullStream` responses (and warn when `textStream` is used). * **MCP.** `McpAgent` server-to-client requests can now be sent from callbacks that do not inherit the agent's async context, including callbacks reached through Worker Loader RPC. * **Experimental: server actions and channels.** This release lays groundwork for guarded server actions (`action()` / `getActions()` with a durable replay ledger and approvals) and a unified channels surface (`configureChannels()`, `deliverNotice()`). Both are experimental and their APIs may change, so we don't recommend depending on them yet. #### Upgrade To update to the latest version: npm yarn pnpm bun ``` npm i agents@latest @cloudflare/think@latest @cloudflare/ai-chat@latest @cloudflare/codemode@latest @cloudflare/voice@latest ``` ``` yarn add agents@latest @cloudflare/think@latest @cloudflare/ai-chat@latest @cloudflare/codemode@latest @cloudflare/voice@latest ``` ``` pnpm add agents@latest @cloudflare/think@latest @cloudflare/ai-chat@latest @cloudflare/codemode@latest @cloudflare/voice@latest ``` ``` bun add agents@latest @cloudflare/think@latest @cloudflare/ai-chat@latest @cloudflare/codemode@latest @cloudflare/voice@latest ``` Refer to the [Think documentation](https://developers.cloudflare.com/agents/harnesses/think/), [Code Mode documentation](https://developers.cloudflare.com/agents/tools/codemode/), and [Agents documentation](https://developers.cloudflare.com/agents/) for more information. Jun 26, 2026 1. ### [New \`us\` jurisdiction for Durable Objects](https://developers.cloudflare.com/changelog/post/2026-06-26-durable-objects-us-jurisdiction/) [ Durable Objects ](https://developers.cloudflare.com/durable-objects/)[ Workers ](https://developers.cloudflare.com/workers/) Durable Objects now supports a `us` [jurisdiction](https://developers.cloudflare.com/durable-objects/reference/data-location/#restrict-durable-objects-to-a-jurisdiction), letting you create Durable Objects that only run and store data within the United States. Use the `us` jurisdiction when you need to keep a Durable Object's compute and storage inside the United States to meet data residency requirements. Create a namespace restricted to the `us` jurisdiction the same way as any other jurisdiction: JavaScript ``` // Workerexport default { async fetch(request, env) { const usSubnamespace = env.MY_DURABLE_OBJECT.jurisdiction("us"); const stub = usSubnamespace.getByName("general"); return stub.fetch(request); },}; ``` Workers may still access Durable Objects constrained to the `us` jurisdiction from anywhere in the world. The jurisdiction constraint only controls where the Durable Object itself runs and persists data. For the full list of supported jurisdictions, refer to [Data location — Restrict Durable Objects to a jurisdiction](https://developers.cloudflare.com/durable-objects/reference/data-location/#restrict-durable-objects-to-a-jurisdiction). Jun 25, 2026 1. ### [Search API tokens by name](https://developers.cloudflare.com/changelog/post/2026-06-25-api-token-search/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) You can now search API tokens by name, making it easier to find specific tokens across large token lists without manually paginating. #### What's new * **Dashboard search**: Both [account API tokens ↗](https://dash.cloudflare.com/?to=/:account/account-api-tokens) and [user API tokens ↗](https://dash.cloudflare.com/profile/api-tokens) pages now include a search bar. Type a name to filter results. * **API search support**: The [/user/tokens](https://developers.cloudflare.com/api/resources/user/subresources/tokens/methods/list/) and [/accounts/{account\_id}/tokens](https://developers.cloudflare.com/api/resources/accounts/subresources/tokens/methods/list/) endpoints now accept a `name` query parameter to filter tokens by name. For more information, refer to [Create an API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) and [Account API tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/). Jun 25, 2026 1. ### [Test Durable Object eviction with new cloudflare:test helpers](https://developers.cloudflare.com/changelog/post/2026-06-25-durable-object-eviction-test-helpers/) [ Durable Objects ](https://developers.cloudflare.com/durable-objects/)[ Workers ](https://developers.cloudflare.com/workers/) The `@cloudflare/vitest-pool-workers` package now includes `evictDurableObject` and `evictAllDurableObjects` test helpers, exported from `cloudflare:test`. These helpers let you test how a Durable Object behaves across