API Reference

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Zero Trust

Zero TrustDevices

List devices (deprecated)

Deprecated

client.ZeroTrust.Devices.List(ctx, query) (*SinglePage[Device], error)

GET/accounts/{account_id}/devices

Get device (deprecated)

Deprecated

client.ZeroTrust.Devices.Get(ctx, deviceID, query) (*DeviceGetResponse, error)

GET/accounts/{account_id}/devices/{device_id}

ModelsExpand Collapse

type Device struct{…}

ID stringoptional

Registration ID. Equal to Device ID except for accounts which enabled multi-user mode.

maxLength36

Created Timeoptional

When the device was created.

formatdate-time

Deleted booloptional

True if the device was deleted.

DeviceType DeviceDeviceTypeoptional

One of the following:

const DeviceDeviceTypeWindows DeviceDeviceType = "windows"

const DeviceDeviceTypeMac DeviceDeviceType = "mac"

const DeviceDeviceTypeLinux DeviceDeviceType = "linux"

const DeviceDeviceTypeAndroid DeviceDeviceType = "android"

const DeviceDeviceTypeIos DeviceDeviceType = "ios"

const DeviceDeviceTypeChromeos DeviceDeviceType = "chromeos"

IP stringoptional

IPv4 or IPv6 address.

Key stringoptional

The device's public key.

LastSeen Timeoptional

When the device last connected to Cloudflare services.

formatdate-time

MacAddress stringoptional

The device mac address.

Manufacturer stringoptional

The device manufacturer name.

Model stringoptional

The device model name.

Name stringoptional

The device name.

OSDistroName stringoptional

The Linux distro name.

OSDistroRevision stringoptional

The Linux distro revision.

OSVersion stringoptional

The operating system version.

OSVersionExtra stringoptional

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

RevokedAt Timeoptional

When the device was revoked.

formatdate-time

SerialNumber stringoptional

The device serial number.

Updated Timeoptional

When the device was updated.

formatdate-time

User DeviceUseroptional

ID stringoptional

UUID.

maxLength36

Email stringoptional

The contact email address of the user.

maxLength90

Name stringoptional

The enrolled device user's name.

Version stringoptional

The WARP client version.

Zero TrustDevicesDevices

List devices

client.ZeroTrust.Devices.Devices.List(ctx, params) (*CursorPagination[DeviceDeviceListResponse], error)

GET/accounts/{account_id}/devices/physical-devices

Get device

client.ZeroTrust.Devices.Devices.Get(ctx, deviceID, params) (*DeviceDeviceGetResponse, error)

GET/accounts/{account_id}/devices/physical-devices/{device_id}

Delete device

client.ZeroTrust.Devices.Devices.Delete(ctx, deviceID, body) (*DeviceDeviceDeleteResponse, error)

DELETE/accounts/{account_id}/devices/physical-devices/{device_id}

Revoke device registrations

client.ZeroTrust.Devices.Devices.Revoke(ctx, deviceID, body) (*DeviceDeviceRevokeResponse, error)

POST/accounts/{account_id}/devices/physical-devices/{device_id}/revoke

Zero TrustDevicesResilience

Zero TrustDevicesResilienceGlobal WARP Override

Retrieve Global WARP override state

client.ZeroTrust.Devices.Resilience.GlobalWARPOverride.Get(ctx, query) (*DeviceResilienceGlobalWARPOverrideGetResponse, error)

GET/accounts/{account_id}/devices/resilience/disconnect

Set Global WARP override state

client.ZeroTrust.Devices.Resilience.GlobalWARPOverride.New(ctx, params) (*DeviceResilienceGlobalWARPOverrideNewResponse, error)

POST/accounts/{account_id}/devices/resilience/disconnect

Zero TrustDevicesRegistrations

List registrations

client.ZeroTrust.Devices.Registrations.List(ctx, params) (*CursorPagination[DeviceRegistrationListResponse], error)

GET/accounts/{account_id}/devices/registrations

Get registration

client.ZeroTrust.Devices.Registrations.Get(ctx, registrationID, params) (*DeviceRegistrationGetResponse, error)

GET/accounts/{account_id}/devices/registrations/{registration_id}

Delete registration

client.ZeroTrust.Devices.Registrations.Delete(ctx, registrationID, body) (*DeviceRegistrationDeleteResponse, error)

DELETE/accounts/{account_id}/devices/registrations/{registration_id}

Delete registrations

client.ZeroTrust.Devices.Registrations.BulkDelete(ctx, params) (*DeviceRegistrationBulkDeleteResponse, error)

DELETE/accounts/{account_id}/devices/registrations

Revoke registrations

client.ZeroTrust.Devices.Registrations.Revoke(ctx, params) (*DeviceRegistrationRevokeResponse, error)

POST/accounts/{account_id}/devices/registrations/revoke

Unrevoke registrations

client.ZeroTrust.Devices.Registrations.Unrevoke(ctx, params) (*DeviceRegistrationUnrevokeResponse, error)

POST/accounts/{account_id}/devices/registrations/unrevoke

Zero TrustDevicesDEX Tests

List Device DEX tests

client.ZeroTrust.Devices.DEXTests.List(ctx, params) (*V4PagePaginationArray[DeviceDEXTestListResponse], error)

GET/accounts/{account_id}/dex/devices/dex_tests

Get Device DEX test

client.ZeroTrust.Devices.DEXTests.Get(ctx, dexTestID, query) (*DeviceDEXTestGetResponse, error)

GET/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

Create Device DEX test

client.ZeroTrust.Devices.DEXTests.New(ctx, params) (*DeviceDEXTestNewResponse, error)

POST/accounts/{account_id}/dex/devices/dex_tests

Update Device DEX test

client.ZeroTrust.Devices.DEXTests.Update(ctx, dexTestID, params) (*DeviceDEXTestUpdateResponse, error)

PUT/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

Delete Device DEX test

client.ZeroTrust.Devices.DEXTests.Delete(ctx, dexTestID, body) (*DeviceDEXTestDeleteResponse, error)

DELETE/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}

ModelsExpand Collapse

type SchemaData struct{…}

The configuration object which contains the details for the WARP client to conduct the test.

Host stringoptional

The desired endpoint to test.

Kind stringoptional

The type of test.

Method stringoptional

The HTTP request method type.

type SchemaHTTP struct{…}

Data SchemaData

The configuration object which contains the details for the WARP client to conduct the test.

Enabled bool

Determines whether or not the test is active.

Interval string

How often the test will run.

Name string

The name of the DEX test. Must be unique.

Description stringoptional

Additional details about the test.

TargetPolicies []SchemaHTTPTargetPolicyoptional

Device settings profiles targeted by this test.

ID stringoptional

The id of the device settings profile.

Default booloptional

Whether the profile is the account default.

Name stringoptional

The name of the device settings profile.

Targeted booloptional

TestID stringoptional

The unique identifier for the test.

maxLength32

Zero TrustDevicesIP Profiles

List IP profiles

client.ZeroTrust.Devices.IPProfiles.List(ctx, params) (*SinglePage[IPProfile], error)

GET/accounts/{account_id}/devices/ip-profiles

Get IP profile

client.ZeroTrust.Devices.IPProfiles.Get(ctx, profileID, query) (*IPProfile, error)

GET/accounts/{account_id}/devices/ip-profiles/{profile_id}

Create IP profile

client.ZeroTrust.Devices.IPProfiles.New(ctx, params) (*IPProfile, error)

POST/accounts/{account_id}/devices/ip-profiles

Update IP profile

client.ZeroTrust.Devices.IPProfiles.Update(ctx, profileID, params) (*IPProfile, error)

PATCH/accounts/{account_id}/devices/ip-profiles/{profile_id}

Delete IP profile

client.ZeroTrust.Devices.IPProfiles.Delete(ctx, profileID, body) (*DeviceIPProfileDeleteResponse, error)

DELETE/accounts/{account_id}/devices/ip-profiles/{profile_id}

ModelsExpand Collapse

type IPProfile struct{…}

ID string

The ID of the Device IP profile.

CreatedAt string

The RFC3339Nano timestamp when the Device IP profile was created.

Description string

An optional description of the Device IP profile.

Enabled bool

Whether the Device IP profile is enabled.

Match string

The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".

maxLength10000

Name string

A user-friendly name for the Device IP profile.

Precedence int64

The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profile will be evaluated in ascending order of this field.

SubnetID string

The ID of the Subnet.

UpdatedAt string

The RFC3339Nano timestamp when the Device IP profile was last updated.

Zero TrustDevicesNetworks

List your device managed networks

client.ZeroTrust.Devices.Networks.List(ctx, query) (*SinglePage[DeviceNetwork], error)

GET/accounts/{account_id}/devices/networks

Get device managed network details

client.ZeroTrust.Devices.Networks.Get(ctx, networkID, query) (*DeviceNetwork, error)

GET/accounts/{account_id}/devices/networks/{network_id}

Create a device managed network

client.ZeroTrust.Devices.Networks.New(ctx, params) (*DeviceNetwork, error)

POST/accounts/{account_id}/devices/networks

Update a device managed network

client.ZeroTrust.Devices.Networks.Update(ctx, networkID, params) (*DeviceNetwork, error)

PUT/accounts/{account_id}/devices/networks/{network_id}

Delete a device managed network

client.ZeroTrust.Devices.Networks.Delete(ctx, networkID, body) (*SinglePage[DeviceNetwork], error)

DELETE/accounts/{account_id}/devices/networks/{network_id}

ModelsExpand Collapse

type DeviceNetwork struct{…}

Config DeviceNetworkConfigoptional

The configuration object containing information for the WARP client to detect the managed network.

TLSSockaddr string

A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.

Sha256 stringoptional

The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc) will be used to validate the certificate.

Name stringoptional

The name of the device managed network. This name must be unique.

NetworkID stringoptional

API UUID.

maxLength36

Type DeviceNetworkTypeoptional

The type of device managed network.

Zero TrustDevicesFleet Status

Get the live status of a latest device

client.ZeroTrust.Devices.FleetStatus.Get(ctx, deviceID, params) (*DeviceFleetStatusGetResponse, error)

GET/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live

Zero TrustDevicesPolicies

ModelsExpand Collapse

type DevicePolicyCertificates struct{…}

Enabled bool

The current status of the device policy certificate provisioning feature for WARP clients.

type FallbackDomain struct{…}

Suffix string

The domain suffix to match when resolving locally.

Description stringoptional

A description of the fallback domain, displayed in the client UI.

maxLength100

DNSServer []stringoptional

A list of IP addresses to handle domain resolution.

type FallbackDomainPolicy []FallbackDomain

Suffix string

The domain suffix to match when resolving locally.

Description stringoptional

A description of the fallback domain, displayed in the client UI.

maxLength100

DNSServer []stringoptional

A list of IP addresses to handle domain resolution.

type SettingsPolicy struct{…}

AllowModeSwitch booloptional

Whether to allow the user to switch WARP between modes.

