Cloudflare is one of Executor's documented self-host/deployment paths, and the Cloudflare host docs already cover Access-gated /mcp usage with service-token headers for headless clients.
That works for direct MCP clients, but the executor CLI cannot currently use the same Access-protected instance because commands like:
executor login --base-url https://executor.example.com
must first call /api/auth/cli-login, and there does not appear to be a way for the CLI/server profile to attach required Cloudflare Access headers:
CF-Access-Client-Id
CF-Access-Client-Secret
This means a Cloudflare Access-protected self-hosted Executor can be used by MCP clients that support custom headers, but not cleanly by the Executor CLI itself.
Requested shape:
- Let
executor server add / server profiles define HTTP headers.
- Prefer env-backed values, not plaintext persistence, for example:
CF-Access-Client-Id=$EXECUTOR_CF_ACCESS_CLIENT_ID
CF-Access-Client-Secret=$EXECUTOR_CF_ACCESS_CLIENT_SECRET
- Apply those headers consistently to CLI discovery/login and later API calls:
/api/auth/cli-login
whoami
call
generate
- other remote server commands
This would make the blessed Cloudflare path usable end-to-end from both MCP clients and the official CLI, without requiring users to weaken Access or run a local header-injecting proxy.
🤖 This content was generated with AI assistance using gpt-5.5.
Cloudflare is one of Executor's documented self-host/deployment paths, and the Cloudflare host docs already cover Access-gated
/mcpusage with service-token headers for headless clients.That works for direct MCP clients, but the
executorCLI cannot currently use the same Access-protected instance because commands like:must first call
/api/auth/cli-login, and there does not appear to be a way for the CLI/server profile to attach required Cloudflare Access headers:CF-Access-Client-IdCF-Access-Client-SecretThis means a Cloudflare Access-protected self-hosted Executor can be used by MCP clients that support custom headers, but not cleanly by the Executor CLI itself.
Requested shape:
executor server add/ server profiles define HTTP headers.CF-Access-Client-Id=$EXECUTOR_CF_ACCESS_CLIENT_IDCF-Access-Client-Secret=$EXECUTOR_CF_ACCESS_CLIENT_SECRET/api/auth/cli-loginwhoamicallgenerateThis would make the blessed Cloudflare path usable end-to-end from both MCP clients and the official CLI, without requiring users to weaken Access or run a local header-injecting proxy.
🤖 This content was generated with AI assistance using gpt-5.5.