Core Platform Release Notes

Cloudflare's network now supports real-time content conversion at the source, for enabled zones using content negotiation headers. When AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for text/markdown in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly.

Here is a curl example with the Accept negotiation header requesting this page from our developer documentation:

curl https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/ \
-H "Accept: text/markdown"

The response to this request is now formatted in markdown:

HTTP/2 200
date: Wed, 11 Feb 2026 11:44:48 GMT
content-type: text/markdown; charset=utf-8
content-length: 2899
vary: accept
x-markdown-tokens: 725
content-signal: ai-train=yes, search=yes, ai-input=yes
---
title: Markdown for Agents · Cloudflare Agents docs
---
### What is Markdown for Agents
Markdown has quickly become the lingua franca for agents and AI systems
as a whole. The format’s explicit structure makes it ideal for AI processing,
ultimately resulting in better results while minimizing token waste.
...
Refer to our developer documentation and our blog announcement for more details.

Original source Report a problem

AI Crawl Control metrics have been enhanced with new views, improved filtering, and better data visualization.

Path pattern grouping

In the Metrics tab > Most popular paths table, use the new Patterns tab that groups requests by URI pattern (/blog/, /api/v1/, /docs/*) to identify which site areas crawlers target most. Refer to the screenshot above.

Enhanced referral analytics

Destination patterns show which site areas receive AI-driven referral traffic. In the Metrics tab, a new Referrals over time chart shows trends by operator or source.

Data transfer metrics

In the Metrics tab > Allowed requests over time chart, toggle Bytes to show bandwidth consumption. In the Crawlers tab, a new Bytes Transferred column shows bandwidth per crawler.

Image exports

Export charts and tables as images for reports and presentations.

Learn more about analyzing AI traffic.

Original source Report a problem

New reference documentation is now available for AI Crawl Control

GraphQL API reference

• Query examples for crawler requests, top paths, referral traffic, and data transfer. Includes key filters for detection IDs, user agents, and referrer domains.

Bot reference

• Detection IDs and user agents for major AI crawlers from OpenAI, Anthropic, Google, Meta, and others.

Worker templates

• Deploy the x402 Payment-Gated Proxy to monetize crawler access or charge bots while letting humans through free.

Original source Report a problem

Request body buffering

Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server:

Mode Behavior Standard (default) Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management. Full Buffers the entire request body before sending to origin. None No buffering — the request body streams directly to origin without inspection.

Response body buffering

Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client:

Mode Behavior Standard (default) Cloudflare can inspect a prefix of the response body for enabled functionality. None No buffering — the response body streams directly to the client without inspection.

Setting body buffering to None may break security functionality that requires body inspection, including the Web Application Firewall (WAF) and Bot Management. Ensure that any paths where you disable buffering do not require security inspection.

These settings only take effect on zones running Cloudflare's latest CDN proxy. Enterprise customers can contact their account team to enable the latest proxy on their zones.

API example

{
  "action": "set_config",
  "action_parameters": {
    "request_body_buffering": "standard",
    "response_body_buffering": "none"
  }
}

For more information, refer to Configuration Rules.

Original source Report a problem

In an effort to improve overall user security, users without 2FA will be prompted upon login to enroll in email 2FA. This will improve user security posture while minimizing friction. Users without email 2FA enabled will see a prompt to secure their account with additional factors upon logging in. Enrolling in 2FA remains optional, but strongly encouraged as it is the best way to prevent account takeovers.

We also made changes to existing 2FA screens to improve the user experience. Now we have distinct experiences for each 2FA factor type, reflective of the way that factor works.

For more information

Configure Email Two Factor Authentication

Original source Report a problem

New functions

Cloudflare Rulesets now includes encode_base64() and sha256() functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result.

Function Description Availability encode_base64(input, flags) Encodes a string to Base64 format. Optional flags parameter: u for URL-safe encoding, p for padding (adds = characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding. All plans (in header transform rules) sha256(input) Computes a SHA256 hash of the input string. Requires enablement

Note

The sha256() function is available as an Enterprise add-on and requires a specific entitlement. Contact your account team to enable it.

Examples

Encode a string to Base64 format:

encode_base64("hello world")

Returns:

aGVsbG8gd29ybGQ

Encode a string to Base64 format with padding:

encode_base64("hello world", "p")

Returns:

aGVsbG8gd29ybGQ=

Perform a URL-safe Base64 encoding of a string:

encode_base64("hello world", "u")

Returns:

aGVsbG8gd29ybGQ

Compute the SHA256 hash of a secret token:

sha256("my-token")

Returns a hash that your origin can validate to authenticate requests.

Compute the SHA256 hash of a string and encode the result to Base64 format:

encode_base64(sha256("my-token"))

Combines hashing and encoding for systems that expect Base64-encoded signatures.