AllowUpdates booloptional

Whether to receive update notifications when a new version of the client is available.

AllowedToLeave booloptional

Whether to allow devices to leave the organization.

AutoConnect float64optional

The amount of time in seconds to reconnect after having been disabled.

CaptivePortal float64optional

Turn on the captive portal after the specified amount of time.

Default booloptional

Whether the policy is the default policy for an account.

Description stringoptional

A description of the policy.

maxLength500

DisableAutoFallback booloptional

If the dns_server field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to true.

Enabled booloptional

Whether the policy will be applied to matching devices.

Exclude []SplitTunnelExcludeoptional

List of routes excluded in the WARP client's tunnel.

One of the following:

type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}

Address string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}

Host string

The domain name to exclude from the tunnel. If host is present, address must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

ExcludeOfficeIPs booloptional

Whether to add Microsoft IPs to Split Tunnel exclusions.

FallbackDomains []FallbackDomainoptional

Suffix string

The domain suffix to match when resolving locally.

Description stringoptional

A description of the fallback domain, displayed in the client UI.

maxLength100

DNSServer []stringoptional

A list of IP addresses to handle domain resolution.

GatewayUniqueID stringoptional

Include []SplitTunnelIncludeoptional

List of routes included in the WARP client's tunnel.

One of the following:

type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}

Address string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}

Host string

The domain name to include in the tunnel. If host is present, address must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

LANAllowMinutes float64optional

The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.

LANAllowSubnetSize float64optional

The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.

Match stringoptional

The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".

maxLength500

Name stringoptional

The name of the device settings profile.

maxLength100

PolicyID stringoptional

maxLength36

Precedence float64optional

The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.

RegisterInterfaceIPWithDNS booloptional

Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.

SccmVpnBoundarySupport booloptional

Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).

ServiceModeV2 SettingsPolicyServiceModeV2optional

Mode stringoptional

The mode to run the WARP client under.

Port float64optional

The port number when used with proxy mode.

SupportURL stringoptional

The URL to launch when the Send Feedback button is clicked.

SwitchLocked booloptional

Whether to allow the user to turn off the WARP switch and disconnect the client.

TargetTests []SettingsPolicyTargetTestoptional

ID stringoptional

The id of the DEX test targeting this policy.

Name stringoptional

The name of the DEX test targeting this policy.

TunnelProtocol stringoptional

Determines which tunnel protocol to use.

type SplitTunnelExclude interface{…}

One of the following:

type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithAddress struct{…}

Address string

The address in CIDR format to exclude from the tunnel. If address is present, host must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

type SplitTunnelExcludeTeamsDevicesExcludeSplitTunnelWithHost struct{…}

Host string

The domain name to exclude from the tunnel. If host is present, address must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

type SplitTunnelInclude interface{…}

One of the following:

type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithAddress struct{…}

Address string

The address in CIDR format to include in the tunnel. If address is present, host must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

type SplitTunnelIncludeTeamsDevicesIncludeSplitTunnelWithHost struct{…}

Host string

The domain name to include in the tunnel. If host is present, address must not be present.

Description stringoptional

A description of the Split Tunnel item, displayed in the client UI.

maxLength100

Zero TrustDevicesPoliciesDefault

Get the default device settings profile

client.ZeroTrust.Devices.Policies.Default.Get(ctx, query) (*DevicePolicyDefaultGetResponse, error)

GET/accounts/{account_id}/devices/policy

Update the default device settings profile

client.ZeroTrust.Devices.Policies.Default.Edit(ctx, params) (*DevicePolicyDefaultEditResponse, error)

PATCH/accounts/{account_id}/devices/policy

Zero TrustDevicesPoliciesDefaultExcludes

Get the Split Tunnel exclude list

client.ZeroTrust.Devices.Policies.Default.Excludes.Get(ctx, query) (*SinglePage[SplitTunnelExclude], error)

GET/accounts/{account_id}/devices/policy/exclude

Set the Split Tunnel exclude list

client.ZeroTrust.Devices.Policies.Default.Excludes.Update(ctx, params) (*SinglePage[SplitTunnelExclude], error)

PUT/accounts/{account_id}/devices/policy/exclude

Zero TrustDevicesPoliciesDefaultIncludes

Get the Split Tunnel include list

client.ZeroTrust.Devices.Policies.Default.Includes.Get(ctx, query) (*SinglePage[SplitTunnelInclude], error)

GET/accounts/{account_id}/devices/policy/include

Set the Split Tunnel include list

client.ZeroTrust.Devices.Policies.Default.Includes.Update(ctx, params) (*SinglePage[SplitTunnelInclude], error)

PUT/accounts/{account_id}/devices/policy/include

Zero TrustDevicesPoliciesDefaultFallback Domains

Get your Local Domain Fallback list

client.ZeroTrust.Devices.Policies.Default.FallbackDomains.Get(ctx, query) (*SinglePage[FallbackDomain], error)

GET/accounts/{account_id}/devices/policy/fallback_domains

Set your Local Domain Fallback list

client.ZeroTrust.Devices.Policies.Default.FallbackDomains.Update(ctx, params) (*SinglePage[FallbackDomain], error)

PUT/accounts/{account_id}/devices/policy/fallback_domains

Zero TrustDevicesPoliciesDefaultCertificates

Get device certificate provisioning status

client.ZeroTrust.Devices.Policies.Default.Certificates.Get(ctx, query) (*DevicePolicyCertificates, error)

GET/zones/{zone_id}/devices/policy/certificates

Update device certificate provisioning status

client.ZeroTrust.Devices.Policies.Default.Certificates.Edit(ctx, params) (*DevicePolicyCertificates, error)

PATCH/zones/{zone_id}/devices/policy/certificates

Zero TrustDevicesPoliciesCustom

List device settings profiles

client.ZeroTrust.Devices.Policies.Custom.List(ctx, query) (*SinglePage[SettingsPolicy], error)

GET/accounts/{account_id}/devices/policies

Get device settings profile by ID

client.ZeroTrust.Devices.Policies.Custom.Get(ctx, policyID, query) (*SettingsPolicy, error)

GET/accounts/{account_id}/devices/policy/{policy_id}

Create a device settings profile

client.ZeroTrust.Devices.Policies.Custom.New(ctx, params) (*SettingsPolicy, error)

POST/accounts/{account_id}/devices/policy

Update a device settings profile

client.ZeroTrust.Devices.Policies.Custom.Edit(ctx, policyID, params) (*SettingsPolicy, error)

PATCH/accounts/{account_id}/devices/policy/{policy_id}

Delete a device settings profile

client.ZeroTrust.Devices.Policies.Custom.Delete(ctx, policyID, body) (*SinglePage[SettingsPolicy], error)

DELETE/accounts/{account_id}/devices/policy/{policy_id}

Zero TrustDevicesPoliciesCustomExcludes

Get the Split Tunnel exclude list for a device settings profile

client.ZeroTrust.Devices.Policies.Custom.Excludes.Get(ctx, policyID, query) (*SinglePage[SplitTunnelExclude], error)

GET/accounts/{account_id}/devices/policy/{policy_id}/exclude

Set the Split Tunnel exclude list for a device settings profile

client.ZeroTrust.Devices.Policies.Custom.Excludes.Update(ctx, policyID, params) (*SinglePage[SplitTunnelExclude], error)

PUT/accounts/{account_id}/devices/policy/{policy_id}/exclude

Zero TrustDevicesPoliciesCustomIncludes

Get the Split Tunnel include list for a device settings profile

client.ZeroTrust.Devices.Policies.Custom.Includes.Get(ctx, policyID, query) (*SinglePage[SplitTunnelInclude], error)

GET/accounts/{account_id}/devices/policy/{policy_id}/include

Set the Split Tunnel include list for a device settings profile

client.ZeroTrust.Devices.Policies.Custom.Includes.Update(ctx, policyID, params) (*SinglePage[SplitTunnelInclude], error)

PUT/accounts/{account_id}/devices/policy/{policy_id}/include

Zero TrustDevicesPoliciesCustomFallback Domains

Get the Local Domain Fallback list for a device settings profile

client.ZeroTrust.Devices.Policies.Custom.FallbackDomains.Get(ctx, policyID, query) (*SinglePage[FallbackDomain], error)

GET/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Set the Local Domain Fallback list for a device settings profile

client.ZeroTrust.Devices.Policies.Custom.FallbackDomains.Update(ctx, policyID, params) (*SinglePage[FallbackDomain], error)

PUT/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains

Zero TrustDevicesPosture

List device posture rules

client.ZeroTrust.Devices.Posture.List(ctx, query) (*SinglePage[DevicePostureRule], error)

GET/accounts/{account_id}/devices/posture

Get device posture rule details

client.ZeroTrust.Devices.Posture.Get(ctx, ruleID, query) (*DevicePostureRule, error)

GET/accounts/{account_id}/devices/posture/{rule_id}

Create a device posture rule

client.ZeroTrust.Devices.Posture.New(ctx, params) (*DevicePostureRule, error)

POST/accounts/{account_id}/devices/posture

Update a device posture rule

client.ZeroTrust.Devices.Posture.Update(ctx, ruleID, params) (*DevicePostureRule, error)

PUT/accounts/{account_id}/devices/posture/{rule_id}

Delete a device posture rule

client.ZeroTrust.Devices.Posture.Delete(ctx, ruleID, body) (*DevicePostureDeleteResponse, error)

DELETE/accounts/{account_id}/devices/posture/{rule_id}

ModelsExpand Collapse

type CarbonblackInput string

type ClientCertificateInput struct{…}

CertificateID string

UUID of Cloudflare managed certificate.

maxLength36

Cn string

Common Name that is protected by the certificate.

type CrowdstrikeInput struct{…}

ConnectionID string

Posture Integration ID.

LastSeen stringoptional

For more details on last seen, please refer to the Crowdstrike documentation.

Operator CrowdstrikeInputOperatoroptional

Operator.

One of the following:

const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"

const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="

const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"

const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="

const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="

OS stringoptional

Os Version.

Overall stringoptional

Overall.

SensorConfig stringoptional

SensorConfig.

State CrowdstrikeInputStateoptional

For more details on state, please refer to the Crowdstrike documentation.

One of the following:

const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"

const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"

const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"

Version stringoptional

Version.

VersionOperator CrowdstrikeInputVersionOperatoroptional

Version Operator.

One of the following:

const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"

const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="

const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"

const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="

const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="

type DeviceInput interface{…}

The value to be checked against.

One of the following:

type FileInput struct{…}

OperatingSystem FileInputOperatingSystem

Operating system.

One of the following:

const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"

const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"

const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"

Path string

File path.

Exists booloptional

Whether or not file exists.

Sha256 stringoptional

SHA-256.

Thumbprint stringoptional

Signing certificate thumbprint.

type UniqueClientIDInput struct{…}

ID string

List ID.

