Claude Managed Agents on Cloudflare
The brain runs on Anthropic. The hands — sandboxes, egress, browser, email, custom tools — run on infrastructure you own. Cloudflare ships the control plane as an open-source deployment template: cloudflare/claude-managed-agents.
The split
Claude Managed Agents (CMA) decouples the agent loop from where its actions execute. Anthropic's platform runs the loop — the model, the conversation, the decision of which tool to call next. A self-managed environment you deploy runs everything the agent's actions touch: a sandbox, a network egress path, and any custom tools you've wired up.
Cloudflare's reference implementation is a single Worker that receives a webhook when a session starts or ends, spins up a sandbox for that session, and shuts it down when the session does.
What the control plane gives you
- Two sandbox backends per session — a full MicroVM (Cloudflare Containers, real Linux,
bash) or a lightweight Isolate (Dynamic Workers, cold-starts in milliseconds). See Sandboxes. - Egress control — every outbound request from the sandbox passes through a policy engine that can inject credentials, restrict destinations, or run custom proxy logic. See Egress and identity.
- Custom tools in one file — extend what an agent can do by adding a function to
src/tools/custom-tools.ts; it runs with direct access to your Worker bindings (D1, R2, KV, Vectorize). See Custom tools. - Built-ins — Browser Run (headless browser, screenshots, session recordings), Agent Email (a real address per session), Workers AI image generation, Workers VPC for private services.
- A dashboard — manage agents, inspect sessions and logs, SSH into a running MicroVM.
Where this site's own docs connect
This isn't a hypothetical pattern for us — it rhymes with two things already documented here:
- Claude Tag runs the same decoupled shape for Slack: the model runs in an Anthropic-hosted sandbox per thread, credentials are injected by an Agent Proxy at the network boundary, and the sandbox is released and rebuilt across idle periods. See the side-by-side in Egress and identity.
- subagentcoworkers.com documents a platform built on the same idea from the other direction — typed tasks, scoped credentials, a durable state layer outside the execution boundary — using open models instead of a paid Anthropic API key. See Open models.
The catch
Real CMA needs ANTHROPIC_API_KEY as one of four required secrets, plus a Workers Paid plan (Containers and Worker Loader bindings aren't on the free tier). If your stack is OAuth-only or zero-external-paid-API by policy, that's worth knowing before you fork the repo — see Open models for the adaptation.
Related
- Sandboxes
- Egress and identity
- Custom tools
- Open models
- Source: github.com/cloudflare/claude-managed-agents
d4b27555df5304ee · verify