For more information, refer to the Functions reference.

Original source Report a problem

Disclaimer: Please note that v6.0.0-beta.1 is in Beta and we are still testing it for stability.

Full Changelog: v5.2.0...v6.0.0-beta.1

In this release, you'll see a large number of breaking changes. This is primarily due to a change in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries. As the codegen is always evolving and improving, so are our code bases.

Some breaking changes were introduced due to bug fixes, also listed below.

Please ensure you read through the list of changes below before moving to this version - this will help you understand any down or upstream issues it may cause to your environments.

Breaking Changes

Addressing - Parameter Requirements Changed

• BGPPrefixCreateParams.cidr: optional → required
• PrefixCreateParams.asn: number | null → number
• PrefixCreateParams.loa_document_id: required → optional
• ServiceBindingCreateParams.cidr: optional → required
• ServiceBindingCreateParams.service_id: optional → required

API Gateway

• ConfigurationUpdateResponse removed
• PublicSchema → OldPublicSchema
• SchemaUpload → UserSchemaCreateResponse
• ConfigurationUpdateParams.properties removed; use normalize

CloudforceOne - Response Type Changes

• ThreatEventBulkCreateResponse: number → complex object with counts and errors

D1 Database - Query Parameters

• DatabaseQueryParams: simple interface → union type (D1SingleQuery | MultipleQueries)
• DatabaseRawParams: same change
• Supports batch queries via batch array

DNS Records - Type Renames (21 types)
All record type interfaces renamed from *Record to short names:

• RecordResponse.ARecord → RecordResponse.A
• RecordResponse.AAAARecord → RecordResponse.AAAA
• RecordResponse.CNAMERecord → RecordResponse.CNAME
• RecordResponse.MXRecord → RecordResponse.MX
• RecordResponse.NSRecord → RecordResponse.NS
• RecordResponse.PTRRecord → RecordResponse.PTR
• RecordResponse.TXTRecord → RecordResponse.TXT
• RecordResponse.CAARecord → RecordResponse.CAA
• RecordResponse.CERTRecord → RecordResponse.CERT
• RecordResponse.DNSKEYRecord → RecordResponse.DNSKEY
• RecordResponse.DSRecord → RecordResponse.DS
• RecordResponse.HTTPSRecord → RecordResponse.HTTPS
• RecordResponse.LOCRecord → RecordResponse.LOC
• RecordResponse.NAPTRRecord → RecordResponse.NAPTR
• RecordResponse.SMIMEARecord → RecordResponse.SMIMEA
• RecordResponse.SRVRecord → RecordResponse.SRV
• RecordResponse.SSHFPRecord → RecordResponse.SSHFP
• RecordResponse.SVCBRecord → RecordResponse.SVCB
• RecordResponse.TLSARecord → RecordResponse.TLSA
• RecordResponse.URIRecord → RecordResponse.URI
• RecordResponse.OpenpgpkeyRecord → RecordResponse.Openpgpkey

IAM Resource Groups

• ResourceGroupCreateResponse.scope: optional single → required array
• ResourceGroupCreateResponse.id: optional → required

Origin CA Certificates - Parameter Requirements Changed

• OriginCACertificateCreateParams.csr: optional → required
• OriginCACertificateCreateParams.hostnames: optional → required
• OriginCACertificateCreateParams.request_type: optional → required

Pages

• Renamed: DeploymentsSinglePage → DeploymentListResponsesV4PagePaginationArray
• Domain response fields: many optional → required

Pipelines - v0 to v1 Migration

• Entire v0 API deprecated; use v1 methods (createV1, listV1, etc.)
• New sub-resources: Sinks, Streams

R2

• EventNotificationUpdateParams.rules: optional → required
• Super Slurper: bucket, secret now required in source params

Radar

• dataSource: string → typed enum (23 values)
• eventType: string → typed enum (6 values)
• V2 methods require dimension parameter (breaking signature change)

Resource Sharing

• Removed: status_message field from all recipient response types

Schema Validation

• Consolidated SchemaCreateResponse, SchemaListResponse, SchemaEditResponse, SchemaGetResponse → PublicSchema
• Renamed: SchemaListResponsesV4PagePaginationArray → PublicSchemasV4PagePaginationArray

Spectrum

• Renamed union members: AppListResponse.UnionMember0 → SpectrumConfigAppConfig
• Renamed union members: AppListResponse.UnionMember1 → SpectrumConfigPaygoAppConfig

Workers

• Removed: WorkersBindingKindTailConsumer type (all occurrences)
• Renamed: ScriptsSinglePage → ScriptListResponsesSinglePage
• Removed: DeploymentsSinglePage

Zero-Trust DLP

• datasets.create(), update(), get() return types changed
• PredefinedGetResponse union members renamed to UnionMember0-5

