The Model Context Protocol was supposed to be the answer. A universal standard for AI agents to talk to external tools – clean, structured, predictable. And it worked. Until your agent needed to call an API with 2,500 endpoints.
That’s where things fell apart. Because stuffing 2,500 tool definitions into an LLM’s context window burns through roughly 1.17 million tokens before the model even starts thinking. At current pricing, you’re paying for a novel-length prompt just to ask “what’s the status of my DNS record?”
But here’s the deeper problem that most people miss. An AI system on its own can only produce text. That’s it. ChatGPT’s first version? Text in, text out. To make AI agents actually useful – sending emails, deploying infrastructure, managing firewalls – we invented tool calling. The LLM outputs a structured JSON describing which function to call, and the client application parses that JSON and actually takes the action. The AI never clicks a button. It never makes an HTTP request. It just writes JSON and hopes the client does the right thing.
Now stack that mental model against Cloudflare’s API with over 2,500 endpoints. Every single tool definition – its name, parameters, types, descriptions – has to sit inside the context window alongside the actual user task. Picture your 200K context window. Gmail tools eat a chunk. Slack tools eat another chunk. Add a third service and suddenly your “intelligent” agent has used most of its brain just memorizing tool catalogs.
Cloudflare saw this. And instead of patching MCP, they rethought the entire approach. Their solution – Code Mode – doesn’t feed agents tool schemas. It gives them a TypeScript SDK and says: “Write code.” The result? That 1.17-million-token context bill? Collapsed to roughly 1,000 tokens. Fixed size. Doesn’t grow no matter how many endpoints you add.
That’s not an optimization. That’s a paradigm shift.
How Code Mode Actually Works
Here’s the thing about traditional MCP tool calling: it treats LLMs like switchboard operators. You hand the model a giant catalog of every possible action – create_dns_record, list_workers, update_firewall_rule – and it picks one, fills in the JSON parameters, and sends it off. For APIs with a handful of endpoints, this works fine.
But Cloudflare’s own API has over 2,500 endpoints. Loading all those tool definitions into a model’s context window is like handing someone a 400-page phone book and asking them to make one call. Most of that context is wasted.
Code Mode flips the script entirely. Instead of pre-loading a massive tool catalog, their new MCP server exports just two tools:
search()– Takes a JavaScript async arrow function that queries the OpenAPI spec. The agent writes code to filter endpoints by product, path, tags, or any metadata – narrowing thousands of endpoints to the handful it needs.execute()– Takes a JavaScript async arrow function that runs authenticated calls against the Cloudflare API.
And here’s the critical detail most summaries miss: both tools expect code, not natural language. When the agent calls search(), it doesn’t type “find me DNS endpoints.” It writes an actual JavaScript function that filters the OpenAPI spec programmatically. The server runs that code in a Workers isolate and returns the results.
This is a subtle but brilliant design choice. Cloudflare doesn’t need to deploy an AI system on their end to interpret natural language queries. The agent writes code. Code is unambiguous. Code executes deterministically. And Cloudflare’s existing Workers infrastructure can run it securely at zero marginal cost.
What makes this clever is that LLMs are genuinely good at writing code. They’ve been trained on billions of lines of real-world TypeScript, JavaScript, and Python. Generating code against a typed SDK is something they do naturally. Generating perfectly formatted JSON tool-call schemas from synthetic training data? That’s the part they struggle with.
Cloudflare is essentially playing to the LLM’s strength. And the numbers back it up.
The Token Math That Changes Everything
I’ve been tracking the economics of agentic AI for months, and the token efficiency gains here are staggering. Cloudflare published a comparison table that tells the whole story:
| Approach | Tools/Endpoints | Token Cost |
|---|---|---|
| Raw OpenAPI Spec + Prompt | 2,500+ endpoints | ~2,000,000 tokens |
| Native MCP (Full Schemas) | 2,600 tools | ~1,170,000 tokens |
| Native MCP (Required Params Only) | 2,600 tools | ~244,000 tokens |
| Code Mode | 2 tools | ~1,000 tokens |
Read that again. Even if you strip MCP tool definitions down to just required parameters – dropping optional fields, condensing descriptions – you’re still at 244K tokens. That’s over the context window of most production models. Code Mode doesn’t just optimize; it makes the problem disappear entirely.
