From fastly-agent-toolkit
Executes Fastly CLI commands to manage CDN services, deploy Compute apps, configure backends/domains/VCL/logging/TLS/KV stores, purge cache, and check stats. Use for Fastly service CRUD and edge tasks.
npx claudepluginhub fastly/fastly-agent-toolkit --plugin fastly-agent-toolkitThis skill uses the workspace's default tool permissions.
CRITICAL: many subcommands have unintuitive paths (e.g. `fastly domain create` fails with 403, correct is `fastly service domain create`; logging is under `fastly service logging`; alerts under `fastly service alert`; rate limits under `fastly service rate-limit`).
Configures, manages, and debugs Fastly CDN platform including service/backend setup, caching/VCL, security (DDoS/WAF/NGWAF/rate limiting/bot management), TLS certificates, cache purging, Compute, and REST API. For Fastly services, edge caching, security, API calls, and troubleshooting.
Guides Cloudflare platform development: Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), feature flags (Flagship), networking (Tunnel, Spectrum), security (WAF, DDoS), IaC (Terraform, Pulumi). Prioritizes docs retrieval.
Deploys and manages Cloudflare Workers, KV Storage, R2 buckets, Pages projects, DNS records, and routes via API. Validates credentials and extracts deployment URLs for service setup.
Share bugs, ideas, or general feedback.
CRITICAL: many subcommands have unintuitive paths (e.g. fastly domain create fails with 403, correct is fastly service domain create; logging is under fastly service logging; alerts under fastly service alert; rate limits under fastly service rate-limit).
Covers: services, backends, domains, VCL snippets, cache purging, Compute/WASM deploys, log streaming (S3/Datadog/Splunk/Kafka/25+ providers), NGWAF/WAF, TLS/mTLS, KV/config/secret stores, stats, alerts, rate limiting, ACLs, and auth tokens.
| Topic | File | Use when... |
|---|---|---|
| Authentication | auth.md | Login, stored tokens, service auth, CI/CD auth setup |
| Compute | compute.md | Building/deploying edge applications, local dev server |
| Services | services.md | Service CRUD, backends, domains, ACLs, dictionaries, VCL, purging, rate limiting |
| Logging | logging.md | Log streaming to S3, GCS, Datadog, Splunk, Kafka, 25+ providers |
| NGWAF | ngwaf.md | Next-Gen WAF workspaces, IP/country lists, rules, signals, thresholds, alerts |
| Stats | stats.md | Historical/real-time metrics, cache hit ratios, error rates, bandwidth, regional traffic |
| Stores | stores.md | KV Stores, Config Stores, Secret Stores, resource links |
| TLS | tls.md | Platform TLS, Let's Encrypt subscriptions, custom certs, mutual TLS |
fastly <command> <subcommand> [flags]
| Category | Commands |
|---|---|
| Compute | compute - Build and deploy edge applications |
| Services | service - Manage CDN services, logging, backends, VCL, ACLs, purging |
| Security | ngwaf - Web application firewall |
| TLS | tls-subscription, tls-custom, tls-platform, tls-config - Certificate management |
| Storage | kv-store, config-store, secret-store - Edge data stores |
| Auth | auth - Login, stored tokens, active token output, revocation; auth-token (deprecated) |
| Info | stats, ip-list, pops, whoami - Information queries |
| Other | dashboard, domain, products, object-storage, tools |
Available on most commands:
# Service targeting
--service-id SERVICE_ID # Target service by ID
--service-name NAME # Target service by name
-s SERVICE_ID # Short form
# Version targeting (version-scoped commands like `fastly service domain/backend/...`)
# NOTE: `fastly domain create` does NOT accept --version (it uses a different API)
--version VERSION # Specific version number
--version active # Currently active version
--version latest # Most recent version
# Authentication
--token TOKEN # API token or stored token name (use 'default' for default)
# Output (--json is per-command, not global)
--verbose # Detailed output
--quiet # Minimal output
# Automation
--accept-defaults # Accept default values
--auto-yes # Skip confirmations
--non-interactive # No prompts
-s SERVICE_ID) or name (--service-name NAME)--version active, --version latest, or --version N--autoclone to auto-clone locked versions--json for scripted output, --non-interactive --accept-defaults for CI/CD.Name, .ServiceID, .ActiveVersion), not lowercasefastly auth login --sso to login, or set FASTLY_API_TOKEN env varfastly auth token; it prints the token only to non-terminal stdout and refuses to write it directly to a terminalfastly auth show --reveal bare. If you specifically need a stored token by name rather than the currently active token, use fastly auth show TOKEN_NAME --reveal --quiet | awk '/^Token:/ {print $2}' only inside a shell substitutionservice logging (e.g. fastly service logging s3 create)~/.config/fastly/config.toml (stored tokens), fastly.toml (project)These are the flags that cause the most confusion. Copy-paste these patterns directly.
