Parker Agee

Let AI Agents Run Your Web App for Customers with MCP and Cloudflare Workers

How to Let AI Agents Use Your Web App for Customers with MCP and Cloudflare Workers

If you own a web app and want AI agents (like bots or assistants) to use it on behalf of your customers, there’s a slick way to make it happen using the Remote Model Context Protocol (MCP) and Cloudflare Workers. I recently dug into this Cloudflare blog post and figured out how the authentication (auth) pieces work. Here’s the breakdown for web developers like us.

What’s MCP and Why Does It Matter?

MCP is an open standard that lets AI models—like Claude or your custom bot—talk to your web app securely and easily. Think of it as a universal adapter (like USB-C) for AI. With Cloudflare Workers, you can host an MCP server to expose your app’s features to these agents, and the auth part ensures they only act within a customer’s permissions.

The Key Auth Pieces You Need to Know

Here’s how authentication fits into letting AI agents use your web app for customers:

1. AI Agents Need Permission to Act

  • For an AI to act on behalf of a customer (e.g., update their profile), it needs proof it’s allowed. Auth is like handing the AI a key—but only for what the customer approves.
  • In MCP, you define “tools” (like “send a message” or “add a task”) that the AI can use. Auth ensures the AI sticks to those limits.

2. OAuth-Like Flow for Simplicity

  • The blog hints at a standard auth approach, likely similar to OAuth, which is perfect for third-party access:
    • Customer Consent: Your customer logs in and says, “Let this AI use my account.”
    • Token Issued: Your app generates a secure token tied to that customer, like “This AI can post for Customer A.”
    • Agent Uses Token: The AI includes this token in every request to prove it’s legit.
  • Cloudflare Workers handle this securely with HTTPS and can store secrets (like tokens) easily.

3. Transport and Security Built In

  • Cloudflare Workers take care of the “transport” (secure communication) between the AI and your app via HTTPS. No need to mess with SSL setup—it’s done for you.
  • For auth, this means tokens and data (e.g., “update this profile”) stay encrypted and safe.

4. Your Role: Define the Tools

  • You create an MCP server on Workers that lists your app’s features—like “get customer data”—and add auth checks.
  • Example: For a “post message” tool, your server might check, “Does this token match Customer A, and did they allow posting?”

How to Set It Up for Your Web App

Imagine your app manages to-do lists, and you want an AI to add tasks for customers. Here’s how it could work:

Step 1: Build the MCP Server

  • Write a script on Cloudflare Workers defining a tool like addTask(taskText). It checks the token to confirm the AI has permission.
  • Simplified code example: 
    async function addTask(request) {
  const token = request.headers.get("Authorization");
  if (!verifyToken(token)) return new Response("Unauthorized", { status: 401 });
  const customerId = getCustomerIdFromToken(token);
  // Add task to your app’s database for customerId
  return new Response("Task added", { status: 200 });
}

Step 2: Add Auth to Your App

  • Implement an OAuth flow in your app. When a customer approves an AI, they log in, and your app issues a token.
  • Cloudflare Workers can validate this token on each request—super straightforward.

Step 3: Let the AI Do Its Thing

  • The AI (e.g., Claude) calls your MCP server with the token and a request like addTask("Buy milk"). Your server verifies it and adds the task.

Why This Is Awesome for You

  • Scalability: One setup works for any MCP-compatible AI—no custom code per agent.
  • Security: Tokens keep the AI from messing with other customers’ stuff or overstepping.
  • Ease: Workers handle the boring stuff (HTTPS, token checks), so you focus on your app’s logic.

Next Steps to Make It Happen

  1. Set Up Cloudflare Workers: Sign up, deploy a basic MCP server (check their docs), and test a dummy tool.
  2. Add Auth: Use an OAuth library (e.g., Passport.js for Node.js) to handle customer logins and token generation.
  3. Test It: Grab an MCP-compatible AI, give it a token, and watch it add tasks for a test customer.

With MCP and Cloudflare Workers, letting AI agents use your web app for customers is less of a headache. The auth piece—handled with tokens and secure transport—keeps everything safe and simple. You just define what the AI can do, and the system enforces the rules.

Subscribe to get future posts via email (or grab the RSS feed).