And the footprint stays fixed. Whether Cloudflare adds 100 new endpoints or 1,000, Code Mode still uses ~1,000 tokens. The size of the API is decoupled from the token cost. That’s the architectural insight that matters.
The efficiency compounds for complex operations too. With traditional tool calling, a task that requires chaining five API calls means five round-trips to the LLM, each time re-feeding intermediate results back into the context window. With Code Mode, the agent writes a single function that chains all five calls, runs it once, and returns only the final result.
This is the same principle that made programmatic tool calling so compelling when Anthropic introduced it for Claude Sonnet 4.6. But Cloudflare has taken the concept further by building the entire discovery-and-execution infrastructure as a managed platform.
Code as a Communication Layer: The Real Insight
Everyone’s focused on the token savings. But the real breakthrough is more fundamental: Code Mode uses code as a communication protocol between agent and API.
Think about what happens without Code Mode. You’d need natural language parsing on both sides. The agent says “I need to protect my origin from DDoS attacks” in natural language. The API server would need its own AI system to interpret that intent, figure out which endpoints to surface, and respond. You’d have AI talking to AI, with all the ambiguity and hallucination risk that implies.
Code Mode removes that entirely. The agent writes code. Code is precise. Code is deterministic. Cloudflare just executes it – no NLP, no interpretation, no second AI. It’s the same workflow that human developers have always used: search documentation, write code, execute it. Except now the agent is the developer.
Cloudflare actually walks through a concrete example in their blog post. Suppose a user tells their agent: “Protect my origin from DDoS attacks.” Here’s the flow:
Step 1: Preliminary research. The agent consults Cloudflare’s documentation (via a docs MCP server or web search) and learns: “Put Cloudflare WAF and DDoS protection rules in front of the origin.”
Step 2: Search for relevant APIs. The agent doesn’t know which endpoints to call yet. So it calls search() with a JavaScript function that filters the OpenAPI spec for WAF and DDoS-related endpoints. The code runs in a Workers isolate, and the agent gets back just the relevant endpoint schemas – not the full 2,500-endpoint catalog.
Step 3: Inspect and drill deeper. The agent can call search() again to inspect a specific endpoint’s schema – what parameters it accepts, what rulesets are available. This loop continues until the agent has enough information to act.
Step 4: Execute. The agent switches to execute(), writing code that calls the authenticated Cloudflare API: listing existing rulesets, checking current WAF rules, and updating DDoS sensitivity levels.
The entire operation – from searching the spec, to inspecting schemas, to listing rulesets and fetching configurations – takes about four tool calls. With traditional MCP? You’d need the agent to parse through hundreds of pre-loaded tool definitions, burning through your context window before you even start.
And Cloudflare is providing this Worker execution essentially as free compute for agents. They eat the cost of running the isolates (Workers typically cost $0.30 per million executions) because the real monetization is getting agents deeply integrated into the Cloudflare platform. Smart.
The Security Model: V8 Isolates and the “Dynamic Worker Loader”
Here’s where I didn’t expect Cloudflare to have such a strong answer. Because letting an LLM generate and execute arbitrary code sounds terrifying. Prompt injection? Unauthorized API calls? Data exfiltration? These are legitimate concerns.
Cloudflare’s answer is the Dynamic Worker Loader – an API that spawns lightweight V8 isolates on demand to run agent-generated code. Every code execution gets its own sandbox with these constraints:
- No file system access. The isolate can’t read or write files.
- No environment variables. It can’t sniff out secrets.
- No outbound fetches by default. The sandbox can’t call arbitrary URLs. All external communication is mediated through explicitly defined TypeScript APIs.
- Authentication handled externally. API keys are injected by the host, never exposed to the generated code. The agent never sees credentials.
- Memory isolation. Each V8 isolate maintains completely isolated memory, making cross-contamination between executions impossible.
Cloudflare also leverages hardware-level memory protection keys to further isolate V8 isolates. Even if an attacker somehow triggers a V8 heap corruption, the memory protection boundaries prevent escalation.
This is where Cloudflare’s existing infrastructure gives them a massive advantage. They’ve been running V8 isolates at planet scale for years through Cloudflare Workers. The same technology that powers billions of edge computing requests now sandboxes AI-generated code. They didn’t build new security infrastructure – they adapted battle-tested systems.