OperatingSystem UniqueClientIDInputOperatingSystem

Operating System.

One of the following:

const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"

const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"

const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"

type DomainJoinedInput struct{…}

OperatingSystem DomainJoinedInputOperatingSystem

Operating System.

Domain stringoptional

Domain.

type OSVersionInput struct{…}

OperatingSystem OSVersionInputOperatingSystem

Operating System.

Operator OSVersionInputOperator

Operator.

One of the following:

const OSVersionInputOperatorLess OSVersionInputOperator = "<"

const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="

const OSVersionInputOperatorGreater OSVersionInputOperator = ">"

const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="

const OSVersionInputOperatorEquals OSVersionInputOperator = "=="

Version string

Version of OS.

OSDistroName stringoptional

Operating System Distribution Name (linux only).

OSDistroRevision stringoptional

Version of OS Distribution (linux only).

OSVersionExtra stringoptional

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

type FirewallInput struct{…}

Enabled bool

Enabled.

OperatingSystem FirewallInputOperatingSystem

Operating System.

One of the following:

const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"

const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"

type SentineloneInput struct{…}

OperatingSystem SentineloneInputOperatingSystem

Operating system.

One of the following:

const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"

const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"

const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"

Path string

File path.

Sha256 stringoptional

SHA-256.

Thumbprint stringoptional

Signing certificate thumbprint.

type DeviceInputTeamsDevicesCarbonblackInputRequest struct{…}

OperatingSystem DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem

Operating system.

One of the following:

const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemWindows DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "windows"

const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemLinux DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "linux"

const DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystemMac DeviceInputTeamsDevicesCarbonblackInputRequestOperatingSystem = "mac"

Path string

File path.

Sha256 stringoptional

SHA-256.

Thumbprint stringoptional

Signing certificate thumbprint.

type DeviceInputTeamsDevicesAccessSerialNumberListInputRequest struct{…}

ID string

UUID of Access List.

maxLength36

type DiskEncryptionInput struct{…}

CheckDisks []CarbonblackInputoptional

List of volume names to be checked for encryption.

RequireAll booloptional

Whether to check all disks for encryption.

type DeviceInputTeamsDevicesApplicationInputRequest struct{…}

OperatingSystem DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem

Operating system.

One of the following:

const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemWindows DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "windows"

const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemLinux DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "linux"

const DeviceInputTeamsDevicesApplicationInputRequestOperatingSystemMac DeviceInputTeamsDevicesApplicationInputRequestOperatingSystem = "mac"

Path string

Path for the application.

Sha256 stringoptional

SHA-256.

Thumbprint stringoptional

Signing certificate thumbprint.

type ClientCertificateInput struct{…}

CertificateID string

UUID of Cloudflare managed certificate.

maxLength36

Cn string

Common Name that is protected by the certificate.

type DeviceInputTeamsDevicesClientCertificateV2InputRequest struct{…}

CertificateID string

UUID of Cloudflare managed certificate.

maxLength36

CheckPrivateKey bool

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

OperatingSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem

Operating system.

One of the following:

const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemWindows DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "windows"

const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemLinux DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "linux"

const DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystemMac DeviceInputTeamsDevicesClientCertificateV2InputRequestOperatingSystem = "mac"

Cn stringoptional

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

ExtendedKeyUsage []DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageoptional

List of values indicating purposes for which the certificate public key can be used.

One of the following:

const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageClientAuth DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "clientAuth"

const DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsageEmailProtection DeviceInputTeamsDevicesClientCertificateV2InputRequestExtendedKeyUsage = "emailProtection"

Locations DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsoptional

Paths []stringoptional

List of paths to check for client certificate on linux.

TrustStores []DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreoptional

List of trust stores to check for client certificate.

One of the following:

const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreSystem DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "system"

const DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStoreUser DeviceInputTeamsDevicesClientCertificateV2InputRequestLocationsTrustStore = "user"

SubjectAlternativeNames []stringoptional

List of certificate Subject Alternative Names.

type DeviceInputTeamsDevicesAntivirusInputRequest struct{…}

UpdateWindowDays float64optional

Number of days that the antivirus should be updated within.

type WorkspaceOneInput struct{…}

ComplianceStatus WorkspaceOneInputComplianceStatus

Compliance Status.

One of the following:

const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"

const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"

const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"

ConnectionID string

Posture Integration ID.

type CrowdstrikeInput struct{…}

ConnectionID string

Posture Integration ID.

LastSeen stringoptional

For more details on last seen, please refer to the Crowdstrike documentation.

Operator CrowdstrikeInputOperatoroptional

Operator.

One of the following:

const CrowdstrikeInputOperatorLess CrowdstrikeInputOperator = "<"

const CrowdstrikeInputOperatorLessOrEquals CrowdstrikeInputOperator = "<="

const CrowdstrikeInputOperatorGreater CrowdstrikeInputOperator = ">"

const CrowdstrikeInputOperatorGreaterOrEquals CrowdstrikeInputOperator = ">="

const CrowdstrikeInputOperatorEquals CrowdstrikeInputOperator = "=="

OS stringoptional

Os Version.

Overall stringoptional

Overall.

SensorConfig stringoptional

SensorConfig.

State CrowdstrikeInputStateoptional

For more details on state, please refer to the Crowdstrike documentation.

One of the following:

const CrowdstrikeInputStateOnline CrowdstrikeInputState = "online"

const CrowdstrikeInputStateOffline CrowdstrikeInputState = "offline"

const CrowdstrikeInputStateUnknown CrowdstrikeInputState = "unknown"

Version stringoptional

Version.

VersionOperator CrowdstrikeInputVersionOperatoroptional

Version Operator.

One of the following:

const CrowdstrikeInputVersionOperatorLess CrowdstrikeInputVersionOperator = "<"

const CrowdstrikeInputVersionOperatorLessOrEquals CrowdstrikeInputVersionOperator = "<="

const CrowdstrikeInputVersionOperatorGreater CrowdstrikeInputVersionOperator = ">"

const CrowdstrikeInputVersionOperatorGreaterOrEquals CrowdstrikeInputVersionOperator = ">="

const CrowdstrikeInputVersionOperatorEquals CrowdstrikeInputVersionOperator = "=="

type IntuneInput struct{…}

ComplianceStatus IntuneInputComplianceStatus

Compliance Status.

One of the following:

const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"

const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"

const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"

const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"

const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"

const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"

ConnectionID string

Posture Integration ID.

type KolideInput struct{…}

ConnectionID string

Posture Integration ID.

CountOperator KolideInputCountOperator

Count Operator.

One of the following:

const KolideInputCountOperatorLess KolideInputCountOperator = "<"

const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="

const KolideInputCountOperatorGreater KolideInputCountOperator = ">"

const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="

const KolideInputCountOperatorEquals KolideInputCountOperator = "=="

IssueCount string

The Number of Issues.

type TaniumInput struct{…}

ConnectionID string

Posture Integration ID.

EidLastSeen stringoptional

For more details on eid last seen, refer to the Tanium documentation.

Operator TaniumInputOperatoroptional

Operator to evaluate risk_level or eid_last_seen.

One of the following:

const TaniumInputOperatorLess TaniumInputOperator = "<"

const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="

const TaniumInputOperatorGreater TaniumInputOperator = ">"

const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="

const TaniumInputOperatorEquals TaniumInputOperator = "=="

RiskLevel TaniumInputRiskLeveloptional

For more details on risk level, refer to the Tanium documentation.

One of the following:

const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"

const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"

const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"

const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"

ScoreOperator TaniumInputScoreOperatoroptional

Score Operator.

One of the following:

const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"

const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="

const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"

const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="

const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="

TotalScore float64optional

For more details on total score, refer to the Tanium documentation.

type SentineloneS2sInput struct{…}

ConnectionID string

Posture Integration ID.

ActiveThreats float64optional

The Number of active threats.

Infected booloptional

Whether device is infected.

IsActive booloptional

Whether device is active.

NetworkStatus SentineloneS2sInputNetworkStatusoptional

Network status of device.

One of the following:

const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"

const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"

const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"

const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"

OperationalState SentineloneS2sInputOperationalStateoptional

Agent operational state.

One of the following:

const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"

const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"

const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"

const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"

const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"

const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"

const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"

Operator SentineloneS2sInputOperatoroptional

Operator.

One of the following:

const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"

const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="

const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"

const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="

const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="

type DeviceInputTeamsDevicesCustomS2sInputRequest struct{…}

ConnectionID string

Posture Integration ID.

Operator DeviceInputTeamsDevicesCustomS2sInputRequestOperator

Operator.

One of the following:

const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLess DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<"

const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorLessOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "<="

const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreater DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">"

const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorGreaterOrEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = ">="

const DeviceInputTeamsDevicesCustomS2sInputRequestOperatorEquals DeviceInputTeamsDevicesCustomS2sInputRequestOperator = "=="

Score float64

A value between 0-100 assigned to devices set by the 3rd party posture provider.

type DeviceMatch struct{…}

Platform DeviceMatchPlatformoptional

One of the following:

const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"

const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"

const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"

const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"

const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"

const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"

type DevicePostureRule struct{…}

ID stringoptional

API UUID.

maxLength36

Description stringoptional

The description of the device posture rule.

Expiration stringoptional

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

Input DeviceInputoptional

The value to be checked against.

Match []DeviceMatchoptional

The conditions that the client must match to run the rule.

Platform DeviceMatchPlatformoptional

One of the following:

const DeviceMatchPlatformWindows DeviceMatchPlatform = "windows"

const DeviceMatchPlatformMac DeviceMatchPlatform = "mac"

const DeviceMatchPlatformLinux DeviceMatchPlatform = "linux"

const DeviceMatchPlatformAndroid DeviceMatchPlatform = "android"

const DeviceMatchPlatformIos DeviceMatchPlatform = "ios"

const DeviceMatchPlatformChromeos DeviceMatchPlatform = "chromeos"

Name stringoptional

The name of the device posture rule.

Schedule stringoptional

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

Type DevicePostureRuleTypeoptional

The type of device posture rule.

