Consumer Services Release Notes

Radar now features an expanded Routing section with dedicated sub-pages, providing a more organized and in-depth view of the global routing ecosystem. This restructuring lays the groundwork for additional routing features and widgets coming in the near future.

Dedicated sub-pages

The single Routing page has been split into three focused sub-pages:

• Overview — Routing statistics, IP address space trends, BGP announcements, and the new Top 100 ASes ranking.
• RPKI — RPKI validation status, ASPA deployment trends, and per-ASN ASPA provider details.
• Anomalies — BGP route leaks, origin hijacks, and Multi-Origin AS (MOAS) conflicts.

New widgets

The routing overview now includes a Top 100 ASes table ranking autonomous systems by customer cone size, IPv4 address space, or IPv6 address space. Users can switch between rankings using a segmented control.

The RPKI sub-page introduces a RPKI validation view for per-ASN pages, showing prefixes grouped by RPKI validation status (Valid, Invalid, Unknown) with visibility scores.

Improved IP address space chart

The IP address space chart now displays both IPv4 and IPv6 trends stacked vertically and is available on global, country, and AS views.

Check out the Radar routing section to explore the data, and stay tuned for more routing insights coming soon.

Radar ships several improvements to the URL Scanner that make scan reports more informative and easier to share:

• Live screenshots — the summary card now includes an option to capture a live screenshot of the scanned URL on demand using the Browser Rendering API.
• Save as PDF — a new button generates a print-optimized document aggregating all tab contents (Summary, Security, Network, Behavior, and Indicators) into a single file.
• Download as JSON — raw scan data is available as a JSON download for programmatic use.
• Redesigned summary layout — page information and security details are now displayed side by side with the screenshot, with a layout that adapts to narrower viewports.
• File downloads — downloads are separated into a dedicated card with expandable rows showing each file's source URL and SHA256 hash.
• Detailed IP address data — the Network tab now includes additional detail per IP address observed during the scan.

Explore these improvements on the Cloudflare Radar URL Scanner.

Cloudflare Workflows retry logic

Cloudflare Workflows allows you to configure specific retry logic for each step in your workflow execution. Now, you can access which retry attempt is currently executing for calls to

step.do():

// ctx.attempt is 1 on first try, 2 on first retry, etc.

console.log(`Attempt ${ctx.attempt}`);

You can use the step context for improved logging & observability, progressive backoff, or conditional logic in your workflow definition.

Note that the current attempt number is 1-indexed. For more information on retry behavior, refer to Sleeping and Retrying.

Sleeping and Retrying

Real-time transcription in RealtimeKit

Real-time transcription in RealtimeKit now supports 10 languages with regional variants, powered by Deepgram Nova-3 running on Workers AI.

During a meeting, participant audio is routed through AI Gateway to Nova-3 on Workers AI — so transcription runs on Cloudflare's network end-to-end, reducing latency compared to routing through external speech-to-text services.

Set the language when creating a meeting via ai_config.transcription.language :

{
 {
 "ai_config": {
 "transcription": {
 "language": "fr"
 }
 }
}

Supported languages include English, Spanish, French, German, Hindi, Russian, Portuguese, Japanese, Italian, and Dutch — with regional variants like en-AU, en-GB, en-IN, en-NZ, es-419, fr-CA, de-CH, pt-BR, and pt-PT. Use multi for automatic multilingual detection.

If you are building voice agents or real-time translation workflows, your agent can now transcribe in the caller's language natively — no extra services or routing logic needed.

• Transcription docs
• Nova-3 model page
• Workers AI
• AI Gateway

Radar ships several new features that improve the flexibility and usability of the platform, as well as visibility into what is happening on the Internet.

Region filtering

All location-aware pages now support filtering by region, including continents, geographic subregions (Middle East ↗, Eastern Asia ↗, etc.), political regions (EU ↗, African Union ↗), and US Census regions/divisions (for example, New England ↗, US Northeast ↗ ).

Traffic volume by top autonomous systems and locations

A new traffic volume view shows the top autonomous systems and countries/territories for a given location. This is useful for quickly determining which network providers in a location may be experiencing connectivity issues, or how traffic is distributed across a region.

The new AS and location dimensions have also been added to the Data Explorer ↗ for the HTTP, DNS, and NetFlows datasets. Combined with other available filters, this provides a powerful tool for generating unique insights.

Finally, breadcrumb navigation is now available on most pages, allowing easier navigation between parent and related pages.

Check out these features on Cloudflare Radar ↗ .

The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types.

