Cloudflare published a reference architecture for production MCP this week, and the framing lands cleanly on top of the week's running story about MCP security. The thesis: MCP is transport and interoperability, not governance. A control plane has to sit above it. That is a direct response to the class of issues OX Security disclosed last week when it surfaced eleven CVEs in MCP's STDIO transport and Anthropic declined to change the reference SDK's unsafe defaults. If the protocol will not self-govern, something else needs to.

Four components form the stack. Cloudflare Access handles authentication with SSO, MFA, device posture, and location signals — standard enterprise zero-trust primitives applied to MCP requests. MCP Server Portals give users a unified discovery and access interface across the servers they are authorized for, rather than the ad-hoc local-config setup that is the current default. AI Gateway sits at the model-call layer, routing requests across providers and enforcing per-user usage limits and token monitoring. Code Mode is the most interesting piece: it collapses tool interfaces into dynamic entry points, which Cloudflare says can reduce token usage by up to 99.9%. That number is worth independent verification, but the claim is concrete.

The threat model Cloudflare names is the one builders already feel: prompt injection, supply chain attacks, exposed or misconfigured servers, arbitrary code execution, and data exfiltration across MCP integrations. Their sharp position is that locally deployed MCP servers are a "significant security liability." That is a direct shot at the default deployment pattern for Claude Desktop, Claude Code, Cursor, and most current client integrations, which run MCP servers as local child processes on user machines. Cloudflare's answer is remote deployment on their developer platform with centralized team management, fine-grained tool exposure, and DLP policy enforcement. Whether enterprises agree that local MCP is unacceptable, or continue to allow it for flexibility reasons, will shape which of the two architectures wins.

If you are evaluating MCP for production at enterprise scale, two concrete actions follow from this release. One, assume that "run the MCP server locally" is not a long-term posture for regulated workloads. The combination of OX Security's STDIO findings, Anthropic's decision not to patch the reference SDK, and Cloudflare's framing of local servers as a security liability puts local-MCP deployment on notice. Plan the migration to proxied, centrally governed MCP regardless of which vendor you choose. Two, the Code Mode 99.9% token-reduction claim is worth measuring against your own workload before you take it at face value, but if it holds even directionally, token economics become a serious variable in the governance-versus-flexibility trade-off. Cost control and security are now pointing in the same direction for enterprise MCP.
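
A starting point for that migration plan is knowing which servers currently run as local child processes. The sketch below is an added example, not code from Cloudflare or from any MCP client: it assumes the `mcpServers` JSON layout that common client configs use (`command`/`args`/`env` for a local STDIO server, `url` for a remote one), and the sample config and the list of package runners are constructed for illustration.

```python
import json

# Constructed sample; assumes the "mcpServers" layout used by MCP client configs.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "files":   {"command": "npx", "args": ["-y", "example-files-mcp"]},
    "tickets": {"command": "/opt/tools/tickets-mcp", "args": ["--stdio"],
                "env": {"TICKETS_TOKEN": "constructed-value"}},
    "wiki":    {"url": "https://mcp.example.internal/wiki"}
  }
}
"""

# Assumed list: launchers that download and run a package at start time,
# so the code that executes is decided by a registry, not by the endpoint owner.
PACKAGE_RUNNERS = {"npx", "uvx", "pipx", "bunx"}


def classify(name, spec):
    """Describe one configured server: transport, launch risk, env var names."""
    finding = {"name": name, "transport": "unknown",
               "fetches_code_at_launch": False, "env_vars": []}
    if "command" in spec:
        # Reduce "C:\\tools\\npx.cmd" or "/usr/bin/npx" to the bare launcher name.
        launcher = spec["command"].replace("\\", "/").rsplit("/", 1)[-1]
        launcher = launcher.lower().split(".")[0]
        finding["transport"] = "local-stdio"
        finding["fetches_code_at_launch"] = launcher in PACKAGE_RUNNERS
        # Names only: values may be credentials and should not reach a report.
        finding["env_vars"] = sorted(spec.get("env", {}))
    elif "url" in spec:
        finding["transport"] = "remote"
    return finding


def inventory(config_text):
    """Return one finding per configured MCP server, sorted by name."""
    servers = json.loads(config_text).get("mcpServers", {})
    return [classify(name, spec) for name, spec in sorted(servers.items())]


def migration_candidates(findings):
    """Names of servers that run as local child processes."""
    return [f["name"] for f in findings if f["transport"] == "local-stdio"]


if __name__ == "__main__":
    for finding in inventory(SAMPLE_CONFIG):
        print(finding)
```

Run across a fleet's client configs, the output gives a per-endpoint list of local servers to move behind a proxy, with the package-runner entries as the first ones to review.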