Dynamic Workers let you spin up a fresh, isolated Worker at runtime to execute code you do not trust. Think of it as a sandbox: arbitrary code goes in, runs in a contained environment, and you control exactly what it can see and reach.
The headline use cases Cloudflare ships it for:
This is the question that came up on the Khadija thread. All three products touch "controlling what something can reach," but they solve different problems.
| What the customer is doing | Use this |
|---|---|
| Employees using ChatGPT, Claude.ai, Copilot in the browser; we want to block or audit some of that | Zero Trust Gateway (SWG) |
| Our app calls Anthropic/OpenAI APIs and we want caching, rate limiting, cost visibility, fallback to a second provider | AI Gateway |
| Our agents run code we did not write (LLM-generated, customer-uploaded) and we need that code sandboxed and locked down on what it can call out to | Dynamic Workers |
| Multiple of the above | Combine them. Gateway for employees, AI Gateway for app-to-LLM, Dynamic Workers for the agent sandbox |
This is what we tell a technical buyer who asks "how do you actually stop the sandboxed code from reaching the internet?"
Three options, ordered from most restrictive to most flexible:
Set globalOutbound: null when loading the dynamic Worker. Every fetch() and connect() call inside the sandbox throws an exception. The agent has zero internet access. You then hand it specific capabilities via bindings — "you can post to this chat room, you can read from this KV namespace, that is all you can do."
const worker = env.LOADER.get("agent-1", async () => ({
mainModule: "agent.js",
modules: { "agent.js": code },
globalOutbound: null, // block everything
env: {
CHAT_ROOM: chatRoomStub, // explicit capability
},
}));
Define a WorkerEntrypoint class in the loader that acts as a gateway. Every outbound request the sandbox makes routes through that class first. You inspect, allow, block, modify, or inject credentials.
export class HttpGateway extends WorkerEntrypoint {
async fetch(request) {
const url = new URL(request.url);
if (url.hostname !== "api.openai.com") {
return new Response("blocked", { status: 403 });
}
// Inject API key here — sandbox never sees it
const headers = new Headers(request.headers);
headers.set("Authorization", `Bearer ${this.env.OPENAI_API_KEY}`);
return fetch(request, { headers });
}
}
// In the loader:
globalOutbound: ctx.exports.HttpGateway(),
fetch() to work) and you want allow-list policy. This is what the live demo does.One HttpGateway class, many sandboxes, each with their own credentials. Pass props when you create the stub, gateway reads them via this.ctx.props.
// Per-tenant gateway
globalOutbound: ctx.exports.HttpGateway({
props: { tenantId: "acme", apiKey: ACME_KEY },
}),
Dynamic Workers is a strong fit. The agent loop ends with "execute this code." You don't want that code to have shell access to your servers. Sandbox it, allow it to call back to your LLM for next steps, block everything else.
Dynamic Workers with custom bindings. You expose this.env.SLACK and this.env.SALESFORCE capabilities. The customer's automation code calls those methods. Your loader Worker holds the OAuth tokens, the customer's code never sees them.
Classic Dynamic Workers play. Each user message that triggers a code execution spins up a fresh sandbox. Per the docs, can save up to 80% in LLM token cost vs streaming data through the model.
Not Dynamic Workers. This is Zero Trust Gateway. Set an HTTP policy that blocks claude.ai by category or hostname. Done.
developers.cloudflare.com/dynamic-workers/. The binding type worker_loader is supported natively in wrangler 4.88+.WorkerEntrypoint class. It is maybe 30 lines of code.limits: { cpuMs: 5000, subRequests: 10 } per invocation. Otherwise one bad agent can chew through the account quota.developers.cloudflare.com/dynamic-workers/developers.cloudflare.com/dynamic-workers/usage/egress-control/developers.cloudflare.com/dynamic-workers/usage/bindings/developers.cloudflare.com/dynamic-workers/usage/limits/github.com/cloudflare/agents/tree/main/examples/dynamic-workers-playground