Changelog

Containers and Sandboxes now support connecting directly to Workers over HTTP. This allows you to call Workers functions and bindings, like KV or R2, from within the container at specific hostnames.

Define an outbound handler to capture any HTTP request or use outboundByHost to capture requests to individual hostnames and IPs.

export class MyApp extends Sandbox {}

MyApp.outbound = async (request, env, ctx) => {
  // you can run arbitrary functions defined in your Worker on any HTTP request
  return await someWorkersFunction(request.body);
};

MyApp.outboundByHost = {
  "my.worker": async (request, env, ctx) => {
    return await anotherFunction(request.body);
  },
};

In this example, requests from the container to http://my.worker will run the function defined within outboundByHost, and any other HTTP requests will run the outbound handler. These handlers run entirely inside the Workers runtime, outside of the container sandbox.

Each handler has access to env, so it can call any binding set in Wrangler config. Code inside the container makes a standard HTTP request to that hostname and the outbound Worker translates it into a binding call.

export class MyApp extends Sandbox {}

MyApp.outboundByHost = {
  "my.kv": async (request, env, ctx) => {
    const key = new URL(request.url).pathname.slice(1);
    const value = await env.KV.get(key);
    return new Response(value ?? "", { status: value ? 200 : 404 });
  },
  "my.r2": async (request, env, ctx) => {
    const key = new URL(request.url).pathname.slice(1);
    const object = await env.BUCKET.get(key);
    return new Response(object?.body ?? "", { status: object ? 200 : 404 });
  },
};

Now, from inside the container sandbox, curl http://my.kv/some-key will access Workers KV and curl http://my.r2/some-object will access R2.

Use ctx.containerId to reference the container's automatically provisioned Durable Object.

export class MyContainer extends Container {}

MyContainer.outboundByHost = {
  "get-state.do": async (request, env, ctx) => {
    const id = env.MY_CONTAINER.idFromString(ctx.containerId);
    const stub = env.MY_CONTAINER.get(id);
    return stub.getStateForKey(request.body);
  },
};

This provides an easy way to associate state with any container instance, and includes a built-in SQLite database.

Upgrade to @cloudflare/containers version 0.2.0 or later, or @cloudflare/sandbox version 0.8.0 or later to use outbound Workers.

Refer to Containers outbound traffic and Sandboxes outbound traffic for more details and examples.

Radar ships several improvements to the URL Scanner ↗ that make scan reports more informative and easier to share:

• Live screenshots — the summary card now includes an option to capture a live screenshot of the scanned URL on demand using the Browser Rendering API.
• Save as PDF — a new button generates a print-optimized document aggregating all tab contents (Summary, Security, Network, Behavior, and Indicators) into a single file.
• Download as JSON — raw scan data is available as a JSON download for programmatic use.
• Redesigned summary layout — page information and security details are now displayed side by side with the screenshot, with a layout that adapts to narrower viewports.
• File downloads — downloads are separated into a dedicated card with expandable rows showing each file's source URL and SHA256 hash.
• Detailed IP address data — the Network tab now includes additional detail per IP address observed during the scan.

Explore these improvements on the Cloudflare Radar URL Scanner ↗.

Logpush now supports higher-precision timestamp formats for log output. You can configure jobs to output timestamps at millisecond or nanosecond precision. This is available in both the Logpush UI in the Cloudflare dashboard and the Logpush API.

To use the new formats, set timestamp_format in your Logpush job's output_options:

• rfc3339ms — 2024-02-17T23:52:01.123Z
• rfc3339ns — 2024-02-17T23:52:01.123456789Z

Default timestamp formats apply unless explicitly set. The dashboard defaults to rfc3339 and the API defaults to unixnano.

For more information, refer to the Log output options documentation.

Cloudflare now exposes four new fields in the Transform Rules phase that encode client certificate data in RFC 9440 ↗ format. Previously, forwarding client certificate information to your origin required custom parsing of PEM-encoded fields or non-standard HTTP header formats. These new fields produce output in the standardized Client-Cert and Client-Cert-Chain header format defined by RFC 9440, so your origin can consume them directly without any additional decoding logic.

Each certificate is DER-encoded, Base64-encoded, and wrapped in colons. For example, :MIIDsT...Vw==:. A chain of intermediates is expressed as a comma-separated list of such values.