One of the following:

const DevicePostureRuleTypeFile DevicePostureRuleType = "file"

const DevicePostureRuleTypeApplication DevicePostureRuleType = "application"

const DevicePostureRuleTypeTanium DevicePostureRuleType = "tanium"

const DevicePostureRuleTypeGateway DevicePostureRuleType = "gateway"

const DevicePostureRuleTypeWARP DevicePostureRuleType = "warp"

const DevicePostureRuleTypeDiskEncryption DevicePostureRuleType = "disk_encryption"

const DevicePostureRuleTypeSerialNumber DevicePostureRuleType = "serial_number"

const DevicePostureRuleTypeSentinelone DevicePostureRuleType = "sentinelone"

const DevicePostureRuleTypeCarbonblack DevicePostureRuleType = "carbonblack"

const DevicePostureRuleTypeFirewall DevicePostureRuleType = "firewall"

const DevicePostureRuleTypeOSVersion DevicePostureRuleType = "os_version"

const DevicePostureRuleTypeDomainJoined DevicePostureRuleType = "domain_joined"

const DevicePostureRuleTypeClientCertificate DevicePostureRuleType = "client_certificate"

const DevicePostureRuleTypeClientCertificateV2 DevicePostureRuleType = "client_certificate_v2"

const DevicePostureRuleTypeAntivirus DevicePostureRuleType = "antivirus"

const DevicePostureRuleTypeUniqueClientID DevicePostureRuleType = "unique_client_id"

const DevicePostureRuleTypeKolide DevicePostureRuleType = "kolide"

const DevicePostureRuleTypeTaniumS2s DevicePostureRuleType = "tanium_s2s"

const DevicePostureRuleTypeCrowdstrikeS2s DevicePostureRuleType = "crowdstrike_s2s"

const DevicePostureRuleTypeIntune DevicePostureRuleType = "intune"

const DevicePostureRuleTypeWorkspaceOne DevicePostureRuleType = "workspace_one"

const DevicePostureRuleTypeSentineloneS2s DevicePostureRuleType = "sentinelone_s2s"

const DevicePostureRuleTypeCustomS2s DevicePostureRuleType = "custom_s2s"

type DiskEncryptionInput struct{…}

CheckDisks []CarbonblackInputoptional

List of volume names to be checked for encryption.

RequireAll booloptional

Whether to check all disks for encryption.

type DomainJoinedInput struct{…}

OperatingSystem DomainJoinedInputOperatingSystem

Operating System.

Domain stringoptional

Domain.

type FileInput struct{…}

OperatingSystem FileInputOperatingSystem

Operating system.

One of the following:

const FileInputOperatingSystemWindows FileInputOperatingSystem = "windows"

const FileInputOperatingSystemLinux FileInputOperatingSystem = "linux"

const FileInputOperatingSystemMac FileInputOperatingSystem = "mac"

Path string

File path.

Exists booloptional

Whether or not file exists.

Sha256 stringoptional

SHA-256.

Thumbprint stringoptional

Signing certificate thumbprint.

type FirewallInput struct{…}

Enabled bool

Enabled.

OperatingSystem FirewallInputOperatingSystem

Operating System.

One of the following:

const FirewallInputOperatingSystemWindows FirewallInputOperatingSystem = "windows"

const FirewallInputOperatingSystemMac FirewallInputOperatingSystem = "mac"

type IntuneInput struct{…}

ComplianceStatus IntuneInputComplianceStatus

Compliance Status.

One of the following:

const IntuneInputComplianceStatusCompliant IntuneInputComplianceStatus = "compliant"

const IntuneInputComplianceStatusNoncompliant IntuneInputComplianceStatus = "noncompliant"

const IntuneInputComplianceStatusUnknown IntuneInputComplianceStatus = "unknown"

const IntuneInputComplianceStatusNotapplicable IntuneInputComplianceStatus = "notapplicable"

const IntuneInputComplianceStatusIngraceperiod IntuneInputComplianceStatus = "ingraceperiod"

const IntuneInputComplianceStatusError IntuneInputComplianceStatus = "error"

ConnectionID string

Posture Integration ID.

type KolideInput struct{…}

ConnectionID string

Posture Integration ID.

CountOperator KolideInputCountOperator

Count Operator.

One of the following:

const KolideInputCountOperatorLess KolideInputCountOperator = "<"

const KolideInputCountOperatorLessOrEquals KolideInputCountOperator = "<="

const KolideInputCountOperatorGreater KolideInputCountOperator = ">"

const KolideInputCountOperatorGreaterOrEquals KolideInputCountOperator = ">="

const KolideInputCountOperatorEquals KolideInputCountOperator = "=="

IssueCount string

The Number of Issues.

type OSVersionInput struct{…}

OperatingSystem OSVersionInputOperatingSystem

Operating System.

Operator OSVersionInputOperator

Operator.

One of the following:

const OSVersionInputOperatorLess OSVersionInputOperator = "<"

const OSVersionInputOperatorLessOrEquals OSVersionInputOperator = "<="

const OSVersionInputOperatorGreater OSVersionInputOperator = ">"

const OSVersionInputOperatorGreaterOrEquals OSVersionInputOperator = ">="

const OSVersionInputOperatorEquals OSVersionInputOperator = "=="

Version string

Version of OS.

OSDistroName stringoptional

Operating System Distribution Name (linux only).

OSDistroRevision stringoptional

Version of OS Distribution (linux only).

OSVersionExtra stringoptional

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

type SentineloneInput struct{…}

OperatingSystem SentineloneInputOperatingSystem

Operating system.

One of the following:

const SentineloneInputOperatingSystemWindows SentineloneInputOperatingSystem = "windows"

const SentineloneInputOperatingSystemLinux SentineloneInputOperatingSystem = "linux"

const SentineloneInputOperatingSystemMac SentineloneInputOperatingSystem = "mac"

Path string

File path.

Sha256 stringoptional

SHA-256.

Thumbprint stringoptional

Signing certificate thumbprint.

type SentineloneS2sInput struct{…}

ConnectionID string

Posture Integration ID.

ActiveThreats float64optional

The Number of active threats.

Infected booloptional

Whether device is infected.

IsActive booloptional

Whether device is active.

NetworkStatus SentineloneS2sInputNetworkStatusoptional

Network status of device.

One of the following:

const SentineloneS2sInputNetworkStatusConnected SentineloneS2sInputNetworkStatus = "connected"

const SentineloneS2sInputNetworkStatusDisconnected SentineloneS2sInputNetworkStatus = "disconnected"

const SentineloneS2sInputNetworkStatusDisconnecting SentineloneS2sInputNetworkStatus = "disconnecting"

const SentineloneS2sInputNetworkStatusConnecting SentineloneS2sInputNetworkStatus = "connecting"

OperationalState SentineloneS2sInputOperationalStateoptional

Agent operational state.

One of the following:

const SentineloneS2sInputOperationalStateNa SentineloneS2sInputOperationalState = "na"

const SentineloneS2sInputOperationalStatePartiallyDisabled SentineloneS2sInputOperationalState = "partially_disabled"

const SentineloneS2sInputOperationalStateAutoFullyDisabled SentineloneS2sInputOperationalState = "auto_fully_disabled"

const SentineloneS2sInputOperationalStateFullyDisabled SentineloneS2sInputOperationalState = "fully_disabled"

const SentineloneS2sInputOperationalStateAutoPartiallyDisabled SentineloneS2sInputOperationalState = "auto_partially_disabled"

const SentineloneS2sInputOperationalStateDisabledError SentineloneS2sInputOperationalState = "disabled_error"

const SentineloneS2sInputOperationalStateDBCorruption SentineloneS2sInputOperationalState = "db_corruption"

Operator SentineloneS2sInputOperatoroptional

Operator.

One of the following:

const SentineloneS2sInputOperatorLess SentineloneS2sInputOperator = "<"

const SentineloneS2sInputOperatorLessOrEquals SentineloneS2sInputOperator = "<="

const SentineloneS2sInputOperatorGreater SentineloneS2sInputOperator = ">"

const SentineloneS2sInputOperatorGreaterOrEquals SentineloneS2sInputOperator = ">="

const SentineloneS2sInputOperatorEquals SentineloneS2sInputOperator = "=="

type TaniumInput struct{…}

ConnectionID string

Posture Integration ID.

EidLastSeen stringoptional

For more details on eid last seen, refer to the Tanium documentation.

Operator TaniumInputOperatoroptional

Operator to evaluate risk_level or eid_last_seen.

One of the following:

const TaniumInputOperatorLess TaniumInputOperator = "<"

const TaniumInputOperatorLessOrEquals TaniumInputOperator = "<="

const TaniumInputOperatorGreater TaniumInputOperator = ">"

const TaniumInputOperatorGreaterOrEquals TaniumInputOperator = ">="

const TaniumInputOperatorEquals TaniumInputOperator = "=="

RiskLevel TaniumInputRiskLeveloptional

For more details on risk level, refer to the Tanium documentation.

One of the following:

const TaniumInputRiskLevelLow TaniumInputRiskLevel = "low"

const TaniumInputRiskLevelMedium TaniumInputRiskLevel = "medium"

const TaniumInputRiskLevelHigh TaniumInputRiskLevel = "high"

const TaniumInputRiskLevelCritical TaniumInputRiskLevel = "critical"

ScoreOperator TaniumInputScoreOperatoroptional

Score Operator.

One of the following:

const TaniumInputScoreOperatorLess TaniumInputScoreOperator = "<"

const TaniumInputScoreOperatorLessOrEquals TaniumInputScoreOperator = "<="

const TaniumInputScoreOperatorGreater TaniumInputScoreOperator = ">"

const TaniumInputScoreOperatorGreaterOrEquals TaniumInputScoreOperator = ">="

const TaniumInputScoreOperatorEquals TaniumInputScoreOperator = "=="

TotalScore float64optional

For more details on total score, refer to the Tanium documentation.

type UniqueClientIDInput struct{…}

ID string

List ID.

OperatingSystem UniqueClientIDInputOperatingSystem

Operating System.

One of the following:

const UniqueClientIDInputOperatingSystemAndroid UniqueClientIDInputOperatingSystem = "android"

const UniqueClientIDInputOperatingSystemIos UniqueClientIDInputOperatingSystem = "ios"

const UniqueClientIDInputOperatingSystemChromeos UniqueClientIDInputOperatingSystem = "chromeos"

type WorkspaceOneInput struct{…}

ComplianceStatus WorkspaceOneInputComplianceStatus

Compliance Status.

One of the following:

const WorkspaceOneInputComplianceStatusCompliant WorkspaceOneInputComplianceStatus = "compliant"

const WorkspaceOneInputComplianceStatusNoncompliant WorkspaceOneInputComplianceStatus = "noncompliant"

const WorkspaceOneInputComplianceStatusUnknown WorkspaceOneInputComplianceStatus = "unknown"

ConnectionID string

Posture Integration ID.

Zero TrustDevicesPostureIntegrations

List your device posture integrations

client.ZeroTrust.Devices.Posture.Integrations.List(ctx, query) (*SinglePage[Integration], error)

GET/accounts/{account_id}/devices/posture/integration

Get device posture integration details

client.ZeroTrust.Devices.Posture.Integrations.Get(ctx, integrationID, query) (*Integration, error)

GET/accounts/{account_id}/devices/posture/integration/{integration_id}

Create a device posture integration

client.ZeroTrust.Devices.Posture.Integrations.New(ctx, params) (*Integration, error)

POST/accounts/{account_id}/devices/posture/integration

Update a device posture integration

client.ZeroTrust.Devices.Posture.Integrations.Edit(ctx, integrationID, params) (*Integration, error)

PATCH/accounts/{account_id}/devices/posture/integration/{integration_id}

Delete a device posture integration

client.ZeroTrust.Devices.Posture.Integrations.Delete(ctx, integrationID, body) (*unknown, error)

DELETE/accounts/{account_id}/devices/posture/integration/{integration_id}

ModelsExpand Collapse

type Integration struct{…}

ID stringoptional

API UUID.

maxLength36

Config IntegrationConfigoptional

The configuration object containing third-party integration information.