evictions, simulating the production lifecycle where an idle Durable Object can be evicted from memory. For more context, refer to [Lifecycle of a Durable Object](https://developers.cloudflare.com/durable-objects/concepts/durable-object-lifecycle/). TypeScript ``` import { evictDurableObject, evictAllDurableObjects } from "cloudflare:test";import { env } from "cloudflare:workers"; const id = env.COUNTER.idFromName("my-counter");const stub = env.COUNTER.get(id); // Evict the Durable Object instance pointed to by a specific stubawait evictDurableObject(stub); // Close WebSockets instead of hibernating themawait evictDurableObject(stub, { webSockets: "close" }); // Evict all currently-running Durable Objects in evictable namespacesawait evictAllDurableObjects(); ``` These helpers are available in `@cloudflare/vitest-pool-workers@0.16.20` and later. Learn more in the [Test APIs reference](https://developers.cloudflare.com/workers/testing/vitest-integration/test-apis/#durable-objects) and the [Testing Durable Objects guide](https://developers.cloudflare.com/durable-objects/examples/testing-with-durable-objects/#testing-eviction). Jun 24, 2026 1. ### [Cloudflare One Client for macOS (version 2026.6.782.1)](https://developers.cloudflare.com/changelog/post/2026-06-24-warp-macos-beta/) [ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) A new Beta release for the macOS Cloudflare One Client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/). This beta release introduces upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the Secure Enclave whenever available to provide stronger protection against device impersonation. **Additional changes and improvements** This release also introduces multiple fixes and improvements including: * Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in the macOS Display settings. * Path MTU Discovery (PMTUD) is now enabled by default. * Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry. * Users can now register with team names in any case format without errors. * New UI fixes * Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication. * Added a re-auth button and banner to the home screen so users don't miss it when their session expires. * Added clear error messaging when the Cloudflare certificate needs to be installed. * Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users. * New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration. * Added ability to configure proxy mode for consumer users. * Added back the option to quit for consumer users. **Known issues** * Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed. Jun 24, 2026 1. ### [Control AI Search similarity cache freshness](https://developers.cloudflare.com/changelog/post/2026-06-24-ai-search-similarity-cache-controls/) [ AI Search ](https://developers.cloudflare.com/ai-search/) [AI Search](https://developers.cloudflare.com/ai-search/) now gives you more control over [similarity cache](https://developers.cloudflare.com/ai-search/configuration/retrieval/cache/) freshness. Similarity cache helps reduce latency and inference cost by reusing responses for semantically similar queries. With these updates, you can choose how long responses are eligible for reuse and clear cached responses when they may be stale. #### Cache duration now defaults to 48 hours Previously, AI Search cached responses for a fixed duration of 30 days. Cached responses now use the instance's `cache_ttl` setting, and the default is **48 hours**. You can set `cache_ttl` when creating or updating an instance to choose a cache duration from 10 minutes to 6 days. Use a shorter TTL when your source content changes frequently and freshness is more important. Use a longer TTL when your content is stable and you want more cache reuse. For example, set `cache_ttl` to `518400` to retain cached responses for 6 days: ``` { "cache_ttl": 518400} ``` #### Purge cached responses You can also purge all cached responses for an instance on demand. Purging cached responses does not delete indexed content or source files. It prevents AI Search from reusing previous cached responses, so subsequent similar queries generate fresh answers and repopulate the cache. Terminal window ``` curl -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/ai-search/instances/$INSTANCE_NAME/purge_cache" \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` You can also purge cached responses from the instance settings page in the Cloudflare dashboard. Refer to [similarity