The chain encoding follows the same ordering as the TLS handshake: the certificate closest to the leaf appears first, working up toward the trust anchor. The root certificate is not included.

Add a request header transform rule to set the Client-Cert and Client-Cert-Chain headers on requests forwarded to your origin server. For example, to forward headers for verified, non-revoked certificates:

Rule expression:

cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

Header modifications:

To get the most out of these fields, upload your client CA certificate to Cloudflare so that Cloudflare validates the client certificate at the edge and populates cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked.

For more information, refer to Mutual TLS authentication, Request Header Transform Rules, and the fields reference.

The new secrets configuration property lets you declare the secret names your Worker requires in your Wrangler configuration file. Required secrets are validated during local development and deploy, and used as the source of truth for type generation.

{
  "secrets": {
    "required": ["API_KEY", "DB_PASSWORD"],
  },
}

[secrets]
required = [ "API_KEY", "DB_PASSWORD" ]

When secrets is defined, wrangler dev and vite dev load only the keys listed in secrets.required from .dev.vars or .env/process.env. Additional keys in those files are excluded. If any required secrets are missing, a warning is logged listing the missing names.

wrangler types generates typed bindings from secrets.required instead of inferring names from .dev.vars or .env. This lets you run type generation in CI or other environments where those files are not present. Per-environment secrets are supported — the aggregated Env type marks secrets that only appear in some environments as optional.

wrangler deploy and wrangler versions upload validate that all secrets in secrets.required are configured on the Worker before the operation succeeds. If any required secrets are missing, the command fails with an error listing which secrets need to be set.

For more information, refer to the secrets configuration property reference.

AI Crawl Control now supports extending the underlying WAF rule with custom modifications. Any changes you make directly in the WAF custom rules editor — such as adding path-based exceptions, extra user agents, or additional expression clauses — are preserved when you update crawler actions in AI Crawl Control.

If the WAF rule expression has been modified in a way AI Crawl Control cannot parse, a warning banner appears on the Crawlers page with a link to view the rule directly in WAF.

For more information, refer to WAF rule management.

You can now control how Cloudflare handles origin responses without changing your origin. Cache Response Rules let you modify Cache-Control directives, manage cache tags, and strip headers like Set-Cookie from origin responses before they reach Cloudflare's cache. Whether traffic is cached or passed through dynamically, these rules give you control over origin response behavior that was previously out of reach.

Cache Rules previously only operated on request attributes. Cache Response Rules introduce a new response phase that evaluates origin responses and lets you act on them before caching. You can now:

• Modify Cache-Control directives: Set or remove individual directives like no-store, no-cache, max-age, s-maxage, stale-while-revalidate, immutable, and more. For example, remove a no-cache directive your origin sends so Cloudflare can cache the asset, or set an s-maxage to control how long Cloudflare stores it.
• Set a different browser Cache-Control: Send a different Cache-Control header downstream to browsers and other clients than what Cloudflare uses internally, giving you independent control over edge and browser caching strategies.
• Manage cache tags: Add, set, or remove cache tags on responses, including converting tags from another CDN's header format into Cloudflare's Cache-Tag header. This is especially useful if you are migrating from a CDN that uses a different tag header or delimiter.
• Strip headers that block caching: Remove Set-Cookie, ETag, or Last-Modified headers from origin responses before caching, so responses that would otherwise be treated as uncacheable can be stored and served from cache.

• No origin changes required: Fix caching behavior entirely from Cloudflare, even when your origin configuration is locked down or managed by a different team.
• Simpler CDN migration: Match caching behavior from other CDN providers without rewriting your origin. Translate cache tag formats and override directives that do not align with Cloudflare's defaults.
• Native support, fewer workarounds: Functionality that previously required workarounds is now built into Cache Rules with full Tiered Cache compatibility.
• Fine-grained control: Use expressions to match on request and response attributes, then apply precise cache settings per rule. Rules are stackable and composable with existing Cache Rules.

Configure Cache Response Rules in the Cloudflare dashboard ↗ under Caching > Cache Rules, or via the Rulesets API ↗. For more details, refer to the Cache Rules documentation ↗.