APIURL string

The Workspace One API URL provided in the Workspace One Admin Dashboard.

AuthURL string

The Workspace One Authorization URL depending on your region.

ClientID string

The Workspace One client ID provided in the Workspace One Admin Dashboard.

Interval stringoptional

The interval between each posture check with the third-party API. Use m for minutes (e.g. 5m) and h for hours (e.g. 12h).

Name stringoptional

The name of the device posture integration.

Type IntegrationTypeoptional

The type of device posture integration.

One of the following:

const IntegrationTypeWorkspaceOne IntegrationType = "workspace_one"

const IntegrationTypeCrowdstrikeS2s IntegrationType = "crowdstrike_s2s"

const IntegrationTypeUptycs IntegrationType = "uptycs"

const IntegrationTypeIntune IntegrationType = "intune"

const IntegrationTypeKolide IntegrationType = "kolide"

const IntegrationTypeTaniumS2s IntegrationType = "tanium_s2s"

const IntegrationTypeSentineloneS2s IntegrationType = "sentinelone_s2s"

const IntegrationTypeCustomS2s IntegrationType = "custom_s2s"

Zero TrustDevicesRevoke

Revoke devices (deprecated)

Deprecated

client.ZeroTrust.Devices.Revoke.New(ctx, params) (*unknown, error)

POST/accounts/{account_id}/devices/revoke

Zero TrustDevicesSettings

Get device settings for a Zero Trust account

client.ZeroTrust.Devices.Settings.Get(ctx, query) (*DeviceSettings, error)

GET/accounts/{account_id}/devices/settings

Update device settings for a Zero Trust account

client.ZeroTrust.Devices.Settings.Update(ctx, params) (*DeviceSettings, error)

PUT/accounts/{account_id}/devices/settings

Patch device settings for a Zero Trust account

client.ZeroTrust.Devices.Settings.Edit(ctx, params) (*DeviceSettings, error)

PATCH/accounts/{account_id}/devices/settings

Reset device settings for a Zero Trust account with defaults. This turns off all proxying.

client.ZeroTrust.Devices.Settings.Delete(ctx, body) (*DeviceSettings, error)

DELETE/accounts/{account_id}/devices/settings

ModelsExpand Collapse

type DeviceSettings struct{…}

DisableForTime float64optional

Sets the time limit, in seconds, that a user can use an override code to bypass WARP.

ExternalEmergencySignalEnabled booloptional

Controls whether the external emergency disconnect feature is enabled.

ExternalEmergencySignalFingerprint stringoptional

The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.

ExternalEmergencySignalInterval stringoptional

The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.

ExternalEmergencySignalURL stringoptional

The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.

GatewayProxyEnabled booloptional

Enable gateway proxy filtering on TCP.

GatewayUdpProxyEnabled booloptional

Enable gateway proxy filtering on UDP.

RootCertificateInstallationEnabled booloptional

Enable installation of cloudflare managed root certificate.

UseZtVirtualIP booloptional

Enable using CGNAT virtual IPv4.

Zero TrustDevicesUnrevoke

Unrevoke devices (deprecated)

Deprecated

client.ZeroTrust.Devices.Unrevoke.New(ctx, params) (*unknown, error)

POST/accounts/{account_id}/devices/unrevoke

Zero TrustDevicesOverride Codes

Get override codes (deprecated)

Deprecated

client.ZeroTrust.Devices.OverrideCodes.List(ctx, deviceID, query) (*SinglePage[DeviceOverrideCodeListResponse], error)

GET/accounts/{account_id}/devices/{device_id}/override_codes

Get override codes

client.ZeroTrust.Devices.OverrideCodes.Get(ctx, registrationID, query) (*DeviceOverrideCodeGetResponse, error)

GET/accounts/{account_id}/devices/registrations/{registration_id}/override_codes

Zero TrustIdentity Providers

List Access identity providers

client.ZeroTrust.IdentityProviders.List(ctx, params) (*V4PagePaginationArray[IdentityProviderListResponse], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Get an Access identity provider

client.ZeroTrust.IdentityProviders.Get(ctx, identityProviderID, query) (*IdentityProvider, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Add an Access identity provider

client.ZeroTrust.IdentityProviders.New(ctx, params) (*IdentityProvider, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers

Update an Access identity provider

client.ZeroTrust.IdentityProviders.Update(ctx, identityProviderID, params) (*IdentityProvider, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

Delete an Access identity provider

client.ZeroTrust.IdentityProviders.Delete(ctx, identityProviderID, body) (*IdentityProviderDeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}

ModelsExpand Collapse

type AzureAD struct{…}

Config AzureADConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

ConditionalAccessEnabled booloptional

Should Cloudflare try to load authentication contexts from your account

DirectoryID stringoptional

Your Azure directory uuid

EmailClaimName stringoptional

The claim name for email in the id_token response.

Prompt AzureADConfigPromptoptional

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

One of the following:

const AzureADConfigPromptLogin AzureADConfigPrompt = "login"

const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"

const AzureADConfigPromptNone AzureADConfigPrompt = "none"

SupportGroups booloptional

Should Cloudflare try to load groups from your account

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type GenericOAuthConfig struct{…}

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

type IdentityProvider interface{…}

One of the following:

type AzureAD struct{…}

Config AzureADConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

ConditionalAccessEnabled booloptional

Should Cloudflare try to load authentication contexts from your account

DirectoryID stringoptional

Your Azure directory uuid

EmailClaimName stringoptional

The claim name for email in the id_token response.

Prompt AzureADConfigPromptoptional

Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single-sign on. prompt=none is the opposite. It ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single-sign on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.

One of the following:

const AzureADConfigPromptLogin AzureADConfigPrompt = "login"

const AzureADConfigPromptSelectAccount AzureADConfigPrompt = "select_account"

const AzureADConfigPromptNone AzureADConfigPrompt = "none"

SupportGroups booloptional

Should Cloudflare try to load groups from your account

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessCentrify struct{…}

Config IdentityProviderAccessCentrifyConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

CentrifyAccount stringoptional

Your centrify account url

CentrifyAppID stringoptional

Your centrify app id

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessFacebook struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGitHub struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGoogle struct{…}

Config IdentityProviderAccessGoogleConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessGoogleApps struct{…}

Config IdentityProviderAccessGoogleAppsConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AppsDomain stringoptional

Your companies TLD

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessLinkedin struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOIDC struct{…}

Config IdentityProviderAccessOIDCConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AuthURL stringoptional

The authorization_endpoint URL of your IdP

CERTsURL stringoptional

The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

PKCEEnabled booloptional

Enable Proof Key for Code Exchange (PKCE)

Scopes []stringoptional

OAuth scopes

TokenURL stringoptional

The token_endpoint URL of your IdP

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOkta struct{…}

Config IdentityProviderAccessOktaConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

AuthorizationServerID stringoptional

Your okta authorization server id

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

OktaAccount stringoptional

Your okta account url

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOnelogin struct{…}

Config IdentityProviderAccessOneloginConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

OneloginAccount stringoptional

Your OneLogin account url

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessPingone struct{…}

Config IdentityProviderAccessPingoneConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Claims []stringoptional

Custom claims

ClientID stringoptional

Your OAuth Client ID

ClientSecret stringoptional

Your OAuth Client Secret

EmailClaimName stringoptional

The claim name for email in the id_token response.

PingEnvID stringoptional

Your PingOne environment identifier

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessSAML struct{…}

Config IdentityProviderAccessSAMLConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Attributes []stringoptional

A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.

EmailAttributeName stringoptional

The attribute name for email in the SAML response.

HeaderAttributes []IdentityProviderAccessSAMLConfigHeaderAttributeoptional

Add a list of attribute names that will be returned in the response header from the Access callback.

AttributeName stringoptional

attribute name from the IDP

HeaderName stringoptional

header that will be added on the request to the origin

IdPPublicCERTs []stringoptional

X509 certificate to verify the signature in the SAML authentication response

IssuerURL stringoptional

IdP Entity ID or Issuer URL

SignRequest booloptional

Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.

SSOTargetURL stringoptional

URL to send the SAML authentication requests to

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessYandex struct{…}

Config GenericOAuthConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderAccessOnetimepin struct{…}

Config IdentityProviderAccessOnetimepinConfig

The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our developer documentation.

RedirectURL stringoptional

Name string

The name of the identity provider, shown to users on the login page.

Type IdentityProviderType

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

ID stringoptional

UUID.

maxLength36

SCIMConfig IdentityProviderSCIMConfigoptional

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

type IdentityProviderSCIMConfig struct{…}

The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

Enabled booloptional

A flag to enable or disable SCIM for the identity provider.

IdentityUpdateBehavior IdentityProviderSCIMConfigIdentityUpdateBehavioroptional

Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.

One of the following:

const IdentityProviderSCIMConfigIdentityUpdateBehaviorAutomatic IdentityProviderSCIMConfigIdentityUpdateBehavior = "automatic"

const IdentityProviderSCIMConfigIdentityUpdateBehaviorReauth IdentityProviderSCIMConfigIdentityUpdateBehavior = "reauth"

const IdentityProviderSCIMConfigIdentityUpdateBehaviorNoAction IdentityProviderSCIMConfigIdentityUpdateBehavior = "no_action"

SCIMBaseURL stringoptional

The base URL of Cloudflare's SCIM V2.0 API endpoint.

SeatDeprovision booloptional

A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.

Secret stringoptional

A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.

UserDeprovision booloptional

A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

type IdentityProviderType string

The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.