cache](https://developers.cloudflare.com/ai-search/configuration/retrieval/cache/) for the full list of supported `cache_ttl` values and more details about cache behavior. Jun 24, 2026 1. ### [Audit Logs v2 — Organization-level audit logs in Cloudflare dashboard](https://developers.cloudflare.com/changelog/post/2026-06-24-audit-logs-v2-organization-dashboard-ui/) [ Audit Logs ](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/) You can now, as an [Organization](https://developers.cloudflare.com/fundamentals/organizations/) Super Administrator, view organization-level [audit logs](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/) in the Cloudflare dashboard, in addition to the existing [API access](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/#organization-activity-logs). Organization audit logs help you monitor activity across your organization. You can see who performed an action, what changed, when it happened, how it was performed, and whether it succeeded or failed. You can filter and search logs by actor, action, result, resource, request details, and timestamp. Use these logs to troubleshoot changes, investigate unexpected access, and support security or compliance workflows. ![Organization audit logs in the Cloudflare dashboard](https://developers.cloudflare.com/_astro/Audit_logs_v2_organization_dashboard.De-uwPva_Z1QU6mw.webp) If you are viewing account-level audit logs and the account belongs to an organization where you are an Organization Super Administrator, select **View Organization Audit Logs** to open the parent organization's audit logs. ![View Organization Audit Logs button](https://developers.cloudflare.com/_astro/Audit_logs_v2_view_organization_button.Ch7CaBB-_Z10mKrb.webp) To get started, go to **Organizations**, select your organization, then go to **Manage Organization** \> **Audit Logs**. For more information, refer to the [Audit Logs documentation](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/). Jun 24, 2026 1. ### [New WebSocket Analytics Logpush dataset and updated fields](https://developers.cloudflare.com/changelog/post/2026-06-24-log-fields-updated/) [ Logs ](https://developers.cloudflare.com/logs/) Cloudflare has updated [Logpush datasets](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/): #### New datasets * **WebSocket Analytics**: A new dataset with fields including `BytesReceivedClient`, `BytesReceivedOrigin`, `BytesSentClient`, `BytesSentOrigin`, `ClientASN`, `ClientIP`, `ClientRequestHost`, `ClientRequestPath`, `ClientRequestUserAgent`, `ColoCode`, `ConnectionCloseReason`, `ConnectionCloseSource`, `ConnectionID`, `ConnectionTransportCloseCode`, `EdgeEndTimestamp`, `EdgeStartTimestamp`, and `RayID`. #### Updated fields in existing datasets * **Firewall events** (added): `ZoneName`. The Firewall events dataset is now also available for [account-scope Logpush](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/firewall%5Fevents/), in addition to the existing zone scope. * **Email Security Alerts** (added): `BCC`, `DKIMResult`, `DMARCPolicy`, `DMARCResult`, and `SPFResult`. For the complete field definitions for each dataset, refer to [Logpush datasets](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/). Jun 24, 2026 1. ### [Precise IP location and richer AS details on the Cloudflare Radar IP page](https://developers.cloudflare.com/changelog/post/2026-06-24-radar-ip-page-improvements/) [ Radar ](https://developers.cloudflare.com/radar/) [**Radar**](https://developers.cloudflare.com/radar/) now plots your IPv4 and IPv6 locations on the [IP page ↗](https://radar.cloudflare.com/ip), shows the Cloudflare data centers serving your connection, and includes more detail about the autonomous system (AS) your primary IP belongs to. #### Your IP location on the map The map of your connection now shows: * **IP location markers** — The primary IP will show as a red marker. When both IP addresses do not geolocate to the same place, a second marker will appear in blue with a note explaining why IPv4 and IPv6 can resolve to different locations. * **Cloudflare data center markers** — Cloudflare data centers now show as orange dots on the map and the one you are connected to is highlighted. * **Data center connectors** — Each line connects your IP markers to their respective data centers. ![Map showing Cloudflare data centers and a marker representing the IP location with a line connected to a data center](https://developers.cloudflare.com/_astro/ip-page-geolocation.BJ53oUtj_ZhL3mu.webp) Due to the data policies of