Containers now support Docker Hub ↗ images. You can use a fully qualified Docker Hub image reference in your Wrangler configuration ↗ instead of first pushing the image to Cloudflare Registry.

{
  "containers": [
    {
      // Example: docker.io/cloudflare/sandbox:0.7.18
      "image": "docker.io/<NAMESPACE>/<REPOSITORY>:<TAG>",
    },
  ],
}

[[containers]]
image = "docker.io/<NAMESPACE>/<REPOSITORY>:<TAG>"

Containers also support private Docker Hub images. To configure credentials, refer to Use private Docker Hub images.

For more information, refer to Image management.

Cloudflare Gateway now supports OIDC Claims as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.

With this update, you can:

• Filter traffic in DNS, HTTP, and Network firewall policies based on OIDC claim values.
• Apply custom resolver policies to route DNS queries to specific resolvers depending on a user's OIDC claims.
• Control egress policies to assign dedicated egress IPs based on OIDC claim attributes.

For example, you can create a policy that routes traffic differently for users with department=engineering in their OIDC claims, or restrict access to certain destinations based on a user's role claim.

To get started, configure custom OIDC claims on your identity provider and use the OIDC Claims selector in the Gateway policy builder.

For more information, refer to Identity-based policies.

The top-level Interconnects page in the Cloudflare dashboard has been removed. Interconnects are now located under Connectors > Interconnects.

Your existing configurations and functionality remain the same.

Dynamic Workers are now in open beta ↗ for all paid Workers users. You can now have a Worker spin up other Workers, called Dynamic Workers, at runtime to execute code on-demand in a secure, sandboxed environment. Dynamic Workers start in milliseconds, making them well suited for fast, secure code execution at scale.

• Code Mode: LLMs are trained to write code. Run tool-calling logic written in code instead of stepping through many tool calls, which can save up to 80% in inference tokens and cost.
• AI agents executing code: Run code for tasks like data analysis, file transformation, API calls, and chained actions.
• Running AI-generated code: Run generated code for prototypes, projects, and automations in a secure, isolated sandboxed environment.
• Fast development and previews: Load prototypes, previews, and playgrounds in milliseconds.
• Custom automations: Create custom tools on the fly that execute a task, call an integration, or automate a workflow.

Dynamic Workers support two loading modes:

• load(code) — for one-time code execution (equivalent to calling get() with a null ID).
• get(id, callback) — caches a Dynamic Worker by ID so it can stay warm across requests. Use this when the same code will receive subsequent requests.

export default {
  async fetch(request, env) {
    const worker = env.LOADER.load({
      compatibilityDate: "2026-01-01",
      mainModule: "src/index.js",
      modules: {
        "src/index.js": `
          export default {
            fetch() {
              return new Response("Hello from a dynamic Worker");
            },
          };
        `,
      },
      // Block all outbound network access from the Dynamic Worker.
      globalOutbound: null,
    });

    return worker.getEntrypoint().fetch(request);
  },
};

export default {
  async fetch(request: Request, env: Env): Promise<Response> {
    const worker = env.LOADER.load({
      compatibilityDate: "2026-01-01",
      mainModule: "src/index.js",
      modules: {
        "src/index.js": `
          export default {
            fetch() {
              return new Response("Hello from a dynamic Worker");
            },
          };
        `,
      },
      // Block all outbound network access from the Dynamic Worker.
      globalOutbound: null,
    });

    return worker.getEntrypoint().fetch(request);
  },
};

Here are 3 new libraries to help you build with Dynamic Workers:

• @cloudflare/codemode ↗: Replace individual tool calls with a single code() tool, so LLMs write and execute TypeScript that orchestrates multiple API calls in one pass.

• @cloudflare/worker-bundler ↗: Resolve npm dependencies and bundle source files into ready-to-load modules for Dynamic Workers, all at runtime.

• @cloudflare/shell ↗: Give your agent a virtual filesystem inside a Dynamic Worker with persistent storage backed by SQLite and R2.

Dynamic Workers Starter

Use this starter ↗ to deploy a Worker that can load and execute Dynamic Workers.

Dynamic Workers Playground

Deploy the Dynamic Workers Playground ↗ to write or import code, bundle it at runtime with @cloudflare/worker-bundler, execute it through a Dynamic Worker, and see real-time responses and execution logs.

