Commit f890928

ai controls
1 parent 9bf4358 commit f890928

11 files changed

+16
-12
lines changed

public/__redirects

Lines changed: 3 additions & 0 deletions
@@ -2398,6 +2398,9 @@
23982398
/cloudflare-one/identity/authorization-cookie/application-token/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/ 301
23992399
/cloudflare-one/identity/authorization-cookie/cors/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/ 301
24002400
/cloudflare-one/identity/service-tokens/ /cloudflare-one/access-controls/service-credentials/service-tokens/ 301
2401+
/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/ /cloudflare-one/access-controls/ai-controls/mcp-portals/ 301
2402+
/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/ /cloudflare-one/access-controls/ai-controls/saas-mcp/ 031
2403+
/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/ /cloudflare-one/access-controls/ai-controls/linked-apps/ 301
24012404
/cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
24022405
/cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
24032406
/cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
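Review bot: The rule added at new line 2402 for /cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/ ends in status 031, while the two rules added next to it and every context line use 301. 031 is not a valid HTTP redirect status, so this looks like a transposed digit; change it to 301 so the old saas-mcp URL, which documents configuring Access as the server's OAuth provider, keeps resolving.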

src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@ products:
88

99
You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/).
1010

11-
[Self-hosted applications](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
11+
[Self-hosted applications](/cloudflare-one/access-controls/ai-controls/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
1212

1313
For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.
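Review bot: The link on line 11 moves off /cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps/, but the three rules this commit adds to public/__redirects all use /cloudflare-one/applications/configure-apps/mcp-servers/... as their source. Confirm that an existing rule covers the .../http-apps/mcp-servers/ prefix, or add one alongside the new rules, so that bookmarks and external links to the path replaced here do not break.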

src/content/changelog/access/2025-08-26-mcp-server-portals.mdx

Lines changed: 1 addition & 1 deletion
@@ -8,7 +8,7 @@ products:
88

99
![MCP server portal](~/assets/images/changelog/access/mcp-server-portal.png)
1010

11-
An [MCP server portal](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
11+
An [MCP server portal](/cloudflare-one/access-controls/ai-controls/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
1212

1313
- **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
1414
- **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.

src/content/docs/agents/model-context-protocol/authorization.mdx

Lines changed: 1 addition & 1 deletion
@@ -81,7 +81,7 @@ Remember — [authentication is different from authorization](https://www.cloud
8181

8282
You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/access-controls/policies/).
8383

84-
To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
84+
To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/ai-controls/saas-mcp/).
8585

8686
### (3) Third-party OAuth Provider
8787

src/content/docs/agents/model-context-protocol/mcp-portal.mdx

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ tags:
55
- MCP
66
sidebar:
77
order: 101
8-
external_link: /cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/
8+
external_link: /cloudflare-one/access-controls/ai-controls/mcp-portals/
99
description: Centralize multiple MCP servers onto a single endpoint and customize the tools, prompts, and resources available to users.
1010

1111
---
Lines changed: 3 additions & 2 deletions
@@ -1,6 +1,6 @@
11
---
22
pcx_content_type: navigation
3-
title: MCP servers
3+
title: AI controls
44
sidebar:
55
order: 3
66
group:
@@ -9,4 +9,5 @@ sidebar:
99

1010
import { DirectoryListing } from "~/components";
1111

12-
<DirectoryListing />
12+
<DirectoryListing />
13+
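Review bot: Line 12 is removed and re-added with the same visible text and an empty line 13 is appended, so this hunk is a whitespace-only change at the end of the file. If the goal is to add a missing final newline, a single newline after `<DirectoryListing />` is enough; otherwise drop the hunk so the diff for this file shows only the title rename.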
Lines changed: 2 additions & 2 deletions
@@ -10,7 +10,7 @@ sidebar:
1010

1111
import { Render, GlossaryTooltip, APIRequest } from "~/components";
1212

13-
Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
13+
Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/ai-controls/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
1414

1515
For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an <GlossaryTooltip term="MCP client">MCP client</GlossaryTooltip>.
1616

@@ -44,7 +44,7 @@ This guide covers how to use the Cloudflare API to link a self-hosted applicatio
4444

4545
## 1. Secure the MCP server with Access for SaaS
4646

47-
The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
47+
The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/ai-controls/saas-mcp/).
4848

4949
## 2. Get the SaaS application ID
5050

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ To add an MCP server:
4141
7. Add [Access policies](/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals.
4242

4343
:::caution
44-
Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
44+
Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/ai-controls/saas-mcp/).
4545
:::
4646

4747
8. Select **Save and connect server**.

src/content/docs/cloudflare-one/access-controls/applications/http-apps/index.mdx

Lines changed: 1 addition & 1 deletion
@@ -19,6 +19,6 @@ You can protect the following types of web applications:
1919
- [**Public hostname applications**](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
2020
- [**Private network applications**](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).
2121

22-
- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
22+
- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/ai-controls/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
2323

2424
- [**Cloudflare Dashboard SSO**](/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
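Review bot: On line 22 the link text still reads "Model Context Protocol (MCP) servers" but the target is now /cloudflare-one/access-controls/ai-controls/, a section this commit retitles from "MCP servers" to "AI controls" and moves out of http-apps. Consider rewording the bullet to say that MCP servers are covered under AI controls, or moving it out of this list of http-apps application types, so the label matches the page the reader lands on.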