our geolocation provider, this detailed location is only available for your own IP. Other IP addresses keep the current country-level view. #### Extended AS information The AS card on the IP page now shows additional detail about the network an IP belongs to — including alternate names, the operator website, and an estimate of the AS user population — alongside the AS number and country. Visit the [Cloudflare Radar IP page ↗](https://radar.cloudflare.com/ip) to explore more details about your IP. Jun 23, 2026 1. ### [Workflows rollback handlers now include step context](https://developers.cloudflare.com/changelog/post/2026-06-16-rollback-options/) [ Workflows ](https://developers.cloudflare.com/workflows/) [Workflows](https://developers.cloudflare.com/workflows/) makes it easier to build reliable multi-step applications that can recover when downstream systems fail. Rollback handlers now receive the original [step context](https://developers.cloudflare.com/workflows/build/step-context/) via a `ctx` object for the step being rolled back. This includes `ctx.step.name`, `ctx.step.count`, `ctx.attempt`, and the step `config` with defaults applied. The [step configuration](https://developers.cloudflare.com/workflows/build/workers-api/#workflowstepconfig) includes the retry and timeout settings used for that step, so you can customize your step recovery logic according to those fields. TypeScript ``` await step.do( "create charge", async () => { const charge = await createCharge(); return { chargeId: charge.id }; }, { rollback: async ({ ctx, output, error }) => { // `output` is the value returned by the step being rolled back. const { chargeId } = output as { chargeId: string }; await refundCharge(chargeId, { // `ctx` is the original step context, including step name, count, attempt, and config. reason: `${ctx.step.name}: ${error.message}`, }); }, rollbackConfig: { // `rollbackConfig` controls retries and timeout for the rollback handler. retries: { limit: 3, delay: "30 seconds", backoff: "linear" }, timeout: "5 minutes", }, },); ``` Refer to [rollback options](https://developers.cloudflare.com/workflows/build/workers-api/#rollback-options) to learn more. Jun 23, 2026 1. ### [Cloudflare AMP/SXG is now end of life.](https://developers.cloudflare.com/changelog/post/2026-06-23-amp-sxg-end-of-life/) [ Speed ](https://developers.cloudflare.com/speed/) Cloudflare Accelerated Mobile Pages (AMP) and Signed Exchanges (SXG) support has reached end of life. The features have been disabled since October 2025, so customers who had them configured should see no change to their traffic. Customers will no longer be able to configure AMP/SXG through API or rulesets. The Zone API will start throwing errors. Rulesets with the SXG configuration will fail to save until SXG has been removed. Jun 23, 2026 1. ### [WAF Release - 2026-06-23](https://developers.cloudflare.com/changelog/post/2026-06-23-waf-release/) [ WAF ](https://developers.cloudflare.com/waf/) This week's release introduces new managed protection to address a critical pre-authentication OS command injection vulnerability in Ivanti Sentry (CVE-2026-10520). **Key Findings** * CVE-2026-10520: An OS command injection vulnerability in Ivanti Sentry allows remote, unauthenticated attackers to execute arbitrary system commands with root privileges. The flaw stems from improper sanitization of input strings parsed during internal configuration handling. | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ------------------------------------------------------ | --------------- | ---------- | ------------------------ | | Cloudflare Managed Ruleset | ...242fdf83 | N/A | Ivanti Sentry - Command Injection - CVE:CVE-2026-10520 | Log | Block | This is a new detection. | Jun 23, 2026 1. ### [WAF Release - Scheduled changes for 2026-06-29](https://developers.cloudflare.com/changelog/post/scheduled-waf-release/) [ WAF ](https://developers.cloudflare.com/waf/) | Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments | | ----------------- | ------------ | ---------------- | -------------- | ----------- | ----------------------------------------------------------- | ------------------------ | | 2026-06-23 | 2026-06-29 | Log | N/A | ...d84c92c9 | Fortinet FortiSandbox - Path Traversal - CVE:CVE-2026-39813 | This is a new detection. | Jun 22, 2026 1. ### [R2 SQL now supports window functions, DISTINCT, and set operations](https://developers.cloudflare.com/changelog/post/2026-06-21-window-functions-distinct-set-operations/) [ R2 