Skip to content
Access
Visit Access on GitHub
Set theme to dark (⇧+D)

Access API Examples

Access users can create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:

{  "name": "allow cloudflare employees",  "decision": "allow",  "include": [    {      "email_domain": {        "domain": "cloudflare.com"      }    }  ],  "exclude": [    {      "email": {        "email": "notthisperson@cloudflare.com"      }    }  ],  "require": []}

Example rule configurations

These are commonly used rule configurations.

Email

Allow a specific email address

{  "email": {    "email": "james@example.com"  }}

Email domain

Allow an entire email domain

{  "email_domain": {    "domain": "cloudflare.com"  }}

Country code

Allow specific countries

{  "geo": {    "country_code": "US"  }}

Authentication method

Allow access based on the "amr" identifier

{  "auth_method": {    "auth_method": "hwk"  }}

IP range

Allow an IP Range

{  "ip": {    "ip": "127.0.0.1/32"  }}

Access group

Use a pre-existing Access group

{  "group": {    "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"  }}

Everyone

Allow anyone to login

{  "everyone": {}}

mTLS Certificate

The request will need to present a valid certificate

{  "certificate": {}}

Common name

The request will need to present a valid certificate with an expected common name

{  "common_name": {    "common_name": "james@example.com"  }}

Service token

The request will need to present the correct service token headers

{  "service_token": {    "token_id": "e9808c3a-705c-4afc-a507-6e4b083ff399"  }}

Any valid service token

The request will need to present the headers for any service token created for this account

{  "any_valid_service_token": {}}

G Suite® Group

Allow members of a specific G Suite group:

{  "gsuite": {    "email": "admins@mycompanygsuite.com",    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"  }}

GitHub™ Organization

Allow members of a specific GitHub organization:

{  "github-organization": {    "name": "cloudflare",    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"  }}

Azure® Group

Allow members of an Azure Group. The ID is the group UUID (id) in Azure:

{  "azureAD": {    "id": "86773093-5feb-48dd-814b-7ccd3676ff50",    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"  }}

Okta® Group

Allow members of an Okta Group:

{  "okta": {    "name": "admins",    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"  }}

SAML Attribute

Allow users with specific SAML attributes:

{  "saml": {    "attribute_name": "group",    "attribute_value": "admins",    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"  }}