feat: add Web Search MCP server

Author: G4brym

.changeset/websearch-mcp-server.md

@@ -0,0 +1,5 @@
+---
+"websearch": minor
+---
+
+Add the Web Search MCP server (`websearch.mcp.cloudflare.com`). It is a stateless (`createMcpHandler`) server exposing only `/mcp`, with a `web_search` tool that takes an `account_tag` parameter and is gated behind the `websearch.run` OAuth scope. Supports both OAuth and raw Cloudflare API token (Bearer) authentication.

apps/websearch/.dev.vars.example

@@ -0,0 +1,4 @@
+CLOUDFLARE_CLIENT_ID=
+CLOUDFLARE_CLIENT_SECRET=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=

apps/websearch/.eslintrc.cjs

@@ -0,0 +1,5 @@
+/** @type {import("eslint").Linter.Config} */
+module.exports = {
+	root: true,
+	extends: ['@repo/eslint-config/default.cjs'],
+}

apps/websearch/README.md

@@ -0,0 +1,49 @@
+# Web Search MCP Server 🔎
+
+This is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) server that supports remote MCP
+connections, with Cloudflare OAuth built-in.
+
+It integrates a tool powered by the Cloudflare Web Search API to run web search queries and return ranked results.
+
+## 🔨 Available Tools
+
+Currently available tools:
+
+| **Category**   | **Tool**     | **Description**                                                                                                                                            |
+| -------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Web Search** | `web_search` | Runs a web search query via the Cloudflare Web Search API and returns ranked results (title, url, snippet). Takes an `account_tag` (account id) parameter. |
+
+This MCP server is still a work in progress, and we plan to add more tools in the future.
+
+### Prompt Examples
+
+- `Search the web for the latest Cloudflare Workers release notes`
+- `Find recent articles about MCP servers`
+
+## Access the remote MCP server from any MCP Client
+
+If your MCP client has first class support for remote MCP servers, the client will provide a way to accept the server URL (`https://websearch.mcp.cloudflare.com`) directly within its interface (for example in [Cloudflare AI Playground](https://playground.ai.cloudflare.com/)).
+
+If your client does not yet support remote MCP servers, you will need to set up its respective configuration file using [mcp-remote](https://www.npmjs.com/package/mcp-remote) to specify which servers your client can access.
+
+Replace the content with the following configuration:
+
+```json
+{
+	"mcpServers": {
+		"cloudflare": {
+			"command": "npx",
+			"args": ["mcp-remote", "https://websearch.mcp.cloudflare.com/mcp"]
+		}
+	}
+}
+```
+
+Once you've set up your configuration file, restart your MCP client and a browser window will open showing your OAuth login page. Complete the authentication flow to grant the MCP server access to your Cloudflare account. Once authenticated, you'll be able to run web searches through your MCP client.
+
+## Authentication
+
+This server supports two authentication modes:
+
+- **OAuth** — connect to the server URL and complete the Cloudflare OAuth flow.
+- **API token** — send a Cloudflare API token as a `Bearer` token in the `Authorization` header to skip OAuth and call the Web Search API directly.

apps/websearch/package.json

@@ -0,0 +1,34 @@
+{
+	"name": "websearch",
+	"version": "0.0.0",
+	"private": true,
+	"scripts": {
+		"check:lint": "run-eslint-workers",
+		"check:types": "run-tsc",
+		"deploy": "run-wrangler-deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev",
+		"types": "wrangler types --include-env=false",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.4.0",
+		"@hono/zod-validator": "0.4.3",
+		"@modelcontextprotocol/sdk": "1.29.0",
+		"@repo/mcp-common": "workspace:*",
+		"@repo/mcp-observability": "workspace:*",
+		"agents": "0.13.3",
+		"cloudflare": "4.2.0",
+		"hono": "4.7.6",
+		"workers-tagged-logger": "0.13.5",
+		"zod": "3.25.76"
+	},
+	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "0.8.14",
+		"@types/node": "22.14.1",
+		"prettier": "3.5.3",
+		"typescript": "5.5.4",
+		"vitest": "3.0.9",
+		"wrangler": "4.10.0"
+	}
+}