For the full API reference and configuration options, refer to the Dynamic Workers documentation.

Dynamic Workers pricing is based on three dimensions: Dynamic Workers created daily, requests, and CPU time.

¹ Uses Workers Standard rates and will appear as part of your existing Workers bill, not as separate Dynamic Workers charges.

Note: Dynamic Workers requests and CPU time are already billed as part of your Workers plan and will count toward your Workers requests and CPU usage. The Dynamic Workers created daily charge is not yet active — you will not be billed for the number of Dynamic Workers created at this time. Pricing information is shared in advance so you can estimate future costs.

Workflow instance methods pause(), resume(), restart(), and terminate() are now available in local development when using wrangler dev.

You can now test the full Workflow instance lifecycle locally:

const instance = await env.MY_WORKFLOW.create({
  id: "my-instance-id",
});

await instance.pause(); // pauses a running workflow instance
await instance.resume(); // resumes a paused instance
await instance.restart(); // restarts the instance from the beginning
await instance.terminate(); // terminates the instance immediately

The latest release of the Agents SDK ↗ exposes agent state as a readable property, prevents duplicate schedule rows across Durable Object restarts, brings full TypeScript inference to AgentClient, and migrates to Zod 4.

Both useAgent (React) and AgentClient (vanilla JS) now expose a state property that reflects the current agent state. Previously, reading state required manually tracking it through the onStateUpdate callback.

React (useAgent)

const agent = useAgent({
  agent: "game-agent",
  name: "room-123",
});

// Read state directly — no separate useState + onStateUpdate needed
return <div>Score: {agent.state?.score}</div>;

// Spread for partial updates
agent.setState({ ...agent.state, score: (agent.state?.score ?? 0) + 10 });

const agent = useAgent<GameAgent, GameState>({
  agent: "game-agent",
  name: "room-123",
});

// Read state directly — no separate useState + onStateUpdate needed
return <div>Score: {agent.state?.score}</div>;

// Spread for partial updates
agent.setState({ ...agent.state, score: (agent.state?.score ?? 0) + 10 });

agent.state is reactive — the component re-renders when state changes from either the server or a client-side setState() call.

Vanilla JS (AgentClient)

const client = new AgentClient({
  agent: "game-agent",
  name: "room-123",
  host: "your-worker.workers.dev",
});

client.setState({ score: 100 });
console.log(client.state); // { score: 100 }

const client = new AgentClient<GameAgent>({
  agent: "game-agent",
  name: "room-123",
  host: "your-worker.workers.dev",
});

client.setState({ score: 100 });
console.log(client.state); // { score: 100 }

State starts as undefined and is populated when the server sends the initial state on connect (from initialState) or when setState() is called. Use optional chaining (agent.state?.field) for safe access. The onStateUpdate callback continues to work as before — the new state property is additive.

schedule() now supports an idempotent option that deduplicates by (type, callback, payload), preventing duplicate rows from accumulating when called in places that run on every Durable Object restart such as onStart().

Cron schedules are idempotent by default. Calling schedule("0 * * * *", "tick") multiple times with the same callback, expression, and payload returns the existing schedule row instead of creating a new one. Pass { idempotent: false } to override.

Delayed and date-scheduled types support opt-in idempotency:

import { Agent } from "agents";

class MyAgent extends Agent {
  async onStart() {
    // Safe across restarts — only one row is created
    await this.schedule(60, "maintenance", undefined, { idempotent: true });
  }
}

import { Agent } from "agents";

class MyAgent extends Agent {
  async onStart() {
    // Safe across restarts — only one row is created
    await this.schedule(60, "maintenance", undefined, { idempotent: true });
  }
}

Two new warnings help catch common foot-guns:

• Calling schedule() inside onStart() without { idempotent: true } emits a console.warn with actionable guidance (once per callback; skipped for cron and when idempotent is set explicitly).
• If an alarm cycle processes 10 or more stale one-shot rows for the same callback, the SDK emits a console.warn and a schedule:duplicate_warning diagnostics channel event.