One of the following:

const IdentityProviderTypeOnetimepin IdentityProviderType = "onetimepin"

const IdentityProviderTypeAzureAD IdentityProviderType = "azureAD"

const IdentityProviderTypeSAML IdentityProviderType = "saml"

const IdentityProviderTypeCentrify IdentityProviderType = "centrify"

const IdentityProviderTypeFacebook IdentityProviderType = "facebook"

const IdentityProviderTypeGitHub IdentityProviderType = "github"

const IdentityProviderTypeGoogleApps IdentityProviderType = "google-apps"

const IdentityProviderTypeGoogle IdentityProviderType = "google"

const IdentityProviderTypeLinkedin IdentityProviderType = "linkedin"

const IdentityProviderTypeOIDC IdentityProviderType = "oidc"

const IdentityProviderTypeOkta IdentityProviderType = "okta"

const IdentityProviderTypeOnelogin IdentityProviderType = "onelogin"

const IdentityProviderTypePingone IdentityProviderType = "pingone"

const IdentityProviderTypeYandex IdentityProviderType = "yandex"

Zero TrustIdentity ProvidersSCIM

Zero TrustIdentity ProvidersSCIMGroups

List SCIM Group resources

client.ZeroTrust.IdentityProviders.SCIM.Groups.List(ctx, identityProviderID, params) (*V4PagePaginationArray[ZeroTrustGroup], error)

GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups

Zero TrustIdentity ProvidersSCIMUsers

List SCIM User resources

client.ZeroTrust.IdentityProviders.SCIM.Users.List(ctx, identityProviderID, params) (*V4PagePaginationArray[AccessUser], error)

GET/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users

Zero TrustOrganizations

Get your Zero Trust organization

client.ZeroTrust.Organizations.List(ctx, query) (*Organization, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Create your Zero Trust organization

client.ZeroTrust.Organizations.New(ctx, params) (*Organization, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Update your Zero Trust organization

client.ZeroTrust.Organizations.Update(ctx, params) (*Organization, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Revoke all Access tokens for a user

client.ZeroTrust.Organizations.RevokeUsers(ctx, params) (*OrganizationRevokeUsersResponse, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user

ModelsExpand Collapse

type LoginDesign struct{…}

BackgroundColor stringoptional

The background color on your login page.

FooterText stringoptional

The text at the bottom of your login page.

HeaderText stringoptional

The text at the top of your login page.

LogoPath stringoptional

The URL of the logo on your login page.

TextColor stringoptional

The text color on your login page.

type Organization struct{…}

AllowAuthenticateViaWARP booloptional

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

AuthDomain stringoptional

The unique subdomain assigned to your Zero Trust organization.

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login.

CustomPages OrganizationCustomPagesoptional

Forbidden stringoptional

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

IdentityDenied stringoptional

The uid of the custom page to use when a user is denied access.

DenyUnmatchedRequests booloptional

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

DenyUnmatchedRequestsExemptedZoneNames []stringoptional

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

IsUIReadOnly booloptional

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

LoginDesign LoginDesignoptional

MfaConfig OrganizationMfaConfigoptional

Configures multi-factor authentication (MFA) settings for an organization.

AllowedAuthenticators []OrganizationMfaConfigAllowedAuthenticatoroptional

Lists the MFA methods that users can authenticate with.

One of the following:

const OrganizationMfaConfigAllowedAuthenticatorTotp OrganizationMfaConfigAllowedAuthenticator = "totp"

const OrganizationMfaConfigAllowedAuthenticatorBiometrics OrganizationMfaConfigAllowedAuthenticator = "biometrics"

const OrganizationMfaConfigAllowedAuthenticatorSecurityKey OrganizationMfaConfigAllowedAuthenticator = "security_key"

SessionDuration stringoptional

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

MfaRequiredForAllApps booloptional

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

Name stringoptional

The name of your Zero Trust organization.

SessionDuration stringoptional

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UIReadOnlyToggleReason stringoptional

A description of the reason why the UI read only field is being toggled.

UserSeatExpirationInactiveTime stringoptional

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

WARPAuthSessionDuration stringoptional

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

Zero TrustOrganizationsDOH

Get your Zero Trust organization DoH settings

client.ZeroTrust.Organizations.DOH.Get(ctx, query) (*OrganizationDOHGetResponse, error)

GET/accounts/{account_id}/access/organizations/doh

Update your Zero Trust organization DoH settings

client.ZeroTrust.Organizations.DOH.Update(ctx, params) (*OrganizationDOHUpdateResponse, error)

PUT/accounts/{account_id}/access/organizations/doh

Zero TrustSeats

Update a user seat

client.ZeroTrust.Seats.Edit(ctx, params) (*SinglePage[Seat], error)

PATCH/accounts/{account_id}/access/seats

ModelsExpand Collapse

type Seat struct{…}

AccessSeat booloptional

True if the seat is part of Access.

CreatedAt Timeoptional

formatdate-time

GatewaySeat booloptional

True if the seat is part of Gateway.

SeatUID stringoptional

The unique API identifier for the Zero Trust seat.

maxLength36

UpdatedAt Timeoptional

formatdate-time

Zero TrustAccess

Zero TrustAccessAI Controls

Zero TrustAccessAI ControlsMcp

Zero TrustAccessAI ControlsMcpPortals

List MCP Portals

client.ZeroTrust.Access.AIControls.Mcp.Portals.List(ctx, params) (*V4PagePaginationArray[AccessAIControlMcpPortalListResponse], error)

GET/accounts/{account_id}/access/ai-controls/mcp/portals

Create a new MCP Portal

client.ZeroTrust.Access.AIControls.Mcp.Portals.New(ctx, params) (*AccessAIControlMcpPortalNewResponse, error)

POST/accounts/{account_id}/access/ai-controls/mcp/portals

Read details of an MCP Portal

client.ZeroTrust.Access.AIControls.Mcp.Portals.Read(ctx, id, query) (*AccessAIControlMcpPortalReadResponse, error)

GET/accounts/{account_id}/access/ai-controls/mcp/portals/{id}

Update a MCP Portal

client.ZeroTrust.Access.AIControls.Mcp.Portals.Update(ctx, id, params) (*AccessAIControlMcpPortalUpdateResponse, error)

PUT/accounts/{account_id}/access/ai-controls/mcp/portals/{id}

Delete a MCP Portal

client.ZeroTrust.Access.AIControls.Mcp.Portals.Delete(ctx, id, body) (*AccessAIControlMcpPortalDeleteResponse, error)

DELETE/accounts/{account_id}/access/ai-controls/mcp/portals/{id}

Zero TrustAccessAI ControlsMcpServers

List MCP Servers

client.ZeroTrust.Access.AIControls.Mcp.Servers.List(ctx, params) (*V4PagePaginationArray[AccessAIControlMcpServerListResponse], error)

GET/accounts/{account_id}/access/ai-controls/mcp/servers

Create a new MCP Server

client.ZeroTrust.Access.AIControls.Mcp.Servers.New(ctx, params) (*AccessAIControlMcpServerNewResponse, error)

POST/accounts/{account_id}/access/ai-controls/mcp/servers

Read the details of a MCP Server

client.ZeroTrust.Access.AIControls.Mcp.Servers.Read(ctx, id, query) (*AccessAIControlMcpServerReadResponse, error)

GET/accounts/{account_id}/access/ai-controls/mcp/servers/{id}

Update a MCP Server

client.ZeroTrust.Access.AIControls.Mcp.Servers.Update(ctx, id, params) (*AccessAIControlMcpServerUpdateResponse, error)

PUT/accounts/{account_id}/access/ai-controls/mcp/servers/{id}

Delete a MCP Server

client.ZeroTrust.Access.AIControls.Mcp.Servers.Delete(ctx, id, body) (*AccessAIControlMcpServerDeleteResponse, error)

DELETE/accounts/{account_id}/access/ai-controls/mcp/servers/{id}

Sync MCP Server Capabilities

client.ZeroTrust.Access.AIControls.Mcp.Servers.Sync(ctx, id, body) (*AccessAIControlMcpServerSyncResponse, error)

POST/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync

Zero TrustAccessGateway CA

List SSH Certificate Authorities (CA)

client.ZeroTrust.Access.GatewayCA.List(ctx, query) (*SinglePage[AccessGatewayCAListResponse], error)

GET/accounts/{account_id}/access/gateway_ca

Add a new SSH Certificate Authority (CA)

client.ZeroTrust.Access.GatewayCA.New(ctx, body) (*AccessGatewayCANewResponse, error)

POST/accounts/{account_id}/access/gateway_ca

Delete an SSH Certificate Authority (CA)

client.ZeroTrust.Access.GatewayCA.Delete(ctx, certificateID, body) (*AccessGatewayCADeleteResponse, error)

DELETE/accounts/{account_id}/access/gateway_ca/{certificate_id}

Zero TrustAccessInfrastructure

Zero TrustAccessInfrastructureTargets

List all targets

client.ZeroTrust.Access.Infrastructure.Targets.List(ctx, params) (*V4PagePaginationArray[AccessInfrastructureTargetListResponse], error)

GET/accounts/{account_id}/infrastructure/targets

Get target

client.ZeroTrust.Access.Infrastructure.Targets.Get(ctx, targetID, query) (*AccessInfrastructureTargetGetResponse, error)

GET/accounts/{account_id}/infrastructure/targets/{target_id}

Create new target

client.ZeroTrust.Access.Infrastructure.Targets.New(ctx, params) (*AccessInfrastructureTargetNewResponse, error)

POST/accounts/{account_id}/infrastructure/targets

Update target

client.ZeroTrust.Access.Infrastructure.Targets.Update(ctx, targetID, params) (*AccessInfrastructureTargetUpdateResponse, error)

PUT/accounts/{account_id}/infrastructure/targets/{target_id}

Delete target

client.ZeroTrust.Access.Infrastructure.Targets.Delete(ctx, targetID, body) error

DELETE/accounts/{account_id}/infrastructure/targets/{target_id}

Create new targets

client.ZeroTrust.Access.Infrastructure.Targets.BulkUpdate(ctx, params) (*SinglePage[AccessInfrastructureTargetBulkUpdateResponse], error)

PUT/accounts/{account_id}/infrastructure/targets/batch

Delete targets (Deprecated)

Deprecated

client.ZeroTrust.Access.Infrastructure.Targets.BulkDelete(ctx, body) error

DELETE/accounts/{account_id}/infrastructure/targets/batch

Delete targets

client.ZeroTrust.Access.Infrastructure.Targets.BulkDeleteV2(ctx, params) error

POST/accounts/{account_id}/infrastructure/targets/batch_delete

Zero TrustAccessApplications

List Access applications

client.ZeroTrust.Access.Applications.List(ctx, params) (*V4PagePaginationArray[AccessApplicationListResponse], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps

Get an Access application

client.ZeroTrust.Access.Applications.Get(ctx, appID, query) (*AccessApplicationGetResponse, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}

Add an Access application

client.ZeroTrust.Access.Applications.New(ctx, params) (*AccessApplicationNewResponse, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/apps

Update an Access application

client.ZeroTrust.Access.Applications.Update(ctx, appID, params) (*AccessApplicationUpdateResponse, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}

Delete an Access application

client.ZeroTrust.Access.Applications.Delete(ctx, appID, body) (*AccessApplicationDeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}

Revoke application tokens

client.ZeroTrust.Access.Applications.RevokeTokens(ctx, appID, body) (*AccessApplicationRevokeTokensResponse, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens

ModelsExpand Collapse

type AllowedHeaders string

type AllowedIdPs string

The identity providers selected for application.

type AllowedMethods string

One of the following:

const AllowedMethodsGet AllowedMethods = "GET"

const AllowedMethodsPost AllowedMethods = "POST"

const AllowedMethodsHead AllowedMethods = "HEAD"

const AllowedMethodsPut AllowedMethods = "PUT"

const AllowedMethodsDelete AllowedMethods = "DELETE"

const AllowedMethodsConnect AllowedMethods = "CONNECT"

const AllowedMethodsOptions AllowedMethods = "OPTIONS"

const AllowedMethodsTrace AllowedMethods = "TRACE"

const AllowedMethodsPatch AllowedMethods = "PATCH"

type AllowedOrigins string

type AppID string

Identifier.

type Application interface{…}

One of the following:

ApplicationSelfHostedApplication

Domain string

The domain and path that Access will secure.