Think of it like this: Docker containers are castles with walls. V8 isolates are prison cells inside the castle. Code Mode puts the LLM’s generated code inside the cell and throws away the key.
Why Not CLI? Why Not Client-Side? The Alternatives Cloudflare Rejected
Cloudflare didn’t arrive at server-side Code Mode on their first try. They explored several approaches, and understanding why they rejected the alternatives is as instructive as understanding Code Mode itself.
Client-side Code Mode was their first iteration. Same concept – agent writes code – but the code executed on the user’s machine, not on Cloudflare’s servers. The problem? It requires the agent to ship with a secure sandbox. Tools like Anthropic’s Claude SDK programming tool calling support this, but not every agent framework does. If your agent can’t safely execute arbitrary code locally, you’re stuck.
CLI-based access is another path. Cloudflare has a CLI, and tools like OpenClaw and MCPorter can convert MCP servers into command-line interfaces, giving agents progressive disclosure of capabilities. But CLIs need a shell.
And giving an AI agent shell access violates the principle of least privilege – the agent only needs to make specific HTTP calls to Cloudflare’s API, but a shell gives it the ability to run anything on the system. The attack surface goes from a single API endpoint to the entire operating system.
Dynamic tool search takes a middle path: maintain a search function that surfaces a smaller, relevant subset of tools for the current task. This shrinks context usage, but you still need to maintain and evolve that search function, and you’re still loading tool schemas into the context window – just fewer of them.
Code Mode on the server side sidesteps all of these limitations. The agent writes code. Cloudflare executes it in an isolate they control. No local sandbox required. No shell access. No tool schemas in the context. It’s the cleanest separation of concerns in the agentic tooling space right now.
Code Mode vs. Traditional Tool Calling: The Real Trade-offs
I want to be honest here, because Code Mode isn’t a silver bullet. There are legitimate trade-offs.
Where Code Mode wins:
- Large APIs. Anything with more than ~50 endpoints is dramatically more efficient with Code Mode.
- Multi-step operations. Tasks requiring loops, conditionals, or chaining multiple calls are handled in a single execution.
- Token cost. For enterprise APIs at scale, the savings are enormous.
- API evolution. Cloudflare can update their API spec without requiring any changes on the agent’s side – the agent discovers endpoints dynamically.
Where traditional tool calling still makes sense:
- Complex reasoning tasks. If each step of a workflow requires the LLM to reason about the previous step’s output before deciding what to do next, you need the model in the loop. Code Mode assumes the agent can plan the entire sequence upfront, which isn’t always true for non-deterministic tasks.
- Simple, single-tool calls. For an API with 10 endpoints, the overhead of code generation might actually add latency compared to a direct JSON tool call.
- Debugging. When generated code silently calls the wrong endpoint but doesn’t produce a schema violation, troubleshooting gets harder. With traditional tool calling, you can inspect exactly which tool was invoked and with what parameters.
The AI coding tools landscape has been moving toward this kind of “let the LLM write code” paradigm for a while. What Cloudflare has done is build the infrastructure to make it safe and scalable for production API interactions – not just coding assistants.
What This Means For Developers Building AI Agents
If you’re building agentic AI systems, Code Mode represents a fundamental shift in how you should think about tool integration. The implications are concrete.
1. API-first agents become viable at any scale. Before Code Mode, connecting an agent to a large API was a context-window management nightmare. Now, the size of the API is essentially irrelevant to the token cost. You connect an agent to Cloudflare’s 2,500-endpoint API for the same token cost as a 10-endpoint API.
2. This is the blueprint for modern MCP servers. If you’re building an MCP server for your own product or organization, Code Mode is the pattern to follow. Expose a search() and execute() tool, back them with a Worker isolate (or equivalent sandbox), and let agents write code against your OpenAPI spec. This is the evolution of how MCP tool calling should work.
3. Sandbox-as-a-service is the new primitive. The Dynamic Worker Loader API – the ability to spawn V8 isolates on demand for arbitrary code execution – is arguably more important than Code Mode itself. Every AI agent platform needs a story for safely executing model-generated code. Cloudflare just turned theirs into a platform feature.
4. Context engineering matters more than ever. As we noted when discussing context window optimization, the models with the largest context windows aren’t necessarily winning. The teams that are most disciplined about what goes into those windows are. Code Mode is a masterclass in context engineering – less is more when the less is the right less.