apps/websearch/src/tools/websearch.tools.ts

@@ -0,0 +1,80 @@
+import { getMcpAuthContext } from 'agents/mcp'
+import { z } from 'zod'
+
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
+
+// TODO(RAG-1300): confirm the canonical Web Search API path before launch.
+const WEBSEARCH_API_BASE = 'https://api.cloudflare.com/client/v4/accounts'
+
+const QueryParam = z.string().min(1).describe('The web search query to run.')
+const AccountTagParam = z
+	.string()
+	.min(1)
+	.describe('The Cloudflare account tag (account id) to run the web search under.')
+const MaxResultsParam = z
+	.number()
+	.int()
+	.min(1)
+	.max(50)
+	.optional()
+	.describe('Maximum number of results to return (1-50).')
+
+export function registerWebSearchTools(server: McpServer) {
+	server.tool(
+		'web_search',
+		'Run a web search query via the Cloudflare Web Search API and return ranked results (title, url, snippet).',
+		{
+			query: QueryParam,
+			account_tag: AccountTagParam,
+			max_results: MaxResultsParam,
+		},
+		async ({ query, account_tag, max_results }) => {
+			const accessToken = getMcpAuthContext()?.props?.accessToken
+			if (typeof accessToken !== 'string' || accessToken.length === 0) {
+				return {
+					content: [
+						{
+							type: 'text' as const,
+							text: 'No access token available. Authenticate via OAuth or send a Cloudflare API token as a Bearer token.',
+						},
+					],
+				}
+			}
+
+			try {
+				const res = await fetch(`${WEBSEARCH_API_BASE}/${account_tag}/websearch/search`, {
+					method: 'POST',
+					headers: {
+						Authorization: `Bearer ${accessToken}`,
+						'Content-Type': 'application/json',
+					},
+					body: JSON.stringify({ query, max_results }),
+				})
+
+				if (!res.ok) {
+					const errorData = await res.json().catch(() => ({}))
+					throw new Error(`Web search failed: ${res.status} ${JSON.stringify(errorData)}`)
+				}
+
+				const data = await res.json()
+				return {
+					content: [
+						{
+							type: 'text' as const,
+							text: JSON.stringify(data),
+						},
+					],
+				}
+			} catch (error) {
+				return {
+					content: [
+						{
+							type: 'text' as const,
+							text: `Error running web search: ${error instanceof Error ? error.message : String(error)}`,
+						},
+					],
+				}
+			}
+		}
+	)
+}

