A developer builds a secure AI agent on Alibaba Cloud Bailian that accesses Notion data via MCP tools authenticated through IDaaS keyless OIDC, then deploys a Cloudflare Worker as an edge-facing API gateway that handles end-user authentication, rate limiting, and geographic routing to the Bailian agent backend.
# Bailian Notion Agent Behind Cloudflare Edge Gateway
Use this workflow when you need a globally distributed, low-latency AI agent that securely reads/writes Notion workspaces without exposing backend credentials. The Cloudflare Worker acts as a zero-trust edge gateway handling user auth and traffic shaping, while Alibaba Cloud Bailian executes AI logic and IDaaS manages credential-less machine-to-machine authentication.
NOTION_API_KEY and grant access via ••• → Add connections on your target database.CLIENT_ID, ISSUER_URL, and AUDIENCE. The token endpoint will be POST https://<tenant>.idaas.aliyuncs.com/oauth2/token.https://api.notion.com/v1/databases/{id}/query) and inject IDaaS variables: IDAAS_CLIENT_ID, IDAAS_ISSUER, NOTION_API_KEY.npx wrangler init notion-edge-gateway. In wrangler.toml, define routing vars:``toml name = "notion-edge-gateway" compatibility_date = "2024-01-01" [vars] BAILIAN_ENDPOINT = "https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions" ``
src/index.ts, verify JWTs against IDaaS JWKS, apply Cloudflare Rate Limiting, and route by geography:``ts export default { async fetch(req, env, ctx) { const token = req.headers.get("Authorization")?.split(" ")[1]; if (!await verifyOIDC(token, env.IDAAS_JWKS_URL)) return new Response("401", { status: 401 }); const region = req.cf?.country === "CN" ? env.BAILIAN_ENDPOINT : env.BAILIAN_FALLBACK; return fetch(region, { method: "POST", headers: req.headers, body: req.body }); } } ``
npx wrangler secret put NOTION_API_KEY and npx wrangler secret put IDAAS_CLIENT_SECRET. Deploy via npx wrangler deploy.End-users request *.workers.dev. The Cloudflare Worker validates JWTs via IDaaS JWKS, enforces rate limits, and proxies traffic to the Bailian agent based on request.cf.country. Bailian executes AI prompts, dynamically invoking Notion MCP tools. Instead of static keys, Bailian exchanges IDaaS OIDC credentials for short-lived access tokens to query Notion. Responses traverse back through the Worker to the client.
NOTION_API_KEY) and target DATABASE_IDwrangler CLI installedOrigin by default. Explicitly return Access-Control-Allow-Origin: * in preflight handlers.429 drops.request.cf is undefined in wrangler dev. Mock cf.country in wrangler.toml [dev.vars] for testing.Q: How do I deploy a Bailian Notion AI agent behind a Cloudflare edge gateway? A: You can deploy a Bailian Notion AI agent behind a Cloudflare edge gateway by using a Cloudflare Worker as an API gateway that routes requests to your Bailian backend. The Cloudflare Worker handles end-user authentication, rate limiting, and geographic routing, while the Bailian agent securely accesses Notion data via MCP tools authenticated through IDaaS keyless OIDC.