SQL ](https://developers.cloudflare.com/r2-sql/) R2 SQL now supports window functions, `SELECT DISTINCT`, set operations, and additional aggregates, making it easier to write analytical queries without preprocessing your data elsewhere. [R2 SQL](https://developers.cloudflare.com/r2-sql/) is Cloudflare's serverless, distributed SQL engine for querying [Apache Iceberg ↗](https://iceberg.apache.org/) tables stored in [R2 Data Catalog](https://developers.cloudflare.com/r2/data-catalog/). #### New capabilities * **Window functions** — `ROW_NUMBER`, `RANK`, `DENSE_RANK`, `PERCENT_RANK`, `CUME_DIST`, `NTILE`, `LAG`, `LEAD`, `FIRST_VALUE`, `LAST_VALUE`, `NTH_VALUE`, and aggregates with an `OVER (...)` clause, including `PARTITION BY` and explicit frames * **QUALIFY** — filter rows based on a window function result * **DISTINCT** — `SELECT DISTINCT`, `DISTINCT ON (...)`, and the `DISTINCT` modifier on aggregates such as `COUNT(DISTINCT ...)` * **Set operations** — `UNION`, `UNION ALL`, `INTERSECT`, and `EXCEPT` * **Grouping extensions** — `GROUPING SETS`, `ROLLUP`, and `CUBE` * **Exact aggregates** — `MEDIAN`, `PERCENTILE_CONT`, `ARRAY_AGG`, and `STRING_AGG` #### Examples #### Rank rows with a window function ``` SELECT customer_id, region, ROW_NUMBER() OVER (PARTITION BY region ORDER BY total_amount DESC) AS rank_in_regionFROM my_namespace.sales_data ``` #### Filter with QUALIFY ``` SELECT customer_id, region, total_amountFROM my_namespace.sales_dataQUALIFY ROW_NUMBER() OVER (PARTITION BY region ORDER BY total_amount DESC) <= 3 ``` #### Combine tables with a set operation ``` SELECT customer_id FROM my_namespace.sales_dataEXCEPTSELECT customer_id FROM my_namespace.archived_sales ``` The named `WINDOW` clause is not supported — inline the `OVER (...)` specification at each call site. For the full syntax reference, refer to the [SQL reference](https://developers.cloudflare.com/r2-sql/sql-reference/). For supported features and performance guidance, refer to [Limitations and best practices](https://developers.cloudflare.com/r2-sql/reference/limitations-best-practices/). Jun 19, 2026 1. ### [Manage all your routes from one page in the dashboard](https://developers.cloudflare.com/changelog/post/2026-06-19-unified-routes-page/) [ Cloudflare Mesh ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) The **Routes** page in the Cloudflare dashboard now shows the routes across all of your connectors — [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) and [Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/) routes alongside [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) and [Magic Transit](https://developers.cloudflare.com/magic-transit/) static routes — in a single table, instead of a separate routes view per product. ![The unified Routes page in the Cloudflare dashboard, showing routes across connectors in a single table](https://developers.cloudflare.com/_astro/2026-06-19-unified-routes.B3igBY20_Z1awHp.webp) From the unified Routes page you can: * **Visualize your network with an interactive map** that shows how your destinations flow through to your connectors — including equal-cost multi-path (ECMP) routes where the same prefix is served by several connectors. Select a node to filter the table down to the routes behind it. * **See every route in one table**, with its destination, type, connector, priority, and source, and filter or sort to find what you need. * **Create, edit, and delete routes** of any supported type without leaving the page. When adding a Cloudflare WAN or Magic Transit static route, you now pick the next hop by **connector name** instead of typing its IP. * **Manage [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/)** from a dedicated tab. * **Test a route** to see which connector and next hop a destination resolves to before you commit a change. To find it, go to **Networking** \> **Routes** in the dashboard sidebar. [ Go to **Routes** ](https://dash.cloudflare.com/?to=/:account/magic-networks/routes) Your existing routes, APIs, and configurations are unchanged — this is a dashboard experience that brings them together in one place. Learn how to [add routes](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/) and [manage virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/). Jun 19, 2026 1. ### [New Asia-Pacific location hints: apac-ne and apac-se](https://developers.cloudflare.com/changelog/post/2026-06-19-apac-ne-apac-se-location-hints/) [ Durable Objects ](https://developers.cloudflare.com/durable-objects/)[ Workers ](https://developers.cloudflare.com/workers/) Durable Objects now supports two new location hints for Asia-Pacific: `apac-ne` (Northeast Asia-Pacific) and `apac-se` (Southeast Asia-Pacific). Use `apac-ne` or `apac-se` when you want finer-grained placement within Asia-Pacific rather than the broader `apac` hint. Use the new hints the same way as any other `locationHint`: JavaScript ``` // Northeast Asia-Pacific (Japan, Korea, etc.)const stubNE = env.MY_DURABLE_OBJECT.get(id, { locationHint: "apac-ne" }); // Southeast Asia-Pacific (Singapore, Indonesia, etc.)const stubSE = env.MY_DURABLE_OBJECT.get(id, { locationHint: "apac-se" }); ``` If your users are spread across all of Asia-Pacific, the existing `apac` hint remains the right choice. Only reach for `apac-ne` or `apac-se` when your traffic is clearly concentrated in one sub-region and you want to minimize round-trip time to that audience. The default behavior and what we generally recommended is not adding a location hint unless absolutely needed, this will create the Durable Object as close to the initializing request as possible to reduce latency. As with all location hints, these are best-effort suggestions. Cloudflare will place the Durable Object in a nearby data center, not necessarily the exact hinted location. For the full list of supported hints, refer to [Data location — Provide a location hint](https://developers.cloudflare.com/durable-objects/reference/data-location/#provide-a-location-hint). Jun 19, 2026 1. ### [Outbound connections keep Durable Objects alive](https://developers.cloudflare.com/changelog/post/2026-06-19-outbound-connections-keep-dos-alive/) [ Durable Objects ](https://developers.cloudflare.com/durable-objects/) Durable Objects now remain alive for the duration of active outbound connections created via [connect()](https://developers.cloudflare.com/workers/runtime-apis/tcp-sockets/) or an outbound WebSocket. Previously, a Durable Object would be evicted after 70-140 seconds of no incoming traffic, even if the object had an open outbound connection, which is a common pattern when streaming responses from a large language model (LLM) over TCP or an outbound WebSocket. With this change, each active outbound connection prevents eviction. Once all outbound connections close, the standard 70-140 second inactivity window applies before the Durable Object is evicted. #### Before: streaming connections were cut off by eviction ![Timeline showing a Durable Object evicted 70-140 seconds after the last incoming request, cutting off an in-flight LLM stream while the outbound connection is still open](https://developers.cloudflare.com/_astro/outbound-connection-before.DpePflZI_1djzQi.svg) #### After: active outbound connections keep the Durable Object alive ![Timeline showing the same outbound stream completing because the active connection keeps the Durable Object alive, with the inactivity window starting only after the connection closes](https://developers.cloudflare.com/_astro/outbound-connection-after.Bn9BVcYz_1djzQi.svg) If you are [building agents on Cloudflare](https://developers.cloudflare.com/agents/), this is especially relevant. An agent that streams tokens from an LLM while [calling models](https://developers.cloudflare.com/agents/concepts/calling-llms/), or that performs [long-running tasks](https://developers.cloudflare.com/agents/concepts/agentic-patterns/long-running-agents/) over an outbound connection, now stays alive for the duration of that connection instead of being evicted mid-stream. **Limits:** * Each outbound connection keeps the Durable Object alive for a maximum of **15 minutes**. After 15 minutes, the connection stops preventing eviction (the connection itself continues operating), and the [standard eviction rules](https://developers.cloudflare.com/durable-objects/concepts/durable-object-lifecycle/) resume. * The Durable Object's existing [per-account instance limits](https://developers.cloudflare.com/durable-objects/platform/limits/) still apply. For more information, refer to [Lifecycle of a Durable Object](https://developers.cloudflare.com/durable-objects/concepts/durable-object-lifecycle/). Jun 19, 2026 1. ### [Temporary accounts for AI agent deployments](https://developers.cloudflare.com/changelog/post/2026-06-19-temporary-accounts-for-agents/) [ Workers ](https://developers.cloudflare.com/workers/) AI agents can now deploy Workers to Cloudflare without first requiring a user to sign up, open a browser-based OAuth flow, click through