apps/websearch/src/websearch.app.ts

@@ -0,0 +1,91 @@
+import OAuthProvider from '@cloudflare/workers-oauth-provider'
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js'
+import { createMcpHandler } from 'agents/mcp'
+
+import { isApiTokenRequest } from '@repo/mcp-common/src/api-token-mode'
+import {
+	createAuthHandlers,
+	handleTokenExchangeCallback,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { getEnv } from '@repo/mcp-common/src/env'
+import { RequiredScopes } from '@repo/mcp-common/src/scopes'
+import { MetricsTracker } from '@repo/mcp-observability'
+
+import { registerWebSearchTools } from './tools/websearch.tools'
+import { BASE_INSTRUCTIONS } from './websearch.context'
+
+import type { Env } from './websearch.context'
+
+const env = getEnv<Env>()
+
+const metrics = new MetricsTracker(env.MCP_METRICS, {
+	name: env.MCP_SERVER_NAME,
+	version: env.MCP_SERVER_VERSION,
+})
+
+const WebSearchScopes = {
+	...RequiredScopes,
+	'account:read': 'See your account info such as account details, analytics, and memberships.',
+	'websearch.run': 'Grants access to run Cloudflare Web Search queries.',
+} as const
+
+// Stateless: createMcpHandler requires a fresh server instance per request.
+// TODO(RAG-1300): swap back to CloudflareMCPServer (metrics + per-user userId via
+// getMcpAuthContext) once @repo/mcp-common is on a zod 3.25+/SDK 1.29+ compatible stack.
+function createServer(env: Env): McpServer {
+	const server = new McpServer(
+		{ name: env.MCP_SERVER_NAME, version: env.MCP_SERVER_VERSION },
+		{ instructions: BASE_INSTRUCTIONS }
+	)
+	registerWebSearchTools(server)
+	return server
+}
+
+// Stateless streamable-HTTP handler. Reads the access token from ctx.props,
+// set either by the OAuthProvider (OAuth mode) or below (API-token mode).
+function mcpFetch(req: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
+	const handler = createMcpHandler(createServer(env), { route: '/mcp' })
+	return handler(req, env, ctx)
+}
+
+function getBearerToken(req: Request, env: Env): string {
+	if (env.DEV_CLOUDFLARE_API_TOKEN && env.DEV_DISABLE_OAUTH === 'true') {
+		return env.DEV_CLOUDFLARE_API_TOKEN
+	}
+	const [, token] = (req.headers.get('Authorization') ?? '').split(' ')
+	return token ?? ''
+}
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext): Promise<Response> => {
+		// Raw Cloudflare API token bearer → skip OAuth, use it directly.
+		// OAuth-issued tokens are excluded by isApiTokenRequest and fall through.
+		if (await isApiTokenRequest(req, env)) {
+			ctx.props = { type: 'api_token', accessToken: getBearerToken(req, env) }
+			return mcpFetch(req, env, ctx)
+		}
+
+		// OAuth mode: advertises the OAuth endpoints and decrypts OAuth-issued
+		// tokens into ctx.props.accessToken before delegating to the MCP handler.
+		return new OAuthProvider({
+			apiHandlers: {
+				'/mcp': { fetch: mcpFetch },
+			},
+			defaultHandler: createAuthHandlers({ scopes: WebSearchScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			refreshTokenTTL: 2592000, // 30 days
+			// TODO: Remove after 2026-05-01 — all pre-0.4.0 grants will have expired by then
+			resourceMatchOriginOnly: true,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}

apps/websearch/src/websearch.context.ts

@@ -0,0 +1,28 @@
+export interface Env {
+	OAUTH_KV: KVNamespace
+	MCP_COOKIE_ENCRYPTION_KEY: string
+	ENVIRONMENT: 'development' | 'staging' | 'production'
+	MCP_SERVER_NAME: string
+	MCP_SERVER_VERSION: string
+	CLOUDFLARE_CLIENT_ID: string
+	CLOUDFLARE_CLIENT_SECRET: string
+	MCP_METRICS: AnalyticsEngineDataset
+	GIT_HASH: string
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
+}
+
+export const BASE_INSTRUCTIONS = /* markdown */ `
+# Cloudflare Web Search MCP Server
+
+This server provides a tool to run web searches powered by the Cloudflare Web Search API.
+
+## Authentication
+
+- Connect with OAuth, or send a Cloudflare API token as a Bearer token to skip OAuth.
+
+## Tools
+
+- **web_search**: Run a web search query for a given account and return ranked results (title, url, snippet). Pass the Cloudflare account tag via the \`account_tag\` parameter.
+`

apps/websearch/tsconfig.json

@@ -0,0 +1,4 @@
+{
+	"extends": "@repo/typescript-config/workers.json",
+	"include": ["*/**.ts", "./vitest.config.ts", "./types.d.ts"]
+}

apps/websearch/types.d.ts

@@ -0,0 +1,5 @@
+import type { TestEnv } from './vitest.config'
+
+declare module 'cloudflare:test' {
+	interface ProvidedEnv extends TestEnv {}
+}