Blog

  • Radar – Content Type Dimension for AI Bots in Cloudflare Radar

    Radar now includes content type insights for AI bot and crawler traffic. The new content_type dimension and filter show the distribution of content types returned to AI crawlers, grouped by MIME type category.

    The content type dimension and filter are available via the following API endpoints:

    Content type categories:

    • HTML – Web pages (text/html)
    • Images – All image formats (image/*)
    • JSON – JSON data and API responses (application/json, *+json)
    • JavaScript – Scripts (application/javascript, text/javascript)
    • CSS – Stylesheets (text/css)
    • Plain Text – Unformatted text (text/plain)
    • Fonts – Web fonts (font/*, application/font-*)
    • XML – XML documents and feeds (text/xml, application/xml, application/rss+xml, application/atom+xml)
    • YAML – Configuration files (text/yaml, application/yaml)
    • Video – Video content and streaming (video/*, application/ogg, *mpegurl)
    • Audio – Audio content (audio/*)
    • Markdown – Markdown documents (text/markdown)
    • Documents – PDFs, Office documents, ePub, CSV (application/pdf, application/msword, text/csv)
    • Binary – Executables, archives, WebAssembly (application/octet-stream, application/zip, application/wasm)
    • Serialization – Binary API formats (application/protobuf, application/grpc, application/msgpack)
    • Other – All other content types

    Additionally, individual bot information pages now display content type distribution for AI crawlers that exist in both the Verified Bots and AI Bots datasets.

    Screenshot of the Content Type Distribution chart on the AI Insights page

    Check out the AI Insights page to explore the data.

  • Cloudflare Fundamentals – Introducing Markdown for Agents

    Cloudflare’s network now supports real-time content conversion at the source, for enabled zones using content negotiation headers. When AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for text/markdown in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly.

    Here is a curl example with the Accept negotiation header requesting this page from our developer documentation:

    curl https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/ \
      -H "Accept: text/markdown"

    The response to this request is now formatted in markdown:

    HTTP/2 200
    date: Wed, 11 Feb 2026 11:44:48 GMT
    content-type: text/markdown; charset=utf-8
    content-length: 2899
    vary: accept
    x-markdown-tokens: 725
    content-signal: ai-train=yes, search=yes, ai-input=yes
    ---
    title: Markdown for Agents · Cloudflare Agents docs
    ---
    ## What is Markdown for Agents
    Markdown has quickly become the lingua franca for agents and AI systems
    as a whole. The format’s explicit structure makes it ideal for AI processing,
    ultimately resulting in better results while minimizing token waste.
    ...

    Refer to our developer documentation and our blog announcement for more details.

  • Workers – Improved React Server Components support in the Cloudflare Vite plugin

    The Cloudflare Vite plugin now integrates seamlessly with @vitejs/plugin-rsc, the official Vite plugin for React Server Components.

    A childEnvironments option has been added to the plugin config to enable using multiple environments within a single Worker.
    The parent environment can then import modules from a child environment in order to access a separate module graph.
    For a typical RSC use case, the plugin might be configured as in the following example:

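    import { defineConfig } from "vite";
    import { cloudflare } from "@cloudflare/vite-plugin";

    export default defineConfig({
      plugins: [
        cloudflare({
          // The "rsc" environment is the parent; "ssr" runs as a child
          // environment inside the same Worker.
          viteEnvironment: {
            name: "rsc",
            childEnvironments: ["ssr"],
          },
        }),
      ],
    });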

    @vitejs/plugin-rsc provides the lower level functionality that frameworks, such as React Router, build upon.
    The GitHub repository includes a basic Cloudflare example.

  • WAF – WAF Release – 2026-02-10

    This week’s release changes the rule action from BLOCK to Disabled for Anomaly:Header:User-Agent – Fake Google Bot.

    • Ruleset: Cloudflare Managed Ruleset
    • Rule ID: ce11be543594412bb4bb92516aa0bef8
    • Legacy Rule ID: N/A
    • Description: Anomaly:Header:User-Agent – Fake Google Bot
    • Previous Action: Enabled
    • New Action: Disabled
    • Comments: We are changing the action for this rule from BLOCK to Disabled

  • Agents, Workers – Agents SDK v0.4.0: Readonly connections, MCP security improvements, x402 v2 migration, and custom MCP OAuth providers

    The latest release of the Agents SDK brings readonly connections, MCP protocol and security improvements, x402 payment protocol v2 migration, and the ability to customize OAuth for MCP server connections.

    Readonly connections

    Agents can now restrict WebSocket clients to read-only access, preventing them from modifying agent state. This is useful for dashboards, spectator views, or any scenario where clients should observe but not mutate.

    New hooks: shouldConnectionBeReadonly, setConnectionReadonly, isConnectionReadonly. Readonly connections block both client-side setState() and mutating @callable() methods, and the readonly flag survives hibernation.

    • JavaScript

      class MyAgent extends Agent {
        shouldConnectionBeReadonly(connection) {
          // Make spectators readonly
          return connection.url.includes("spectator");
        }
      }

    • TypeScript

      class MyAgent extends Agent {
        shouldConnectionBeReadonly(connection) {
          // Make spectators readonly
          return connection.url.includes("spectator");
        }
      }

    Custom MCP OAuth providers

    The new createMcpOAuthProvider method on the Agent class allows subclasses to override the default OAuth provider used when connecting to MCP servers. This enables custom authentication strategies such as pre-registered client credentials or mTLS, beyond the built-in dynamic client registration.

    • JavaScript

      class MyAgent extends Agent {
        createMcpOAuthProvider(callbackUrl) {
          return new MyCustomOAuthProvider(this.ctx.storage, this.name, callbackUrl);
        }
      }

    • TypeScript

      class MyAgent extends Agent {
        createMcpOAuthProvider(callbackUrl: string): AgentMcpOAuthProvider {
          return new MyCustomOAuthProvider(this.ctx.storage, this.name, callbackUrl);
        }
      }

    MCP SDK upgrade to 1.26.0

    Upgraded the MCP SDK to 1.26.0 to prevent cross-client response leakage. Stateless MCP servers should now create a new McpServer instance per request instead of sharing a single instance. This version of the MCP SDK adds a guard that prevents connecting a Server instance that has already been connected to a transport. Developers who declare their McpServer instance as a global variable will need to modify their code.
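
    Why a shared instance can hand one client's response to another, as an added example that is not code from the MCP SDK or the Agents SDK. ToyServer and every other name here are hypothetical; the guard flag models the connect check described above.

```javascript
// Simplified model, NOT the MCP SDK: ToyServer and all names are hypothetical.
// The server keeps a single transport slot and is connected once per request.
class ToyServer {
  constructor({ guard }) {
    this.guard = guard;
    this.transport = null;
  }
  connect(transport) {
    // Models the guard: refuse a second transport on a connected instance.
    if (this.guard && this.transport) {
      throw new Error("server already connected to a transport");
    }
    this.transport = transport; // unguarded: silently replaces the first client's transport
  }
  respond(request) {
    // The reply goes to whichever transport is current, not to the requester.
    this.transport.send({ id: request.id, result: `data-for-${request.user}` });
  }
}

function makeTransport() {
  const received = [];
  return { received, send: (msg) => received.push(msg) };
}

// Two requests overlap: both connect before either response is written.
function interleave(getServer) {
  const [alice, bob] = [makeTransport(), makeTransport()];
  const errors = [];
  const pending = [
    [alice, { id: 1, user: "alice" }],
    [bob, { id: 2, user: "bob" }],
  ].map(([transport, request]) => {
    try {
      const server = getServer();
      server.connect(transport);
      return () => server.respond(request);
    } catch (err) {
      errors.push(err.message);
      return () => {};
    }
  });
  pending.forEach((finish) => finish());
  return { alice: alice.received, bob: bob.received, errors };
}

// One module-level instance reused by every request (the pattern to remove).
function sharedInstance(guard) {
  const server = new ToyServer({ guard });
  return interleave(() => server);
}

// A fresh instance per request: each response stays on its own transport.
const instancePerRequest = () => interleave(() => new ToyServer({ guard: true }));
```

    With the guard off, sharedInstance(false) delivers both responses to the second client; with it on, the second connect fails instead of leaking.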

    MCP OAuth callback URL security fix

    Added callbackPath option to addMcpServer to prevent instance name leakage in MCP OAuth callback URLs. When sendIdentityOnConnect is false, callbackPath is now required — the default callback URL would expose the instance name, undermining the security intent. Also fixes callback request detection to match via the state parameter instead of a loose /callback URL substring check, enabling custom callback paths.
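
    The difference between the substring check and state-based matching, as an added example that is not the Agents SDK's implementation. The function names, host, paths and state values are constructed for illustration.

```javascript
// Added illustration, not the Agents SDK's code: function names, paths and
// state values below are constructed for this example.

// Before: any request whose URL contains "/callback" counts as an OAuth callback.
function isCallbackLoose(rawUrl) {
  return rawUrl.includes("/callback");
}

// After: a request is a callback only if its state parameter is one this
// agent issued when it started an authorization flow.
function isCallbackByState(rawUrl, issuedStates) {
  const state = new URL(rawUrl).searchParams.get("state");
  return state !== null && issuedStates.has(state);
}

// Going one step beyond the release note (an assumption of this example):
// treat each state as single-use so a replayed callback URL is not matched twice.
function consumeCallback(rawUrl, issuedStates) {
  if (!isCallbackByState(rawUrl, issuedStates)) return false;
  issuedStates.delete(new URL(rawUrl).searchParams.get("state"));
  return true;
}

// Constructed requests against a hypothetical agent host.
const SAMPLES = {
  customPath: "https://agent.example/oauth/done?code=abc&state=st_7f3a",
  appRoute: "https://agent.example/api/callback-settings?tab=general",
  unknownState: "https://agent.example/callback?code=abc&state=not-issued",
};

// Classify every sample with both checks, using one issued state.
function compare() {
  const issued = new Set(["st_7f3a"]);
  const rows = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    rows[name] = {
      loose: isCallbackLoose(url),
      byState: isCallbackByState(url, issued),
    };
  }
  return rows;
}
```

    The substring check misses the custom callback path and matches an ordinary application route; matching on an issued state value gets both right and rejects a callback carrying a state the agent never issued.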

    Deprecate onStateUpdate in favor of onStateChanged

    onStateChanged is a drop-in rename of onStateUpdate (same signature, same behavior). onStateUpdate still works but emits a one-time console warning per class. validateStateChange rejections now propagate a CF_AGENT_STATE_ERROR message back to the client.

    x402 v2 migration

    Migrated the x402 MCP payment integration from the legacy x402 package to @x402/core and @x402/evm v2.

    Breaking changes for x402 users:

    • Peer dependencies changed: replace x402 with @x402/core and @x402/evm
    • PaymentRequirements type now uses v2 fields (e.g. amount instead of maxAmountRequired)
    • X402ClientConfig.account type changed from viem.Account to ClientEvmSigner (structurally compatible with privateKeyToAccount())

    npm uninstall x402
    npm install @x402/core @x402/evm

    Network identifiers now accept both legacy names and CAIP-2 format:

    // Legacy name (auto-converted)
    {
      network: "base-sepolia",
    }

    // CAIP-2 format (preferred)
    {
      network: "eip155:84532",
    }

    Other x402 changes:

    • X402ClientConfig.network is now optional — the client auto-selects from available payment requirements
    • Server-side lazy initialization: facilitator connection is deferred until the first paid tool invocation
    • Payment tokens support both v2 (PAYMENT-SIGNATURE) and v1 (X-PAYMENT) HTTP headers
    • Added normalizeNetwork export for converting legacy network names to CAIP-2 format
    • Re-exports PaymentRequirements, PaymentRequired, Network, FacilitatorConfig, and ClientEvmSigner from agents/x402

    Other improvements

    • Fix useAgent and AgentClient crashing when using basePath routing
    • CORS handling delegated to partyserver’s native support (simpler, more reliable)
    • Client-side onStateUpdateError callback for handling rejected state updates

    Upgrade

    To update to the latest version:

    npm i agents@latest

  • Agents – Interactive browser terminals in Sandboxes

    The Sandbox SDK now supports PTY (pseudo-terminal) passthrough, enabling browser-based terminal UIs to connect to sandbox shells via WebSocket.

    sandbox.terminal(request)

    The new terminal() method proxies a WebSocket upgrade to the container’s PTY endpoint, with output buffering for replay on reconnect.

    • JavaScript

      // Worker: proxy WebSocket to container terminal
      return sandbox.terminal(request, { cols: 80, rows: 24 });

    • TypeScript

      // Worker: proxy WebSocket to container terminal
      return sandbox.terminal(request, { cols: 80, rows: 24 });

    Multiple terminals per sandbox

    Each session can have its own terminal with an isolated working directory and environment, so users can run separate shells side-by-side in the same container.

    • JavaScript

      // Multiple isolated terminals in the same sandbox
      const dev = await sandbox.getSession("dev");
      return dev.terminal(request);

    • TypeScript

      // Multiple isolated terminals in the same sandbox
      const dev = await sandbox.getSession("dev");
      return dev.terminal(request);

    xterm.js addon

    The new @cloudflare/sandbox/xterm export provides a SandboxAddon for xterm.js with automatic reconnection (exponential backoff + jitter), buffered output replay, and resize forwarding.

    • JavaScript

      import { SandboxAddon } from "@cloudflare/sandbox/xterm";

      const addon = new SandboxAddon({
        getWebSocketUrl: ({ sandboxId, origin }) =>
          `${origin}/ws/terminal?id=${sandboxId}`,
        onStateChange: (state, error) => updateUI(state),
      });
      terminal.loadAddon(addon);
      addon.connect({ sandboxId: "my-sandbox" });

    • TypeScript

      import { SandboxAddon } from "@cloudflare/sandbox/xterm";

      const addon = new SandboxAddon({
        getWebSocketUrl: ({ sandboxId, origin }) =>
          `${origin}/ws/terminal?id=${sandboxId}`,
        onStateChange: (state, error) => updateUI(state),
      });
      terminal.loadAddon(addon);
      addon.connect({ sandboxId: "my-sandbox" });

    Upgrade

    To update to the latest version:

    npm i @cloudflare/sandbox@latest