AgentClient now accepts an optional agent type parameter for full type inference on RPC calls, matching the typed experience already available with useAgent.

const client = new AgentClient({
  agent: "my-agent",
  host: window.location.host,
});

// Typed call — method name autocompletes, args and return type inferred
const value = await client.call("getValue");

// Typed stub — direct RPC-style proxy
await client.stub.getValue();
await client.stub.add(1, 2);

const client = new AgentClient<MyAgent>({
  agent: "my-agent",
  host: window.location.host,
});

// Typed call — method name autocompletes, args and return type inferred
const value = await client.call("getValue");

// Typed stub — direct RPC-style proxy
await client.stub.getValue();
await client.stub.add(1, 2);

State is automatically inferred from the agent type, so onStateUpdate is also typed:

const client = new AgentClient({
  agent: "my-agent",
  host: window.location.host,
  onStateUpdate: (state) => {
    // state is typed as MyAgent's state type
  },
});

const client = new AgentClient<MyAgent>({
  agent: "my-agent",
  host: window.location.host,
  onStateUpdate: (state) => {
    // state is typed as MyAgent's state type
  },
});

Existing untyped usage continues to work without changes. The RPC type utilities (AgentMethods, AgentStub, RPCMethods) are now exported from agents/client for advanced typing scenarios. agents, @cloudflare/ai-chat, and @cloudflare/codemode now require zod ^4.0.0. Zod v3 is no longer supported.

• Turn serialization — onChatMessage() and _reply() work is now queued so user requests, tool continuations, and saveMessages() never stream concurrently.
• Duplicate messages on stop — Clicking stop during an active stream no longer splits the assistant message into two entries.
• Duplicate messages after tool calls — Orphaned client IDs no longer leak into persistent storage.

keepAlive() now uses a lightweight in-memory ref count instead of schedule rows. Multiple concurrent callers share a single alarm cycle. The @experimental tag has been removed from both keepAlive() and keepAliveWhile().

A new entry point @cloudflare/codemode/tanstack-ai adds support for TanStack AI's ↗ chat() as an alternative to the Vercel AI SDK's streamText():

import {
  createCodeTool,
  tanstackTools,
} from "@cloudflare/codemode/tanstack-ai";
import { chat } from "@tanstack/ai";

const codeTool = createCodeTool({
  tools: [tanstackTools(myServerTools)],
  executor,
});

const stream = chat({ adapter, tools: [codeTool], messages });

import { createCodeTool, tanstackTools } from "@cloudflare/codemode/tanstack-ai";
import { chat } from "@tanstack/ai";

const codeTool = createCodeTool({
  tools: [tanstackTools(myServerTools)],
  executor,
});

const stream = chat({ adapter, tools: [codeTool], messages });

To update to the latest version:

npm i agents@latest @cloudflare/ai-chat@latest

AI Search now offers new REST API endpoints for search and chat that use an OpenAI compatible format. This means you can use the familiar messages array structure that works with existing OpenAI SDKs and tools. The messages array also lets you pass previous messages within a session, so the model can maintain context across multiple turns.

Here is an example request to the Chat Completions endpoint using the new messages array format:

curl https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai-search/instances/{NAME}/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer {API_TOKEN}" \
  -d '{
    "messages": [
      {
        "role": "system",
        "content": "You are a helpful documentation assistant."
      },
      {
        "role": "user",
        "content": "How do I get started?"
      }
    ]
  }'

For more details, refer to the AI Search REST API guide.

If you are using the previous AutoRAG API endpoints (/autorag/rags/), we recommend migrating to the new endpoints. The previous AutoRAG API endpoints will continue to be fully supported.

Refer to the migration guide for step-by-step instructions.

AI Search now supports public endpoints, UI snippets, and MCP, making it easy to add search to your website or connect AI agents.

Public endpoints allow you to expose AI Search capabilities without requiring API authentication. To enable public endpoints:

1. Go to AI Search in the Cloudflare dashboard. Go to AI Search
2. Select your instance, and turn on Public Endpoint in Settings. For more details, refer to Public endpoint configuration.

UI snippets are pre-built search and chat components you can embed in your website. Visit search.ai.cloudflare.com ↗ to configure and preview components for your AI Search instance.