Type string

The application type.

ID stringoptional

UUID.

maxLength36

AllowIframe booloptional

Enables loading application content in an iFrame.

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders ApplicationSelfHostedApplicationCORSHeadersoptional

AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []unknownoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:

const AllowedMethodsGet AllowedMethods = "GET"

const AllowedMethodsPost AllowedMethods = "POST"

const AllowedMethodsHead AllowedMethods = "HEAD"

const AllowedMethodsPut AllowedMethods = "PUT"

const AllowedMethodsDelete AllowedMethods = "DELETE"

const AllowedMethodsConnect AllowedMethods = "CONNECT"

const AllowedMethodsOptions AllowedMethods = "OPTIONS"

const AllowedMethodsTrace AllowedMethods = "TRACE"

const AllowedMethodsPatch AllowedMethods = "PATCH"

AllowedOrigins []unknownoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum86400

minimum-1

CreatedAt Timeoptional

formatdate-time

CustomDenyMessage stringoptional

The custom error message shown to a user when they are denied access to the application.

CustomDenyURL stringoptional

The custom URL a user is redirected to when they are denied access to the application.

EnableBindingCookie booloptional

Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.

HTTPOnlyCookieAttribute booloptional

Enables the HttpOnly cookie attribute, which increases security against XSS attacks.

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

OptionsPreflightBypass booloptional

Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.

SameSiteCookieAttribute stringoptional

Sets the SameSite cookie setting, which provides increased security against CSRF attacks.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ServiceAuth401Redirect booloptional

Returns a 401 status code when the request is blocked by a Service Auth policy.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

SkipInterstitial booloptional

Enables automatic authentication through cloudflared.

UpdatedAt Timeoptional

formatdate-time

UseClientlessIsolationAppLauncherURL booloptional

Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

ApplicationSaaSApplication

ID stringoptional

UUID.

maxLength36

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional

formatdate-time

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

SaaSApp ApplicationSaaSApplicationSaaSAppoptional

One of the following:

ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSApp

AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeoptional

Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml"

One of the following:

const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "saml"

const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppAuthType = "oidc"

ConsumerServiceURL stringoptional

The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.

CreatedAt Timeoptional

formatdate-time

CustomAttributes []ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributeoptional

FriendlyName stringoptional

The SAML FriendlyName of the attribute.

Name stringoptional

The name of the attribute.

NameFormat ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatoptional

A globally unique name for an identity or service provider.

One of the following:

const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

const ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

Required booloptional

If the attribute is required when building a SAML assertion.

Source ApplicationSaaSApplicationSaaSAppAccessSchemasSAMLSaaSAppCustomAttributesSourceoptional

Name stringoptional

The name of the IdP attribute.

NameByIdP map[string, string]optional

A mapping from IdP ID to attribute name.

IdPEntityID stringoptional

The unique identifier for your SaaS application.

NameIDFormat SaaSAppNameIDFormatoptional

The format of the name identifier sent to the SaaS application.

NameIDTransformJsonata stringoptional

A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.

PublicKey stringoptional

The Access public certificate that will be used to verify your identity.

SPEntityID stringoptional

A globally unique name for an identity or service provider.

SSOEndpoint stringoptional

The endpoint where your SaaS application will send login requests.

UpdatedAt Timeoptional

formatdate-time

ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSApp

AccessTokenLifetime stringoptional

The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.

AllowPKCEWithoutClientSecret booloptional

If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.

AppLauncherURL stringoptional

The URL where this applications tile redirects users

AuthType ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeoptional

Identifier of the authentication protocol used for the saas app. Required for OIDC.

One of the following:

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "saml"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppAuthType = "oidc"

ClientID stringoptional

The application client id

ClientSecret stringoptional

The application client secret, only returned on POST request.

CreatedAt Timeoptional

formatdate-time

CustomClaims []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimoptional

Name stringoptional

The name of the claim.

Required booloptional

If the claim is required when building an OIDC token.

Scope ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeoptional

The scope of the claim.

One of the following:

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "groups"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "profile"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "email"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsScope = "openid"

Source ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSourceoptional

Name stringoptional

The name of the IdP claim.

NameByIdP []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppCustomClaimsSourceNameByIdPoptional

A mapping from IdP ID to attribute name.

IdPID stringoptional

The UID of the IdP.

SourceName stringoptional

The name of the IdP provided attribute.

GrantTypes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeoptional

The OIDC flows supported by this application

One of the following:

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCode ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "authorization_code_with_pkce"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeRefreshTokens ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "refresh_tokens"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeHybrid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "hybrid"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantTypeImplicit ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppGrantType = "implicit"

GroupFilterRegex stringoptional

A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.

HybridAndImplicitOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppHybridAndImplicitOptionsoptional

ReturnAccessTokenFromAuthorizationEndpoint booloptional

If an Access Token should be returned from the OIDC Authorization endpoint

ReturnIDTokenFromAuthorizationEndpoint booloptional

If an ID Token should be returned from the OIDC Authorization endpoint

PublicKey stringoptional

The Access public certificate that will be used to verify your identity.

RedirectURIs []stringoptional

The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens

RefreshTokenOptions ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppRefreshTokenOptionsoptional

Lifetime stringoptional

How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

Scopes []ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeoptional

Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled

One of the following:

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeOpenid ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "openid"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeGroups ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "groups"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeEmail ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "email"

const ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScopeProfile ApplicationSaaSApplicationSaaSAppAccessSchemasOIDCSaaSAppScope = "profile"

UpdatedAt Timeoptional

formatdate-time

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

Type stringoptional

The application type.

UpdatedAt Timeoptional

formatdate-time

ApplicationBrowserSSHApplication

Domain string

The domain and path that Access will secure.

Type string

The application type.

ID stringoptional

UUID.

maxLength36

AllowIframe booloptional

Enables loading application content in an iFrame.

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders ApplicationBrowserSSHApplicationCORSHeadersoptional

AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []unknownoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:

const AllowedMethodsGet AllowedMethods = "GET"

const AllowedMethodsPost AllowedMethods = "POST"

const AllowedMethodsHead AllowedMethods = "HEAD"

const AllowedMethodsPut AllowedMethods = "PUT"

const AllowedMethodsDelete AllowedMethods = "DELETE"

const AllowedMethodsConnect AllowedMethods = "CONNECT"

const AllowedMethodsOptions AllowedMethods = "OPTIONS"

const AllowedMethodsTrace AllowedMethods = "TRACE"

const AllowedMethodsPatch AllowedMethods = "PATCH"

AllowedOrigins []unknownoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum86400

minimum-1

CreatedAt Timeoptional

formatdate-time

CustomDenyMessage stringoptional

The custom error message shown to a user when they are denied access to the application.

CustomDenyURL stringoptional

The custom URL a user is redirected to when they are denied access to the application.

EnableBindingCookie booloptional

Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.

HTTPOnlyCookieAttribute booloptional

Enables the HttpOnly cookie attribute, which increases security against XSS attacks.

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

OptionsPreflightBypass booloptional

Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.

SameSiteCookieAttribute stringoptional

Sets the SameSite cookie setting, which provides increased security against CSRF attacks.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ServiceAuth401Redirect booloptional

Returns a 401 status code when the request is blocked by a Service Auth policy.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

SkipInterstitial booloptional

Enables automatic authentication through cloudflared.

UpdatedAt Timeoptional

formatdate-time

UseClientlessIsolationAppLauncherURL booloptional

Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

ApplicationBrowserVNCApplication

Domain string

The domain and path that Access will secure.

Type string

The application type.

ID stringoptional

UUID.

maxLength36

AllowIframe booloptional

Enables loading application content in an iFrame.

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

AUD stringoptional

Audience tag.

maxLength64

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders ApplicationBrowserVNCApplicationCORSHeadersoptional

AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []unknownoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:

const AllowedMethodsGet AllowedMethods = "GET"

const AllowedMethodsPost AllowedMethods = "POST"

const AllowedMethodsHead AllowedMethods = "HEAD"

const AllowedMethodsPut AllowedMethods = "PUT"

const AllowedMethodsDelete AllowedMethods = "DELETE"

const AllowedMethodsConnect AllowedMethods = "CONNECT"

const AllowedMethodsOptions AllowedMethods = "OPTIONS"

const AllowedMethodsTrace AllowedMethods = "TRACE"

const AllowedMethodsPatch AllowedMethods = "PATCH"

AllowedOrigins []unknownoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum86400

minimum-1

CreatedAt Timeoptional

formatdate-time

CustomDenyMessage stringoptional

The custom error message shown to a user when they are denied access to the application.

CustomDenyURL stringoptional

The custom URL a user is redirected to when they are denied access to the application.

EnableBindingCookie booloptional

Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.

HTTPOnlyCookieAttribute booloptional

Enables the HttpOnly cookie attribute, which increases security against XSS attacks.

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

OptionsPreflightBypass booloptional

Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.

SameSiteCookieAttribute stringoptional

Sets the SameSite cookie setting, which provides increased security against CSRF attacks.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

ServiceAuth401Redirect booloptional

Returns a 401 status code when the request is blocked by a Service Auth policy.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

SkipInterstitial booloptional

Enables automatic authentication through cloudflared.

UpdatedAt Timeoptional

formatdate-time

UseClientlessIsolationAppLauncherURL booloptional

Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

ApplicationAppLauncherApplication

Type ApplicationAppLauncherApplicationType

The application type.

One of the following:

const ApplicationAppLauncherApplicationTypeSelfHosted ApplicationAppLauncherApplicationType = "self_hosted"

const ApplicationAppLauncherApplicationTypeSaaS ApplicationAppLauncherApplicationType = "saas"

const ApplicationAppLauncherApplicationTypeSSH ApplicationAppLauncherApplicationType = "ssh"

const ApplicationAppLauncherApplicationTypeVNC ApplicationAppLauncherApplicationType = "vnc"

const ApplicationAppLauncherApplicationTypeAppLauncher ApplicationAppLauncherApplicationType = "app_launcher"

const ApplicationAppLauncherApplicationTypeWARP ApplicationAppLauncherApplicationType = "warp"

const ApplicationAppLauncherApplicationTypeBISO ApplicationAppLauncherApplicationType = "biso"

const ApplicationAppLauncherApplicationTypeBookmark ApplicationAppLauncherApplicationType = "bookmark"

const ApplicationAppLauncherApplicationTypeDashSSO ApplicationAppLauncherApplicationType = "dash_sso"

ID stringoptional

UUID.

maxLength36

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AUD stringoptional

Audience tag.

maxLength64

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional

formatdate-time

Domain stringoptional

The domain and path that Access will secure.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional

formatdate-time

ApplicationDeviceEnrollmentPermissionsApplication

Type ApplicationDeviceEnrollmentPermissionsApplicationType

The application type.

