Labsco
spawnbase logo

durable-objects-mcp

from spawnbase

Query your Cloudflare Durable Objects from Claude Code, Cursor, and other AI clients

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeQuick setup

๐ŸŸง durable-objects-mcp

Rick Rubin knows

Unofficial MCP server for querying Cloudflare Durable Object SQLite storage from AI clients (Claude Code, Cursor, Windsurf, etc.). Gives AI clients structured, read-only access to your DO storage. Connect once, discover tables, run queries.

๐Ÿค” Why

Durable Objects store state in private SQLite databases with no programmatic query access โ€” just Data Studio in the dashboard. We built this while working on Spawnbase because manually clicking through thousands of DO instances isn't viable.

TODO: The best version of this tool is one that doesn't need to exist. We'd love Cloudflare to ship native secure query access for DO storage. Until then, this fills the gap.

โš™๏ธ What it enables

You (while sipping coffee): "What tables does the AIAgent DO have for user abc123?"

โ†’ describe_schema({ class_name: "AIAgent", name: "abc123" })

  _cf_KV           โ€” key TEXT, value BLOB
  cf_agents_state  โ€” id TEXT, data BLOB
  cf_agents_messages โ€” id TEXT, role TEXT, content TEXT, created_at INTEGER
  ...

You (after the second sip): "Show me the last 5 messages"

โ†’ query({ class_name: "AIAgent", name: "abc123",
          sql: "SELECT role, content FROM cf_agents_messages ORDER BY created_at DESC LIMIT 5" })

  role       | content
  -----------|----------------------------------
  user       | Deploy the workflow to production
  assistant  | I'll deploy workflow wf_a8c3...
  ...

A standalone Cloudflare Worker that binds to your DO namespaces via script_name and calls a query() RPC method on each DO instance. Auth via Cloudflare Access (OAuth).

๐Ÿ”’ Security

Warning: Durable Objects can store sensitive data โ€” session tokens, PII, payment records, conversation history. Before deploying, review what your DOs contain, only bind the namespaces you need, and restrict your Cloudflare Access policy accordingly. If you serve end users, make sure your terms of service cover this kind of data access.

We took security seriously when building this. Here's what we put in place:

  • Cloudflare Access (OAuth) โ€” all authentication happens at the edge before the request reaches the Worker. JWTs are verified against CF Access JWKS (signature, algorithm, expiry). PKCE (S256 only) is enforced on the MCP client side. Revoking a user in your identity provider cuts their MCP session on the next token refresh.
  • Read-only by design โ€” a server-side SQL guard rejects anything that isn't SELECT, PRAGMA, EXPLAIN, or WITH before it reaches the DO. All write statements are blocked at the MCP server level.
  • No public DO access โ€” the query() RPC call uses Cloudflare service bindings (script_name), which stay entirely within Cloudflare's internal network. There is no public HTTP endpoint to the DOs. The MCP server is the only way in.
  • Explicit namespace scoping โ€” only DO classes with bindings in wrangler.jsonc are discoverable and queryable. Nothing is exposed by default.

๐Ÿ› ๏ธ Tools

ToolWhat it does
list_classesLists queryable DO classes configured in your deployment
describe_schemaReturns tables and columns for a DO instance
execute_read_queryExecutes read-only SQL against a DO instance

๐Ÿ“„ License

MIT