To add a search modal to your page:

<script
  type="module"
  src="https://<INSTANCE_ID>.search.ai.cloudflare.com/assets/v0.0.25/search-snippet.es.js"
></script>

<search-modal-snippet
  api-url="https://<INSTANCE_ID>.search.ai.cloudflare.com/"
  placeholder="Search..."
>
</search-modal-snippet>

For more details, refer to the UI snippets documentation.

The MCP endpoint allows AI agents to search your content via the Model Context Protocol. Connect your MCP client to:

https://<INSTANCE_ID>.search.ai.cloudflare.com/mcp

For more details, refer to the MCP documentation.

AI Search now supports custom metadata filtering, allowing you to define your own metadata fields and filter search results based on attributes like category, version, or any custom field you define.

You can define up to 5 custom metadata fields per AI Search instance. Each field has a name and data type (text, number, or boolean):

curl -X POST https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai-search/instances \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer {API_TOKEN}" \
  -d '{
    "id": "my-instance",
    "type": "r2",
    "source": "my-bucket",
    "custom_metadata": [
      { "field_name": "category", "data_type": "text" },
      { "field_name": "version", "data_type": "number" },
      { "field_name": "is_public", "data_type": "boolean" }
    ]
  }'

How you attach metadata depends on your data source:

• R2 bucket: Set metadata using S3-compatible custom headers (x-amz-meta-*) when uploading objects. Refer to R2 custom metadata for examples.
• Website: Add <meta> tags to your HTML pages. Refer to Website custom metadata for details.

Use custom metadata fields in your search queries alongside built-in attributes like folder and timestamp:

curl https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai-search/instances/{NAME}/search \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer {API_TOKEN}" \
  -d '{
    "messages": [
      {
        "content": "How do I configure authentication?",
        "role": "user"
      }
    ],
    "ai_search_options": {
      "retrieval": {
        "filters": {
          "category": "documentation",
          "version": { "$gte": 2.0 }
        }
      }
    }
  }'

Learn more in the metadata filtering documentation.

Two new fields are now available in the httpRequestsAdaptive and httpRequestsAdaptiveGroups GraphQL Analytics API datasets:

• webAssetsOperationId — the ID of the saved endpoint that matched the incoming request.
• webAssetsLabelsManaged — the managed labels mapped to the matched operation at the time of the request (for example, cf-llm, cf-log-in). At most 10 labels are returned per request.

Both fields are empty when no operation matched. webAssetsLabelsManaged is also empty when no managed labels are assigned to the matched operation.

These fields allow you to determine, per request, which Web Assets operation was matched and which managed labels were active. This is useful for troubleshooting downstream security detection verdicts — for example, understanding why AI Security for Apps did or did not flag a request.

Refer to Endpoint labeling service for GraphQL query examples.

R2 SQL now supports an expanded SQL grammar so you can write richer analytical queries without exporting data. This release adds CASE expressions, column aliases, arithmetic in clauses, 163 scalar functions, 33 aggregate functions, EXPLAIN, Common Table Expressions (CTEs),and full struct/array/map access. R2 SQL is Cloudflare's serverless, distributed, analytics query engine for querying Apache Iceberg ↗ tables stored in R2 Data Catalog. This page documents the supported SQL syntax.

• Column aliases — SELECT col AS alias now works in all clauses
• CASE expressions — conditional logic directly in SQL (searched and simple forms)
• Scalar functions — 163 new functions across math, string, datetime, regex, crypto, encoding, and type inspection categories
• Aggregate functions — statistical (variance, stddev, correlation, regression), bitwise, boolean, and positional aggregates join the existing basic and approximate functions
• Complex types — query struct fields with bracket notation, use 46 array functions, and extract map keys/values
• Common table expressions (CTEs) — use WITH ... AS to define named temporary result sets. Chained CTEs are supported. All CTEs must reference the same single table.
• Full expression support — arithmetic, type casting (CAST, TRY_CAST, :: shorthand), and EXTRACT in SELECT, WHERE, GROUP BY, HAVING, and ORDER BY

SELECT source,
    CASE
        WHEN AVG(price) > 30 THEN 'premium'
        WHEN AVG(price) > 10 THEN 'mid-tier'
        ELSE 'budget'
    END AS tier,
    round(stddev(price), 2) AS price_volatility,
    approx_percentile_cont(price, 0.95) AS p95_price
FROM my_namespace.sales_data
GROUP BY source

