A demo agent answers a prompt. A production agent remembers, retries, acts on tools, waits for a human, and survives a restart. We build the second kind — on the agentic cloud, with the primitives that handle the hard parts natively.
If even a fraction of knowledge workers each run several agents in parallel, you need compute for tens of millions of simultaneous sessions. Stateless functions have no GPU, no persistent per-instance memory, and a hard timeout — so you bolt on a database, a queue, a scheduler, and a session store. Cloudflare's stateful-serverless model gives each agent its own durable micro-server, with no idle cost.
Lambda-style request/response. No GPU. No per-instance state. 900-second cap. You assemble a database, a queue, a cron service, a session store, and a vector DB — then operate all of it. The agent is the glue between five systems you maintain.
Each agent instance is a stateful micro-server with its own embedded SQL, WebSockets, and scheduling. It hibernates when idle (costs nothing), wakes on an event, and resumes exactly where it left off. The data tier, queue, and scheduler collapse into the agent itself.
Every model call an agent makes flows through one named, observable path. Watch a single request travel the layers — each is a first-party Cloudflare primitive, not a system you stand up and operate.
A request enters through identity, routes through the gateway, infers, calls tools, acts in a sandbox, and is wrapped in durable execution end to end. Tap any layer.
Most agent projects don't fail on model quality. They fail on reliability, state, and scope. Cloudflare's stack maps to each requirement natively — that mapping is the whole argument.
Survives restarts, deploys, and failures. Per-agent SQL inside a Durable Object.
Agents SDK · DOAutomatic, idempotent, step-level. Resume from the last successful checkpoint.
Workflows V2Logs, traces, token + cost analytics on every inference, in one place.
AI GatewayScale-to-zero, caching, rate limits, budget caps. No idle GPU spend.
Workers AI · GatewayApproval gates for high-stakes actions — wait hours or days for a person.
step.waitForEventScoped OAuth, least privilege, egress control. The agent never sees the token.
Mesh · OAuth · egress proxyContent moderation and a defined task boundary. An agent that can do anything is an agent you can't ship. Bounded scope is the difference between a tool and a liability.
Gateway GuardrailsAgent = Durable Object. Per-agent state, WebSockets, scheduling, and now long-running sessions without eviction.
Durable stateDurable execution — 50K concurrency, 300 creates/sec, step checkpoints, sleep to one year, human-in-the-loop.
Error recovery + HITLServerless GPU. Unified env.AI.run() binding — 70+ models across 12+ providers, multimodal, one line to switch.
The inference layer for agents — observability, caching, unified billing, cross-provider failover, streaming resilience.
Observability + costMcpAgent on Durable Objects, workers-oauth-provider, MCP Server Portals, Code Mode for token efficiency.
Tool layer + securityThe web action layer — 120 concurrent browsers, Live View, human-in-the-loop, CDP, WebMCP, session recordings.
Act · webIsolated Linux computer per agent, or a millisecond isolate for snippets. Per-app DBs via DO Facets.
Act · codeManaged persistent memory that gets smarter over time, plus hybrid-retrieval RAG created dynamically per agent.
Memory + groundingCloudflare Mesh + Workers VPC, Managed OAuth (RFC 9728), resource-scoped permissions, sandbox egress proxy.
Guardrails + scope// Supporting: Durable Objects · Vectorize · R2 · D1 · KV · Queues. Multi-channel add-ons: Voice (experimental), Email (beta). Preview/beta status verified against Agents Week 2026 — re-checked at each engagement.
"The one-app-serves-many-users model the cloud was built on doesn't work for tens of millions of simultaneous agent sessions."
— Cloudflare CTO Dane Knecht & VP Product Rita Kozlov, Agents Week 2026. Each lit cell is an agent waking, acting, and hibernating independently — one Durable Object apiece, scale-to-zero.
The market data isn't an argument against agents. It's an argument for building them bounded, durable, and observable — which is exactly what the production stack provides, and exactly what a flashy demo that can't survive a restart never will.
// The honest caveat: Cloudflare is vendor concentration — Durable Objects have no drop-in equivalent on AWS or GCP today. For most commercial workloads that isn't a real constraint; where it is, we keep the application logic and data model portable and say so up front.
The same agentic-cloud primitives power real-time voice and SMS. Our telephony agent answers calls 24/7 — it qualifies a project, answers pricing, routes to a human, or books a call. Real-time STT + TTS over WebSockets on the Agents SDK, with durable per-call state. Call it and hear a bounded, durable agent in production.
The full Cloudflare agent stack, layer by layer — durable state, execution, tools, memory, and the honest trade-offs.
How to build and host production AI agents on Cloudflare — durable state, durable execution, tools, and inference, mapped to a nine-part stack.
Start with the complete-stack guide, then go deep on each layer.
MCP — the Model Context Protocol, originated by Anthropic — is the standard way an agent connects to your tools and data through one authenticated surface instead of bespoke glue per integration. It matters because it makes the agent-to-system link governable: scoped access, least privilege, and one place to audit what the agent can reach.
It's not framework versus framework — it's hosting. LangGraph is solid orchestration, but you still bring your own runtime, durable state, scheduler, scaling, and ops. The Agents SDK makes each agent a Durable Object with state and lifecycle built in, so the production hardening LangGraph leaves to you is already handled.
Seven things: durable state, error recovery and retries, observability, cost control, human-in-the-loop gates, tool security, and bounded scope. A demo answers a prompt; a production agent remembers, retries, acts on tools, waits for a person, and survives a restart. We build those in from day one, not after the demo impresses.
Yes — that is what the MCP tool layer is for. The agent calls your CRM, database, internal APIs, or third-party services through scoped, authenticated tool surfaces, with credentials held at the edge so the agent never sees a token. You keep your systems; the agent gets least-privilege access to exactly what its task requires.
Managed OAuth (RFC 9728) authenticates the agent on the user’s behalf — no insecure service accounts. Tools run behind scoped, least-privilege permissions; code executes in egress-proxied sandboxes; and every inference and tool call is logged through AI Gateway. An agent that can do anything is a liability, so bounded scope is part of the design.
A working call, not a discovery call. You bring one process. We come with a working hypothesis on the architecture, the primitives it maps to, and a fixed-scope, 90-day ballpark. No SDR. No drip campaign.