Previously, proxy endpoints relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with Cloudflare Access authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.
This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

Key capabilities

• Identity-aware proxy traffic
  • Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write identity-based policies like "only the Finance team can access this accounting tool."
• Multiple identity providers
  • Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
• Cloudflare-hosted PAC files
  • Create and host PAC files directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at https://pac.cloudflare-gateway.com// on Cloudflare's global network.
• Simplified billing
  • Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

Get started

• 1. In Cloudflare One , Cloudflare One , go to Networks > Resolvers & Proxies > Proxy endpoints.
• 1. Create an authorization proxy endpoint and configure Access policies.
• 1. Create a hosted PAC file or write your own.
• 1. Configure browsers to use the PAC file URL.
• 1. Install the Cloudflare certificate for HTTPS inspection.

For more details, refer to the proxy endpoints documentation and the announcement blog post announcement blog post.

Workflows on Workers

Each Workflow on Workers Paid now supports 10,000 steps by default, configurable up to 25,000 steps in your wrangler.jsonc file:

{
  "workflows": [
    {
      "name": "my-workflow",
      "binding": "MY_WORKFLOW",
      "class_name": "MyWorkflow",
      "limits": {
        "steps": 25000
      }
    }
  ]
}

Previously, each instance was limited to 1,024 steps. Now, Workflows can support more complex, long-running executions without the additional complexity of recursive or child workflow calls.

Note that the maximum persisted state limit per Workflow instance remains 100 MB for Workers Free and 1 GB for Workers Paid. Refer to Workflows limits for more information.

Workflows limits

Refer to Workflows limits for more information.

Observability rewrite

The latest release of the
Agents SDK ↗
Agents SDK
rewrites observability from scratch with
diagnostics_channel
, adds
keepAlive()
to prevent Durable Object eviction during long-running work, and introduces
waitForMcpConnections
so MCP tools are always available when
onChatMessage
runs.

The previous observability system used
console.log()
with a custom
Observability.emit()
interface. v0.7.0 replaces it with structured events published to
diagnostics channels
— silent by default, zero overhead when nobody is listening.
Every event has a
type
,
payload
, and
timestamp
. Events are routed to seven named channels:

• agents:state - state:update
• agents:rpc - rpc, rpc:error
• agents:message - message:request, message:response, message:clear, message:cancel, message:error, tool:result, tool:approval
• agents:schedule - schedule:create, schedule:execute, schedule:cancel, schedule:retry, schedule:error, queue:retry, queue:error
• agents:lifecycle - connect, destroy
• agents:workflow - workflow:start, workflow:event, workflow:approved, workflow:rejected, workflow:terminated, workflow:paused, workflow:resumed, workflow:restarted
• agents:mcp - mcp:client:preconnect, mcp:client:connect, mcp:client:authorize, mcp:client:discover

Use the typed
subscribe()
helper from
agents/observability
for type-safe access:

keepAlive() and keepAliveWhile()
keepAlive()
and
keepAliveWhile()

Durable Objects are evicted after a period of inactivity (typically 70-140 seconds with no incoming requests, WebSocket messages, or alarms). During long-running operations — streaming LLM responses, waiting on external APIs, running multi-step computations — the agent can be evicted mid-flight.
keepAlive()
prevents this by creating a 30-second heartbeat schedule. The alarm firing resets the inactivity timer. Returns a disposer function that cancels the heartbeat when called.

Key details:

• Multiple concurrent callers — Each
  keepAlive()
  call returns an independent disposer. Disposing one does not affect others.
• AIChatAgent built-in —
  AIChatAgent
  automatically calls
  keepAlive()
  during streaming responses. You do not need to add it yourself.
• Uses the scheduling system — The heartbeat does not conflict with your own schedules. It shows up in
  getSchedules()
  if you need to inspect it.

Note
keepAlive()
is marked
@experimental
and may change between releases.
For the full API reference and when-to-use guidance, refer to
Schedule tasks — Keeping the agent alive
.

waitForMcpConnections
AIChatAgent
now waits for MCP server connections to settle before calling
onChatMessage
. This ensures
this.mcp.getAITools()
returns the full set of tools, especially after Durable Object hibernation when connections are being restored in the background.

Other improvements

• MCP deduplication by name and URL —
  addMcpServer
  with HTTP transport now deduplicates on both server name and URL. Calling it with the same name but a different URL creates a new connection. URLs are normalized before comparison (trailing slashes, default ports, hostname case).
• callbackHost optional for non-OAuth servers —
  addMcpServer
  no longer requires
  callbackHost
  when connecting to MCP servers that do not use OAuth.
• MCP URL security — Server URLs are validated before connection to prevent SSRF. Private IP ranges, loopback addresses, link-local addresses, and cloud metadata endpoints are blocked.
• Custom denial messages —
  addToolOutput
  now supports
  state: "output-error"
  with
  errorText
  for custom denial messages in human-in-the-loop tool approval flows.
• requestId in chat options —
  onChatMessage
  options now include a
  requestId
  for logging and correlating events.

Upgrade

To update to the latest version:

npm i agents@latest @cloudflare/ai-chat@latest