the dashboard, or create an API token. When an agent tries to deploy without Cloudflare credentials, Wrangler can tell it to rerun with `--temporary`, then deploy the Worker to a temporary preview account. To try this with your agent, update to Wrangler 4.102.0 or later, make sure you are logged out (`wrangler logout`), and then ask your agent to build something and deploy it to Cloudflare. The agent should follow Wrangler's output and deploy using the `--temporary` flag. ![Diagram showing an AI agent deploying, verifying, and redeploying a Worker to a temporary account, then claiming it after authentication and moving it to a permanent account](https://developers.cloudflare.com/_astro/claim-deployments-flow.Co0tUHG4_g1dGj.webp) Terminal window ``` wrangler deploy --temporary ``` The temporary deployment stays live for 60 minutes. During that window, the agent can verify the Worker, redeploy changes, and return both the live Worker URL and claim URL. Opening the claim URL lets you sign in to or create a Cloudflare account and make the temporary account permanent. Temporary preview accounts currently support a limited set of products, including Workers, Workers Static Assets, Workers KV, D1, Durable Objects, Hyperdrive, Queues, and SSL/TLS certificates. For supported products, limits, and claim behavior, refer to [Claim deployments (temporary accounts)](https://developers.cloudflare.com/workers/platform/claim-deployments/). For more context, refer to [Temporary Cloudflare Accounts for Agents ↗](https://blog.cloudflare.com/temporary-accounts/). Jun 18, 2026 1. ### [Cloudflare identity provider is now the default for new accounts](https://developers.cloudflare.com/changelog/post/2026-06-18-cloudflare-idp-default/) [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) When you create a new Zero Trust organization, Cloudflare now adds the [Cloudflare identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/cloudflare/) as your default login method. Previously, new organizations started with [one-time PIN (OTP)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/). With the Cloudflare identity provider, your users authenticate using their existing Cloudflare account credentials, and authentication is restricted to members of your account. You can still add OTP or connect any [third-party identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) whenever you need to. This change only applies to newly created accounts. Existing organizations keep the login methods they already have configured. If you would like to use the Cloudflare Identity Provider in an existing account, you must enable it. Jun 18, 2026 1. ### [exec() is now available for Containers](https://developers.cloudflare.com/changelog/post/2026-06-18-container-exec/) [ Containers ](https://developers.cloudflare.com/containers/) `exec()` is now available for [Containers](https://developers.cloudflare.com/containers/). Use `this.ctx.container.exec()` to start processes inside a running Container, stream standard input and output, inspect exit codes, and signal each process. Call `exec()` from a class extending `Container`, or from another Durable Object through `this.ctx.container`. The associated Container must already be running. This example starts the Container when needed, then reads its Node.js version: * [ JavaScript ](#tab-panel-4684) * [ TypeScript ](#tab-panel-4685) src/index.js ``` import { Container } from "@cloudflare/containers"; export class MyContainer extends Container { async readVersion() { if (!this.ctx.container.running) { await this.start(); } const process = await this.ctx.container.exec(["node", "--version"]); const output = await process.output(); const decoder = new TextDecoder(); return { exitCode: output.exitCode, stdout: decoder.decode(output.stdout), stderr: decoder.decode(output.stderr), }; }} ``` src/index.ts ``` import { Container } from "@cloudflare/containers"; export class MyContainer extends Container { async readVersion() { if (!this.ctx.container.running) { await this.start(); } const process = await this.ctx.container.exec(["node", "--version"]); const output = await process.output(); const decoder = new TextDecoder(); return { exitCode: output.exitCode, stdout: decoder.decode(output.stdout), stderr: decoder.decode(output.stderr), }; }} ``` The command array starts an executable directly, without an implicit shell. Invoke a shell explicitly for pipes, redirects, or variable expansion. One RPC method can coordinate multiple `exec()` calls in one