Skip to content
Effloow
← Back to Articles
ARTICLES ·2026-05-17 ·BY EFFLOOW CONTENT FACTORY

Cloudflare + Stripe Machine Payments Protocol: Agents Own Their Stack

Cloudflare and Stripe launched MPP in April 2026: AI agents can now create accounts, buy domains, and deploy Workers autonomously. Here is how the protocol works.
cloudflare stripe ai-agents infrastructure-automation machine-payments-protocol agentic-deployment
SHARE
Cloudflare + Stripe Machine Payments Protocol: Agents Own Their Stack

On April 30, 2026, Cloudflare and Stripe jointly announced the Machine Payments Protocol (MPP) — a new open protocol that lets AI agents provision Cloudflare accounts, register domains, and deploy applications without any manual human steps beyond accepting terms of service.

This is not a gimmick demo. The protocol is in open beta, built on OAuth + OIDC + x402 (HTTP 402 Payment Required), and already includes integrations from Vercel, Supabase, Clerk, PostHog, Sentry, PlanetScale, and Inngest at launch.

This article walks through the architecture, the API flow, and what the code actually looks like.

What the Protocol Solves

The traditional agentic deployment problem: an AI agent can write production-ready code, but to deploy it, a human still needs to create accounts, add payment methods, configure DNS, and manage API tokens. Every cloud provider had a different setup flow — and none of them were designed for machines as the user.

MPP standardizes this into three layers: discovery, authorization, and payment.

Three-Layer Architecture

1. Discovery: The Catalog API

Each provider publishes a JSON catalog describing what an agent can buy and at what price:

GET https://api.cloudflare.com/client/v4/stripe/catalog

The response looks like this:

[
  {
    "provider": "cloudflare",
    "service": "account",
    "description": "Create a Cloudflare account",
    "price_per_month": 0,
    "requires_payment_method": true
  },
  {
    "provider": "cloudflare",
    "service": "registrar:domain",
    "description": "Register a .com/.dev domain at cost",
    "price_per_month": "variable",
    "requires_payment_method": true
  },
  {
    "provider": "cloudflare",
    "service": "workers",
    "description": "Deploy a Cloudflare Worker",
    "price_per_month": 0,
    "free_tier": "100k requests/day"
  }
]

2. Authorization: OAuth-Scoped Identity

The agent does not use raw API keys. It operates under a delegated identity scoped to a Stripe Project — which acts as the payer identity. The Stripe Project itself is the authorization boundary; the agent is a sub-identity with scoped permissions.

This is closer to OAuth impersonation than a service account model. The key distinction: the payment rail is part of the identity scope, not a separate credential.

3. Payment: Tokenization with Caps

Payment is handled through Stripe tokenization. The default cap is $100/month per provider per project, configurable from the Stripe Projects dashboard. Stripe Projects is currently in open beta.

The Full Flow: From Zero to Live URL in 90 Seconds

The official Cloudflare demo shows this sequence:

# User sets up once
stripe projects init

# Agent takes over from here
stripe projects catalog
# → Returns list of available services

stripe projects add cloudflare/account
# → Cloudflare creates account, returns OAuth token

stripe projects add cloudflare/registrar:domain --name myproject.dev
# → Domain registered and DNS configured

# Agent deploys using the returned OAuth token
wrangler deploy --token $CLOUDFLARE_OAUTH_TOKEN
# → Worker live at myproject.dev

End-to-end, in the Cloudflare demo: approximately 90 seconds from invocation to live URL.

The human is only needed once: accepting Cloudflare's Terms of Service (a legal requirement that cannot be automated away) and optionally adding a payment method to the Stripe Project. After that, agents can provision indefinitely within the spending cap.

What the Identity Model Actually Means

There is a subtle but important distinction between MPP and previous "agent with API keys" approaches.

Old approach MPP
Agent holds a static API key Agent operates under a dynamic OAuth token
Key has broad account access Token is scoped to the Stripe Project
Rotation is manual Token lifecycle managed by Stripe
No spend tracking Spend caps per provider built in
One leaked key = full account compromise Leaked token = scoped to project + capped spend

The security model is meaningfully better. The $100/month default cap means a compromised agent cannot run up an unlimited cloud bill — which was a real attack surface in the older API-key-based agentic patterns.

Cloudflare Registrar API (Separate Feature, Same Week)

Alongside MPP, Cloudflare separately launched the Registrar API in beta — letting developers and agents search, check availability, and register domains programmatically without going through the dashboard. This is distinct from the MPP flow but designed to work with it.

# Direct Registrar API (no Stripe Projects required)
curl -X POST "https://api.cloudflare.com/client/v4/registrar/domains" \
  -H "Authorization: Bearer $CF_TOKEN" \
  -d '{"name": "myproject.dev", "auto_renew": true}'

Launch Partners

At launch, MPP integrations are available from:

  • Cloudflare (accounts, domains, Workers, R2, KV)
  • Vercel (project creation, deployments)
  • Supabase (database provisioning)
  • Clerk (auth setup)
  • PostHog (analytics setup)
  • Sentry (error tracking)
  • PlanetScale (database)
  • Inngest (workflow automation)

The fact that these are all popular developer-tool SaaS companies — not just Cloudflare properties — suggests the protocol is designed for adoption across the ecosystem.

What Agents Can Do Today vs. What Still Needs a Human

Agents can do:

  • Create new Cloudflare accounts
  • Start paid subscriptions within the spending cap
  • Register domain names
  • Deploy Workers, configure DNS
  • All of the above for the eight launch partners

Still requires a human:

  • Accepting Terms of Service (once, per provider)
  • Adding a payment method to the Stripe Project (once)
  • Raising the $100/month default spending cap

The Bigger Picture

MPP arrives at a moment when the "autonomous coding agent" story is hitting a structural limit. Agents can write and test code locally, but the actual "ship to production" step still requires human infrastructure setup. MPP directly addresses this gap.

Cloudflare's concurrent announcement that they are offering $100,000 in credits to new startups incorporating using Cloudflare Registrar suggests they are betting that agents will become a significant source of new account creation — not just a convenience feature for existing users.

For developers building agents that need to provision infrastructure on behalf of end users (SaaS builders, AI-powered app generators, multi-tenant automation tools), MPP is worth evaluating now. The beta is open. The protocol is documented. The eight launch partners cover a large fraction of the typical startup stack.

Getting Started

Stripe Projects is in open beta. To try it:

  1. Install the Stripe CLI and apply for beta access at stripe.com/projects
  2. Run stripe projects init to create a project and link your payment method
  3. Run stripe projects catalog to see available providers
  4. Tell your agent to use stripe projects add <provider>/<service>

Cloudflare's full agent provisioning docs are at developers.cloudflare.com/agents.

Sources:

Need content like this
for your blog?

We run AI-powered technical blogs. Start with a free 3-article pilot.

Learn more →

More in Articles

2026-05-13
Cloudflare Project Think: Durable Agent Runtime Guide
Read →
2026-05-08
Cloudflare Dynamic Workers: V8 Sandbox for AI Agent Code
Read →
2026-05-07
Cloudflare Code Mode MCP: Entire API in 1,000 Tokens
Read →
2026-05-07
MCP Code Execution: Build Token-Efficient AI Agents
Read →

Stay in the loop.

One dispatch every Friday. New articles, tool releases, and a short note from the editor.

Get weekly AI tool reviews & automation tips

Join our newsletter. No spam, unsubscribe anytime.