# --autoclone automatically clones a locked version before making changes.
# Without it, you get "version is locked" errors and waste time cloning manually.
fastly service backend create --service-id $SID --version active --autoclone \
--name my-origin --address origin.example.com --port 443 --use-ssl
fastly service domain create --service-id $SID --version active --autoclone \
--name cdn.example.com
Always pass --autoclone when creating, updating, or deleting backends, domains, snippets, VCL, conditions, headers, or any other version-scoped resource. It is safe to use even on unlocked versions (it simply does nothing if the version is already editable).
# CORRECT - boolean flags are bare, no value
fastly service backend create --name origin --address example.com --port 443 --use-ssl
# WRONG - do not pass a value to boolean flags
fastly service backend create --name origin --address example.com --port 443 --use-ssl true
Other boolean flags that work the same way: --auto-yes, --non-interactive, --verbose, --quiet, --autoclone.
# CORRECT
fastly service domain create --service-id $SID --version active --autoclone --name cdn.example.com
# WRONG - domain is not a positional argument
fastly service domain create --service-id $SID --version active cdn.example.com
# WRONG - there is no -d flag
fastly service domain create --service-id $SID --version active -d cdn.example.com
# Historical stats by day for a date range (JSON output)
fastly stats historical --service-id $SID --by day \
--from "2026-02-01" --to "2026-03-01" --json
# Real-time stats (last second)
fastly stats realtime --service-id $SID --json
The --by flag accepts: day, hour, minute. The --from and --to flags use quoted date strings. Use --json for JSON output on stats commands.
Changes propagate across Fastly's network in seconds to minutes (up to 10 min for version activations, up to 5 min for TLS). Cache purges are 1-2 seconds. Retry with backoff when verifying changes.
New service activation sequence: After activating a brand new service, expect 500 "Domain Not Found" for 10-60 seconds while the domain propagates to edge POPs. This is normal — do not change configuration. Wait and retry. After version updates (e.g., fixing backend settings), allow 15-30 seconds for the new version to propagate.
fastly kv-store create then fastly service resource-link create --resource-id STORE_ID --service-id $SID --version active --autoclone.fastly kv-store list lists all stores on the account, not per-service. Use fastly service resource-link list to see which stores are linked to a given service.When the origin hostname differs from the desired Host header (e.g., origin is example.com but you want to send Host: download.example.com), use --override-host on the backend:
fastly service backend create --service-id $SID --version 1 \
--name my-origin --address example.com --port 443 --use-ssl \
--override-host download.example.com \
--ssl-cert-hostname example.com --ssl-sni-hostname example.com
The --override-host value is the Host header sent to the origin. The --ssl-cert-hostname and --ssl-sni-hostname must match the origin's TLS certificate (usually the --address value). Getting these backwards causes 503 errors.
When enumerating services (e.g., for bandwidth stats), always use fastly service list --json and check for pagination. Services with zero traffic still appear in the list. Loop over ALL service IDs from the list — do not rely on stats APIs that omit zero-traffic services.
See troubleshooting.md for the full list. The most common pitfalls:
--override-host differs from --address, always set --ssl-cert-hostname and --ssl-sni-hostname to the origin's actual hostname (the --address value, not the --override-host value).fastly service domain create, not fastly domain create.--autoclone or clone first. Better yet, always pass --autoclone on every mutation command.--version 1, then activate once.fastly service vcl (e.g. fastly service vcl snippet create), not fastly vcl.fastly auth show --reveal bare in an AI context — it exposes tokens.--use-ssl is a boolean flag: Write --use-ssl, not --use-ssl true. Passing a value causes the next argument to be misinterpreted.--name: The domain is passed via --name cdn.example.com, not as a positional argument and not with -d.