caller-to-Durable Object round trip. It can also pass byte-oriented `ReadableStream` input or return streamed output with flow control. For options and streaming examples, refer to [Execute commands](https://developers.cloudflare.com/containers/execute-commands/). Jun 18, 2026 1. ### [Create PlanetScale Postgres and MySQL databases, billed to your Cloudflare account](https://developers.cloudflare.com/changelog/post/2026-06-18-planetscale-databases-cloudflare-billing/) [ Hyperdrive ](https://developers.cloudflare.com/hyperdrive/)[ Workers ](https://developers.cloudflare.com/workers/) You can create PlanetScale Postgres and MySQL databases from Cloudflare and bill PlanetScale database usage through your Cloudflare account as a pay-as-you-go customer. Cloudflare contract customers will be able to add PlanetScale usage to their contract in July so reach out to your Cloudflare account team if interested. Create a PlanetScale database from the Cloudflare dashboard to check out globally distributed Workers optimized for regional data access. [ Go to **Create a PlanetScale database** ](https://dash.cloudflare.com/?to=/:account/workers/hyperdrive?modal=1&type=planetscale&step=1) ![Request flow from a user to Workers, Hyperdrive caches, connection pools, and PlanetScale.](https://developers.cloudflare.com/_astro/planetscale-request-flow.CchJ2m4p_1fTg6l.svg) PlanetScale databases created from Cloudflare work with [Workers](https://developers.cloudflare.com/workers/) through [Hyperdrive](https://developers.cloudflare.com/hyperdrive/). Hyperdrive manages database connection pools and query caching, so you can use PlanetScale as a centralized relational database for Workers applications without changing your database drivers, object-relational mapping (ORM) libraries, or SQL tooling. PlanetScale usage appears on your Cloudflare invoice each billing period as a dollar total at PlanetScale's standard [pricing ↗](https://planetscale.com/pricing). You can introspect per-database billing usage via PlanetScale's [dashboard ↗](https://planetscale.com/docs/billing#organization-usage-and-billing-page). When you create a PlanetScale database from the Cloudflare dashboard, you receive the same PlanetScale developer experience, including development branches, query insights, and Model Context Protocol (MCP) server support for agents. To get started, refer to [PlanetScale Postgres and MySQL with Hyperdrive](https://developers.cloudflare.com/hyperdrive/planetscale/). Jun 18, 2026 1. ### [Updated Workers AI popularity metric in Cloudflare Radar](https://developers.cloudflare.com/changelog/post/2026-06-18-radar-workers-ai-inference-metric/) [ Radar ](https://developers.cloudflare.com/radar/) [**Radar**](https://developers.cloudflare.com/radar/) has changed how it measures [Workers AI](https://developers.cloudflare.com/workers-ai/) model and task popularity. Previously, popularity was based on the number of unique accounts running inferences against each model or task. It is now based on the **number of inferences**, giving a more representative view of actual usage volume. This change will affect all new measurements as well as historical data. As a result, the model and task distributions shown on Radar may differ from what you saw previously, and historical trends may shift accordingly. The [Workers AI model popularity ↗](https://radar.cloudflare.com/ai-insights#workers-ai-model-popularity) chart shows the distribution of inferences across models. ![Screenshot of the Workers AI model popularity chart on the AI Insights page](https://developers.cloudflare.com/_astro/workers-ai-model-popularity.CMw_WVXg_Tjg4b.webp) The [Workers AI task popularity ↗](https://radar.cloudflare.com/ai-insights#workers-ai-task-popularity) chart shows the distribution of inferences across tasks. ![Screenshot of the Workers AI task popularity chart on the AI Insights page](https://developers.cloudflare.com/_astro/workers-ai-task-popularity.ZoA-NO8k_ZVCPD5.webp) The same data is available via the following API endpoints: * [/ai/inference/summary/{dimension}](https://developers.cloudflare.com/api/resources/radar/subresources/ai/subresources/inference/methods/summary%5Fv2/) * [/ai/inference/timeseries\_groups/{dimension}](https://developers.cloudflare.com/api/resources/radar/subresources/ai/subresources/inference/methods/timeseries%5Fgroups%5Fv2/) Explore the data on the [AI Insights page ↗](https://radar.cloudflare.com/ai-insights). ```json {"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} ```