Cloudflare Self-Hosting
Deploy OpenSEO to your own Cloudflare account for internet-facing, multi-device, or team use.
Host OpenSEO on Cloudflare for internet-facing self-hosting across multiple devices or with your team. It works on Cloudflare's free plan.
1) Deploy from GitHub
Click the deploy button. There are lots of fields on the deploy form, but you only need to do the below steps.
- Connect your Git provider (GitHub/GitLab).
- Leave the resource naming fields as default unless you have a reason to change them.
- Click
Create and Deploy. - Wait 1-2 minutes for deployment to finish.
If deploy fails with Cannot provision a KV Namespace with the title "open-seo" because it already exists, use the manual deploy with Wrangler guide on GitHub instead.
2) Configure authentication and secrets
In the Cloudflare dashboard:
- Go to
Compute->Workers & Pages-> your OpenSEO Worker. - Open
Settings. - In
Domains & Routes, enableCloudflare Accessfor theworkers.devroute. - Save the values shown by Cloudflare Access.
- In
Variables & Secrets, add:POLICY_AUD(from Access setup)TEAM_DOMAIN(domain fromJWKS_URL, for examplehttps://your-team.cloudflareaccess.com)DATAFORSEO_API_KEY(see DataForSEO API key setup)
3) Optional: add an R2 lifecycle rule
DataForSEO API responses are cached in R2 under the dataforseo-cache/ prefix. This step is optional, but recommended to automatically clean up expired cache objects:
npx wrangler r2 bucket lifecycle add open-seo dataforseo-cache-expiry dataforseo-cache/ --expire-days 7If you changed the R2 bucket name during deploy, replace open-seo with your bucket name.
Without a lifecycle rule, cached objects under dataforseo-cache/ will accumulate indefinitely and increase storage costs over time.
4) Validate setup
- Open your Worker URL again.
- Sign in with Cloudflare Access.
- OpenSEO should load after login.
If login fails, re-check the three secrets and Access toggle.
Connect the MCP server through Cloudflare Access
Use the same Cloudflare Access application that protects your OpenSEO Worker. Managed OAuth is required for MCP clients and is not enabled by default.
- Open Cloudflare Zero Trust.
- Go to
Access controls->Applications. - Find your OpenSEO application, then select
Edit. - Go to
Additional settings->OAuth. - Turn on
Managed OAuth. - In
Managed OAuth settings, allow the redirect URIs your MCP clients use:- Allow
localhost/ loopback clients for CLI and desktop agents (Codex CLI, Claude Code) that registerhttp://localhost:PORT/callback. - Add HTTPS redirect URIs for web connectors (a path may end in
/*). - Without this, clients can't finish Dynamic Client Registration and log in but expose no tools.
- Allow
- Save.
MCP clients should connect to:
https://YOUR_WORKER_HOSTNAME/mcpGive teammates access to OpenSEO
- Open Cloudflare Zero Trust.
- Go to Access -> Applications.
- Open your OpenSEO application.
- Edit the
Allowpolicy. - Add teammate emails (or your company email domain / group).
- Save.
After saving, teammates can open your OpenSEO URL and sign in through Cloudflare Access. OpenSEO will use a shared workspace for everyone allowed by the policy.
Advanced guides on GitHub
- Manual deploy with Wrangler: create the Cloudflare resources yourself and deploy with the CLI.
- Operations: update to the latest OpenSEO version and manage telemetry.