SELECT product_name,
    pricing['price'] AS price,
    array_to_string(tags, ', ') AS tag_list
FROM my_namespace.products
WHERE array_has(tags, 'Action')
ORDER BY pricing['price'] DESC
LIMIT 10

WITH monthly AS (
    SELECT date_trunc('month', sale_timestamp) AS month,
        department,
        COUNT(*) AS transactions,
        round(AVG(total_amount), 2) AS avg_amount
    FROM my_namespace.sales_data
    WHERE sale_timestamp BETWEEN '2025-01-01T00:00:00Z' AND '2025-12-31T23:59:59Z'
    GROUP BY date_trunc('month', sale_timestamp), department
),
ranked AS (
    SELECT month, department, transactions, avg_amount,
        CASE
            WHEN avg_amount > 1000 THEN 'high-value'
            WHEN avg_amount > 500 THEN 'mid-value'
            ELSE 'standard'
        END AS tier
    FROM monthly
    WHERE transactions > 100
)
SELECT * FROM ranked
ORDER BY month, avg_amount DESC

For the full function reference and syntax details, refer to the SQL reference. For limitations and best practices, refer to Limitations and best practices.

This week's release focuses on new improvements to enhance coverage.

Key Findings

• Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

DNS Analytics is now available for customers with Customer Metadata Boundary (CMB) set to EU. Query your DNS analytics data while keeping metadata stored in the EU region.

This update includes:

• DNS Analytics — Access the same DNS analytics experience for zones in CMB=EU accounts.
• EU data residency — Analytics data is stored and queried from the EU region, meeting data localization requirements.
• DNS Firewall Analytics — DNS Firewall analytics is now supported for CMB=EU customers.

Available to customers with the Data Localization Suite who have Customer Metadata Boundary configured for the EU region.

• Authoritative DNS: In the Cloudflare dashboard, select your zone and go to the Analytics page.

  Go to Analytics

• DNS Firewall: In the Cloudflare dashboard, go to the DNS Firewall Analytics page.

  Go to Analytics

For more information, refer to DNS Analytics and DNS Firewall Analytics.

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

• Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.
• Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One ↗ and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

Each VPC Service now has a Metrics tab so you can monitor connection health and debug failures without leaving the dashboard.

• Connections — See successful and failed connections over time, broken down by what is responsible: your origin (Bad Upstream), your configuration (Client), or Cloudflare (Internal).
• Latency — Track connection and DNS resolution latency trends.
• Errors — Drill into specific error codes grouped by category, with filters to isolate upstream, client, or internal failures.

You can also view and edit your VPC Service configuration, host details, and port assignments from the Settings tab.

For a full list of error codes and what they mean, refer to Troubleshooting.

Service Key authentication for the Cloudflare API is deprecated. Service Keys will stop working on September 30, 2026.

API Tokens replace Service Keys with fine-grained permissions, expiration, and revocation.

Replace any use of the X-Auth-User-Service-Key header with an API Token scoped to the permissions your integration requires.

If you use cloudflared, update to a version from November 2022 or later. These versions already use API Tokens.

If you use origin-ca-issuer ↗, update to a version that supports API Token authentication.

For more information, refer to API deprecations.

Hyperdrive now supports custom TLS/SSL certificates for MySQL databases, bringing the same certificate options previously available for PostgreSQL to MySQL connections.

You can now configure:

• Server certificate verification with VERIFY_CA or VERIFY_IDENTITY SSL modes to verify that your MySQL database server's certificate is signed by the expected certificate authority (CA).
• Client certificates (mTLS) for Hyperdrive to authenticate itself to your MySQL database with credentials beyond username and password.

Create a Hyperdrive configuration with custom certificates for MySQL:

# Upload a CA certificate
npx wrangler cert upload certificate-authority --ca-cert your-ca-cert.pem --name your-custom-ca-name

# Create a Hyperdrive with VERIFY_IDENTITY mode
npx wrangler hyperdrive create your-hyperdrive-config \
  --connection-string="mysql://user:password@hostname:port/database" \
  --ca-certificate-id <CA_CERT_ID> \
  --sslmode VERIFY_IDENTITY

For more information, refer to SSL/TLS certificates for Hyperdrive and MySQL TLS/SSL modes.