Zero-Trust Tunnels

• Removed: CloudflaredCreateResponse, CloudflaredListResponse, CloudflaredDeleteResponse, CloudflaredEditResponse, CloudflaredGetResponse
• Removed: CloudflaredListResponsesV4PagePaginationArray

Features

Abuse Reports (client.abuseReports)

• Reports: create, list, get
• Mitigations: sub-resource for abuse mitigations

AI Search (client.aisearch)

• Instances: create, update, list, delete, read, stats
• Items: list, get
• Jobs: create, list, get, logs
• Tokens: create, update, list, delete, read

Connectivity (client.connectivity)

• Directory Services: create, update, list, delete, get
• Supports IPv4, IPv6, dual-stack, and hostname configurations

Organizations (client.organizations)

• Organizations: create, update, list, delete, get
• OrganizationProfile: update, get
• Hierarchical organization support with parent/child relationships

R2 Data Catalog (client.r2DataCatalog)

• Catalog: list, enable, disable, get
• Credentials: create
• MaintenanceConfigs: update, get
• Namespaces: list
• Tables: list, maintenance config management
• Apache Iceberg integration

Realtime Kit (client.realtimeKit)

• Apps: get, post
• Meetings: create, get, participant management
• Livestreams: 10+ methods for streaming
• Recordings: start, pause, stop, get
• Sessions: transcripts, summaries, chat
• Webhooks: full CRUD
• ActiveSession: polls, kick participants
• Analytics: organization analytics

Token Validation (client.tokenValidation)

• Configuration: create, list, delete, edit, get
• Credentials: update
• Rules: create, list, delete, bulkCreate, bulkEdit, edit, get
• JWT validation with RS256/384/512, PS256/384/512, ES256, ES384

Alerting Silences (client.alerting.silences)

• create, update, list, delete, get

IAM SSO (client.iam.sso)

• create, update, list, delete, get, beginVerification

Pipelines v1 (client.pipelines)

• Sinks: create, list, delete, get
• Streams: create, update, list, delete, get

Zero-Trust AI Controls / MCP (client.zeroTrust.access.aiControls.mcp)

• Portals: create, update, list, delete, read
• Servers: create, update, list, delete, read, sync

Accounts

• managed_by field with parent_org_id, parent_org_name

Addressing LOA Documents

• auto_generated field on LOADocumentCreateResponse

Addressing Prefixes

• delegate_loa_creation, irr_validation_state, ownership_validation_state, ownership_validation_token, rpki_validation_state

AI

• Added toMarkdown.supported() method to get all supported conversion formats

AI Gateway

• zdr field added to all responses and params

Alerting

• New alert type: abuse_report_alert
• type field added to PolicyFilter

Browser Rendering

• ContentCreateParams: refined to discriminated union (Variant0 | Variant1)
• Split into URL-based and HTML-based parameter variants for better type safety

Client Certificates

• reactivate parameter in edit

CloudforceOne

• ThreatEventCreateParams.indicatorType: required → optional
• hasChildren field added to all threat event response types
• datasetIds query parameter on AttackerListParams, CategoryListParams, TargetIndustryListParams
• categoryUuid field on TagCreateResponse
• indicators array for multi-indicator support per event
• uuid and preserveUuid fields for UUID preservation in bulk create
• format query parameter ('json' | 'stix2') on ThreatEventListParams
• createdAt, datasetId fields on ThreatEventEditParams

Content Scanning

• Added create(), update(), get() methods

Custom Pages

• New page types: basic_challenge, under_attack, waf_challenge

D1

• served_by_colo - colo that handled query
• jurisdiction - 'eu' | 'fedramp'
• Time Travel (client.d1.database.timeTravel): getBookmark(), restore() - point-in-time recovery

Email Security

• New fields on InvestigateListResponse / InvestigateGetResponse: envelope_from, envelope_to, postfix_id_outbound, replyto
• New detection classification: 'outbound_ndr'
• Enhanced Finding interface with attachment, detection, field, portion, reason, score
• Added cursor query parameter to InvestigateListParams

Gateway Lists

• New list types: CATEGORY, LOCATION, DEVICE

Intel

• New issue type: 'configuration_suggestion'
• payload field: unknown → typed Payload interface with detection_method, zone_tag

Leaked Credential Checks

• Added detections.get() method

Logpush

• New datasets: dex_application_tests, dex_device_state_events, ipsec_logs, warp_config_changes, warp_toggle_changes

Load Balancers

• Monitor.port: number → number | null
• Pool.load_shedding: LoadShedding → LoadShedding | null
• Pool.origin_steering: OriginSteering → OriginSteering | null

Magic Transit

• license_key field on connectors
• provision_license parameter for auto-provisioning
• IPSec: custom_remote_identities with FQDN support
• Snapshots: Bond interface, probed_mtu field

