Summary

On June 26, 2026 Cloudflare added service-token support to Access MCP server portals, letting autonomous agents and bots reach upstream MCP servers through a portal without a browser-based OAuth flow. Admins add a Service Auth policy matching the token on the portal and each linked MCP server's Access application, enabling governed machine-to-machine agent authentication.

What changed

Cloudflare Access MCP server portals now accept Access service tokens (via Service Auth policies) for machine-to-machine access, so agents and bots can connect to upstream MCP servers with full access without the interactive OAuth 2.0 login previously required.

Why it matters

Autonomous agents run without a human to complete a browser login, so first-class service-token auth for MCP portals closes a real gap, letting enterprises grant and govern non-interactive agent access to tools through Cloudflare's zero-trust controls.

Evidence excerpt

You can now use an Access service token to connect autonomous agents and bots to an MCP server portal with full access to upstream MCP servers; service token sessions can reach upstream MCP servers through the portal without a browser-based OAuth flow.

Sources