Cloudflare also recently introduced “Markdown for Agents” – a companion feature that further reduces how much context agents need. Between the two, they’re building an entire stack for token-efficient agentic infrastructure.
The Bigger Picture: Infrastructure Companies Are Winning the Agent Race
What strikes me about Cloudflare’s play is the strategic clarity. While model labs compete on benchmark scores – and we’ve documented just how misleading those benchmarks can be – infrastructure companies are quietly building the layer that actually determines whether agents work in production.
Google has UCP for the commerce layer. Anthropic has MCP for the protocol layer. And now Cloudflare has Code Mode for the execution layer.
The pattern is clear: the value in agentive AI isn’t just in the model. It’s in the infrastructure that connects models to real-world actions – efficiently, securely, and at scale. Cloudflare sits at an interesting intersection here, because they already control a huge chunk of the internet’s infrastructure. Adding AI agent execution to that position is a natural (and frankly, smart) move.
But there’s a constraint worth noting: Code Mode currently shines brightest on Cloudflare’s own platform. The sandbox is Cloudflare Workers. The API discovery is built for OpenAPI specs hosted by Cloudflare. If you’re building agents that interact primarily with non-Cloudflare services, you’ll need to either bring those APIs into the Cloudflare ecosystem or build your own sandbox infrastructure (which, as one Hacker News commenter noted, is “a significant operational burden”).
The Bottom Line
Cloudflare Code Mode is one of those ideas that seems obvious in hindsight. LLMs are better at writing code than generating JSON schemas. So give them a typed SDK, let them write code, and run it in a sandbox. Simple.
But the execution is what separates this from a blog post idea. The 99.9% token reduction, the V8 isolate security model, the Dynamic Worker Loader, the free compute for agent executions, the integration with MCP and the Cloudflare Agents SDK – this is production infrastructure, not a demo.
For developers building AI agents that need to interact with large APIs, Code Mode isn’t optional anymore. It’s the blueprint. And for the broader agentic AI ecosystem, it signals where the real engineering challenges are: not in bigger models, but in smarter infrastructure that makes those models genuinely useful.
The model writes the code. The sandbox runs it. The infrastructure scales it. That’s the stack for 2026.
FAQ
What is Cloudflare Code Mode?
Code Mode is Cloudflare’s approach to AI agent-API interaction. Instead of feeding LLMs massive lists of tool definitions (traditional MCP), agents get just two tools – search() and execute() – and write JavaScript code against a typed OpenAPI spec. That code runs in a secure V8 isolate sandbox on Cloudflare’s infrastructure. It reduces token usage by 99.9% for large APIs like Cloudflare’s 2,500+ endpoint API, using a fixed ~1,000 tokens regardless of API size.
Does Code Mode replace MCP?
No. Code Mode is a server-side optimization for how MCP servers expose capabilities to agents. Cloudflare built a new MCP server for their entire API that uses Code Mode internally. MCP still defines the protocol – Code Mode changes how the server implements it, replacing thousands of individual tools with two code-driven ones.
Is it safe to let LLMs generate and execute code?
Cloudflare addresses this with V8 isolate sandboxing (the same technology powering Cloudflare Workers at global scale). Each code execution runs in complete memory isolation with no file system access, no environment variables, and restricted outbound network access. API keys are injected externally, never exposed to generated code. Hardware-level memory protection keys add an additional layer against heap corruption exploits.
Can I use this pattern for my own APIs?
Yes. If your API has an OpenAPI specification, you can build a Code Mode-style MCP server that exposes search() and execute() tools backed by a sandbox runtime. The key requirement is a secure execution environment – Cloudflare uses Workers isolates, but you could use Deno, a V8 sandbox, or any isolated runtime. This is arguably the new standard for how MCP servers should be designed for large APIs.
How does Code Mode compare to OpenAI’s function calling?
OpenAI’s function calling has the LLM generate a JSON object describing which function to call. The app executes it and feeds results back. Code Mode has the LLM generate actual JavaScript code that orchestrates multiple calls, which runs in a managed sandbox. Code Mode is dramatically more efficient for large APIs (99.9% fewer tokens) and complex multi-step operations, but may add latency for simple single-tool calls where a direct JSON tool call would suffice.