Pages

• New response types: ProjectCreateResponse, ProjectListResponse, ProjectEditResponse, ProjectGetResponse
• Deployment methods return specific response types instead of generic Deployment

Queues

• Added subscriptions.get() method
• Enhanced SubscriptionGetResponse with typed event source interfaces
• New event source types: Images, KV, R2, Vectorize, Workers AI, Workers Builds, Workflows

R2

• Sippy: new provider s3 (S3-compatible endpoints)
• Sippy: bucketUrl field for S3-compatible sources
• Super Slurper: keys field on source response schemas (specify specific keys to migrate)
• Super Slurper: pathPrefix field on source schemas
• Super Slurper: region field on S3 source params

Radar

• Added geolocations.list(), geolocations.get() methods
• Added V2 dimension-based methods (summaryV2, timeseriesGroupsV2) to radar sub-resources

Resource Sharing

• Added terminal boolean field to Resource Error interfaces

Rules

• Added id field to ItemDeleteParams.Item

Rulesets

• New buffering fields on SetConfigRule: request_body_buffering, response_body_buffering

Secrets Store

• New scopes: 'dex', 'access' (in addition to 'workers', 'ai_gateway')

SSL Certificate Packs

• Response types now proper interfaces (was unknown)
• Fields now required: id, certificates, hosts, status, type

Security Center

• payload field: unknown → typed Payload interface with detection_method, zone_tag

Shared Types

• Added: CloudflareTunnelsV4PagePaginationArray pagination class

Workers

• Added subdomains.delete() method
• Worker.references - track external dependencies (domains, Durable Objects, queues)
• Worker.startup_time_ms - startup timing
• Script.observability - observability settings with logging
• Script.tag, Script.tags - immutable ID and tags
• Placement: support for region, hostname, host-based placement
• tags, tail_consumers now accept | null
• Telemetry: traces field, $containers event info, durableObjectId, transactionName, abr_level fields

Workers for Platforms

• ScriptUpdateResponse: new fields entry_point, observability, tag, tags
• placement field now union of 4 variants (smart mode, region, hostname, host)
• tags, tail_consumers now nullable
• TagUpdateParams.body now accepts null

Workflows

• instance_retention: unknown → typed InstanceRetention interface with error_retention, success_retention
• New status option: 'restart' added to StatusEditParams.status

Zero-Trust Devices

• External emergency disconnect settings (4 new fields)
• antivirus device posture check type
• os_version_extra documentation improvements

Zones

• New response types: SubscriptionCreateResponse, SubscriptionUpdateResponse, SubscriptionGetResponse

Zero-Trust Access Applications

• New ApplicationType values: 'mcp', 'mcp_portal', 'proxy_endpoint'
• New destination type: ViaMcpServerPortalDestination for MCP server access

Zero-Trust Gateway

• Added rules.listTenant() method

Zero-Trust Gateway - Proxy Endpoints

• ProxyEndpoint: interface → discriminated union (ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity)
• ProxyEndpointCreateParams: interface → union type
• Added kind field: 'ip' | 'identity'

Zero-Trust Tunnels

• WARPConnector*Response: union type → interface

Deprecations

API Gateway: UserSchemas, Settings, SchemaValidation resources
Audit Logs: auditLogId.not (use id.not)
CloudforceOne: ThreatEvents.get(), IndicatorTypes.list()
Devices: public_ip field (use DEX API)
Email Security: item_count field in Move responses
Pipelines: v0 methods (use v1)
Radar: old summary() and timeseriesGroups() methods (use V2)
Rulesets: disable_apps, mirage fields
WARP Connector: connections field
Workers: environment parameter in Domains
Zones: ResponseBuffering page rule

Bug Fixes

mcp: correct code tool API endpoint (599703c)
mcp: return correct lines on typescript errors (5d6f999)
organization_profile: fix bad reference (d84ea77)
schema_validation: correctly reflect model to openapi mapping (bb86151)
workers: fix tests (2ee37f7)

Documentation

Added deprecation notices with migration paths
api_gateway: deprecate API Shield Schema Validation resources (8a4b20f)
Improved JSDoc examples across all resources
workers: expose subdomain delete documentation (4f7cc1f)

Original source Report a problem

New functions

Function Description split(source, delimiter) Splits a string into an array of strings using the specified delimiter. join(array, delimiter) Joins an array of strings into a single string using the specified delimiter. has_key(map, key) Returns true if the specified key exists in the map. has_value(map, value) Returns true if the specified value exists in the map.

Example use cases

• Check if a country code exists in a header list:

has_value(split(http.response.headers["x-allow-country"][0], ","), ip.src.country)

• Check if a specific header key exists:

has_key(http.request.headers, "x-custom-header")

• Join array values for logging or comparison:

join(http.request.headers.names, ", ")

For more information, refer to the Functions reference.

Original source Report a problem