draft portal UI

ranbel · ranbel · commit 266648bbc883 · 2025-08-20T17:55:20.000-04:00
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals.mdx
@@ -6,23 +6,110 @@ tags:
 sidebar:
   order: 1
   label: MCP server portals
+  badge:
+    text: Beta
 ---
 
 import { Render, GlossaryTooltip } from "~/components"
 
-An MCP server portal centralizes multiple [Model Context Protocol (MCP) servers](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) and their tools onto a single HTTP endpoint. Key benefits include:
+An MCP server portal centralizes multiple [Model Context Protocol (MCP) servers](https://www.cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) onto a single HTTP endpoint. Key benefits include:
 
-- **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers (such as the [Cloudflare Documentation MCP server](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/docs-vectorize)) as well as MCP servers secured using any [third-party or custom OAuth provider](/agents/model-context-protocol/authorization/). Users log in to the portal through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
+- **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers (such as the [Cloudflare Documentation MCP server](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/docs-vectorize)) as well as MCP servers secured using any [third-party or custom OAuth provider](/agents/model-context-protocol/authorization/). Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
 
-- **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools that they want to make available to users through the portal. This allows users to access a curated set of tools from a single URL — the less tools available to an LLM model, the smaller the context window and the better the AI responses tend to be.
+- **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
 
 - **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the individual prompts and responses made using the tools in the portal.
 
 ## Prerequisites
 
-- Add an [identity provider](/cloudflare-one/identity/idp-integration/) to Cloudflare Zero Trust
-
-## Create an MCP server portal
+- An [active domain on Cloudflare](/fundamentals/manage-domains/add-site/)
+- Domain uses either a [full setup](/dns/zone-setups/full-setup/) or a [partial (`CNAME`) setup](/dns/zone-setups/partial-setup/)
+- An [identity provider](/cloudflare-one/identity/idp-integration/) configured on Cloudflare Zero Trust
 
 ## Add an MCP server
 
+Add individual MCP servers to Cloudflare Access to bring them under centralized management.
+
+To add an MCP server:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications** > **AI controls**.
+2. Select the **MCP servers** tab.
+3. Select **Add an MCP server**.
+4. Enter any name for the server.
+5. (Optional) Enter a custom string for the **Server ID**.
+6. In **HTTP URL**, enter the full URL of your MCP server. For example, if you want to add the [Cloudflare Documentation MCP server](https://github.com/cloudflare/mcp-server-cloudflare/tree/main/apps/docs-vectorize), enter `https://docs.mcp.cloudflare.com/sse`.
+7. Add [Access policies](/cloudflare-one/policies/access/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Blocked users will not see the server in their portal.
+
+	:::note
+	Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
+	:::
+8. Select **Add server**.
+9. If the MCP server supports OAuth, you will be redirected to log in to your OAuth provider. You can log in to any account on the MCP server.
+
+Cloudflare Access will validate the server connection and fetch a list of tools and prompts. Once the server is successfully connected, the [server status](#server-status) will change to **Ready**. You can now add the MCP server to an [MCP server portal](#create-a-portal).
+
+### Server status
+
+The MCP server status indicates the connectivity status of the MCP server to Cloudflare Access.
+
+| Status | Description |
+| ------ | ----------- |
+| Unknown | ?|
+| Inactive | ?|
+| Waiting | ?|
+| Ready | ?|
+
+### Refresh the MCP server
+
+If your MCP server updates its tools and prompts, you can instruct Cloudflare Access to refresh the server profile in Zero Trust:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications** > **AI controls**.
+2. Select the **MCP servers** tab and find the server that you want to refresh.
+3. Select the three dots > **Sync capabilities**.
+
+The MCP server page will show the updated list of tools and prompts. New tools and prompts are automatically enabled in the MCP server portal.
+
+## Create a portal
+
+To create an MCP server portal:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications** > **AI controls**.
+2. Select **Add an MCP server portal**.
+3. Enter any name for the portal.
+4. Under **Custom domain**, select a domain for the portal URL. Domains must belong to an active zone in your Cloudflare account. You can optionally specify a subdomain.
+5. [Add MCP servers](#add-an-mcp-server) to the portal.
+6. Add [Access policies](/cloudflare-one/policies/access/) to define the users who can connect to the portal URL.
+7. Select **Add an MCP server portal**.
+8. (Optional) [Customize the login experience](#customize-login-settings) for the portal.
+
+Users can now [connect to the portal](#connect-to-a-portal) at `https//<subdomain>.<domain>/sse` using an MCP client.
+
+### Customize login settings
+
+Cloudflare Access automatically creates an Access application for each MCP server portal. You can customize the portal login experience by updating Access application settings:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**.
+2. Find the portal that you want to configure, then select the three dots > **Edit**.
+3. To configure identity providers for the portal:
+	1. Select the **Login methods** tab.
+	2. Select the [identity providers](/cloudflare-one/identity/idp-integration/) that you want to enable for your application.
+	3. (Recommended) If you plan to only allow access via a single identity provider, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.
+4. To customize the block page:
+	1. Select the **Experience settings** tab.
+	2. <Render file="access/access-block-page" product="cloudflare-one" />
+5. Select **Save application**.
+
+## Connect to a portal
+
+Users can connect to your MCP server running at `https//<subdomain>.<domain>/sse` using [Workers AI Playground](https://playground.ai.cloudflare.com/), [MCP inspector](https://github.com/modelcontextprotocol/inspector), or [other MCP clients](/agents/guides/remote-mcp-server/#connect-your-mcp-server-to-claude-and-other-mcp-clients) that support remote MCP servers.
+
+To test in Workers AI Playground:
+
+1. Go to [Workers AI Playground](https://playground.ai.cloudflare.com/).
+2. Under **MCP Servers**, enter `https//<subdomain>.<domain>/sse` for the portal URL.
+3. Select **Connect**.
+4. A popup window will appear requesting access to the MCP server portal. Select **Approve**.
+5. Follow the prompts to log in to your Cloudflare Access identity provider.
+6. ?? How do you log in to the individual MCP servers in the portal?
+
+Workers AI Playground will show a **Connected** status.
diff --git a/src/content/glossary/cloudflare-one.yaml b/src/content/glossary/cloudflare-one.yaml
@@ -129,7 +129,7 @@ entries:
 
   - term: MCP server portal
     general_definition: |-
-      a web application in Cloudflare Zero Trust that serves as a single entry point to multiple MCP servers and tools.
+      a web application in Cloudflare Zero Trust that serves as a gateway to multiple MCP servers.
 
   - term: MCP server tool
     general_definition: |-