One of the following:

const ApplicationDeviceEnrollmentPermissionsApplicationTypeSelfHosted ApplicationDeviceEnrollmentPermissionsApplicationType = "self_hosted"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeSaaS ApplicationDeviceEnrollmentPermissionsApplicationType = "saas"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeSSH ApplicationDeviceEnrollmentPermissionsApplicationType = "ssh"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeVNC ApplicationDeviceEnrollmentPermissionsApplicationType = "vnc"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeAppLauncher ApplicationDeviceEnrollmentPermissionsApplicationType = "app_launcher"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeWARP ApplicationDeviceEnrollmentPermissionsApplicationType = "warp"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeBISO ApplicationDeviceEnrollmentPermissionsApplicationType = "biso"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeBookmark ApplicationDeviceEnrollmentPermissionsApplicationType = "bookmark"

const ApplicationDeviceEnrollmentPermissionsApplicationTypeDashSSO ApplicationDeviceEnrollmentPermissionsApplicationType = "dash_sso"

ID stringoptional

UUID.

maxLength36

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AUD stringoptional

Audience tag.

maxLength64

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional

formatdate-time

Domain stringoptional

The domain and path that Access will secure.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional

formatdate-time

ApplicationBrowserIsolationPermissionsApplication

Type ApplicationBrowserIsolationPermissionsApplicationType

The application type.

One of the following:

const ApplicationBrowserIsolationPermissionsApplicationTypeSelfHosted ApplicationBrowserIsolationPermissionsApplicationType = "self_hosted"

const ApplicationBrowserIsolationPermissionsApplicationTypeSaaS ApplicationBrowserIsolationPermissionsApplicationType = "saas"

const ApplicationBrowserIsolationPermissionsApplicationTypeSSH ApplicationBrowserIsolationPermissionsApplicationType = "ssh"

const ApplicationBrowserIsolationPermissionsApplicationTypeVNC ApplicationBrowserIsolationPermissionsApplicationType = "vnc"

const ApplicationBrowserIsolationPermissionsApplicationTypeAppLauncher ApplicationBrowserIsolationPermissionsApplicationType = "app_launcher"

const ApplicationBrowserIsolationPermissionsApplicationTypeWARP ApplicationBrowserIsolationPermissionsApplicationType = "warp"

const ApplicationBrowserIsolationPermissionsApplicationTypeBISO ApplicationBrowserIsolationPermissionsApplicationType = "biso"

const ApplicationBrowserIsolationPermissionsApplicationTypeBookmark ApplicationBrowserIsolationPermissionsApplicationType = "bookmark"

const ApplicationBrowserIsolationPermissionsApplicationTypeDashSSO ApplicationBrowserIsolationPermissionsApplicationType = "dash_sso"

ID stringoptional

UUID.

maxLength36

AllowedIdPs []AllowedIdPsoptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AUD stringoptional

Audience tag.

maxLength64

AutoRedirectToIdentity booloptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CreatedAt Timeoptional

formatdate-time

Domain stringoptional

The domain and path that Access will secure.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

SessionDuration stringoptional

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional

formatdate-time

ApplicationBookmarkApplication

Domain string

The URL or domain of the bookmark.

Type string

The application type.

ID stringoptional

UUID.

maxLength36

AppLauncherVisible unknownoptional

AUD stringoptional

Audience tag.

maxLength64

CreatedAt Timeoptional

formatdate-time

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the application.

SCIMConfig ApplicationSCIMConfigoptional

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

UpdatedAt Timeoptional

formatdate-time

type ApplicationPolicy struct{…}

ID stringoptional

The UUID of the policy

maxLength36

ApprovalGroups []ApprovalGroupoptional

Administrators who can approve a temporary authentication request.

ApprovalsNeeded float64

The number of approvals needed to obtain access.

minimum0

EmailAddresses []stringoptional

A list of emails that can approve the access request.

EmailListUUID stringoptional

The UUID of an re-usable email list.

ApprovalRequired booloptional

Requires the user to request access from an administrator at the start of each session.

ConnectionRules ApplicationPolicyConnectionRulesoptional

The rules that define how users may connect to targets secured by your application.

RDP ApplicationPolicyConnectionRulesRDPoptional

The RDP-specific rules that define clipboard behavior for RDP connections.

AllowedClipboardLocalToRemoteFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardLocalToRemoteFormatoptional

Clipboard formats allowed when copying from local machine to remote RDP session.

AllowedClipboardRemoteToLocalFormats []ApplicationPolicyConnectionRulesRDPAllowedClipboardRemoteToLocalFormatoptional

Clipboard formats allowed when copying from remote RDP session to local machine.

CreatedAt Timeoptional

formatdate-time

Decision Decisionoptional

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

Exclude []AccessRuleoptional

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user's risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

Include []AccessRuleoptional

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user's risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

IsolationRequired booloptional

Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.

MfaConfig ApplicationPolicyMfaConfigoptional

Configures multi-factor authentication (MFA) settings.

AllowedAuthenticators []ApplicationPolicyMfaConfigAllowedAuthenticatoroptional

Lists the MFA methods that users can authenticate with.

One of the following:

const ApplicationPolicyMfaConfigAllowedAuthenticatorTotp ApplicationPolicyMfaConfigAllowedAuthenticator = "totp"

const ApplicationPolicyMfaConfigAllowedAuthenticatorBiometrics ApplicationPolicyMfaConfigAllowedAuthenticator = "biometrics"

const ApplicationPolicyMfaConfigAllowedAuthenticatorSecurityKey ApplicationPolicyMfaConfigAllowedAuthenticator = "security_key"

MfaDisabled booloptional

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

SessionDuration stringoptional

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

Name stringoptional

The name of the Access policy.

PurposeJustificationPrompt stringoptional

A custom message that will appear on the purpose justification screen.

PurposeJustificationRequired booloptional

Require users to enter a justification when they log in to the application.

Require []AccessRuleoptional

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user's risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

SessionDuration stringoptional

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

UpdatedAt Timeoptional

formatdate-time

type ApplicationSCIMConfig struct{…}

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

IdPUID string

The UID of the IdP to use as the source for SCIM resources to provision to this application.

RemoteURI string

The base URI for the application's SCIM-compatible API.

Authentication ApplicationSCIMConfigAuthenticationUnionoptional

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

One of the following:

type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken

Token string

Token used to authenticate with the remote SCIM service.

Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remove SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []stringoptional

The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.

ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken

ClientID string

Client ID of the Access service token used to authenticate with the remote service.

ClientSecret string

Client secret of the Access service token used to authenticate with the remote service.

Scheme ApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme

The authentication scheme to use when making SCIM requests to this application.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthentication

One of the following:

type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerToken

Token string

Token used to authenticate with the remote SCIM service.

Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSchemasSCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remove SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []stringoptional

The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.

ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken

ClientID string

Client ID of the Access service token used to authenticate with the remote service.

ClientSecret string

Client secret of the Access service token used to authenticate with the remote service.

Scheme ApplicationSCIMConfigAuthenticationAccessSchemasSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme

The authentication scheme to use when making SCIM requests to this application.

DeactivateOnDelete booloptional

If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.

Enabled booloptional

Whether SCIM provisioning is turned on for this application.

Mappings []SCIMConfigMappingoptional

A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

Schema string

Which SCIM resource type this mapping applies to.

Enabled booloptional

Whether or not this mapping is enabled.

Filter stringoptional

A SCIM filter expression that matches resources that should be provisioned to this application.

Operations SCIMConfigMappingOperationsoptional

Whether or not this mapping applies to creates, updates, or deletes.

Create booloptional

Whether or not this mapping applies to create (POST) operations.

Delete booloptional

Whether or not this mapping applies to DELETE operations.

Update booloptional

Whether or not this mapping applies to update (PATCH/PUT) operations.

Strictness SCIMConfigMappingStrictnessoptional

The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.

One of the following:

const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"

const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"

TransformJsonata stringoptional

A JSONata expression that transforms the resource before provisioning it in the application.

type ApplicationType string

The application type.

One of the following:

const ApplicationTypeSelfHosted ApplicationType = "self_hosted"

const ApplicationTypeSaaS ApplicationType = "saas"

const ApplicationTypeSSH ApplicationType = "ssh"

const ApplicationTypeVNC ApplicationType = "vnc"

const ApplicationTypeAppLauncher ApplicationType = "app_launcher"

const ApplicationTypeWARP ApplicationType = "warp"

const ApplicationTypeBISO ApplicationType = "biso"

const ApplicationTypeBookmark ApplicationType = "bookmark"

const ApplicationTypeDashSSO ApplicationType = "dash_sso"

const ApplicationTypeInfrastructure ApplicationType = "infrastructure"

const ApplicationTypeRDP ApplicationType = "rdp"

const ApplicationTypeMcp ApplicationType = "mcp"

const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"

const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"

type CORSHeaders struct{…}

AllowAllHeaders booloptional

Allows all HTTP request headers.

AllowAllMethods booloptional

Allows all HTTP request methods.

AllowAllOrigins booloptional

Allows all origins.

AllowCredentials booloptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []AllowedHeadersoptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsoptional

Allowed HTTP request methods.

One of the following:

const AllowedMethodsGet AllowedMethods = "GET"

const AllowedMethodsPost AllowedMethods = "POST"

const AllowedMethodsHead AllowedMethods = "HEAD"

const AllowedMethodsPut AllowedMethods = "PUT"

const AllowedMethodsDelete AllowedMethods = "DELETE"

const AllowedMethodsConnect AllowedMethods = "CONNECT"

const AllowedMethodsOptions AllowedMethods = "OPTIONS"

const AllowedMethodsTrace AllowedMethods = "TRACE"

const AllowedMethodsPatch AllowedMethods = "PATCH"

AllowedOrigins []AllowedOriginsoptional

Allowed origins.

MaxAge float64optional

The maximum number of seconds the results of a preflight request can be cached.

maximum86400

minimum-1

type Decision string

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

One of the following:

const DecisionAllow Decision = "allow"

const DecisionDeny Decision = "deny"

const DecisionNonIdentity Decision = "non_identity"

const DecisionBypass Decision = "bypass"

type OIDCSaaSApp struct{…}

AccessTokenLifetime stringoptional

The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.

AllowPKCEWithoutClientSecret booloptional

If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.

AppLauncherURL stringoptional

The URL where this applications tile redirects users

AuthType OIDCSaaSAppAuthTypeoptional

Identifier of the authentication protocol used for the saas app. Required for OIDC.

One of the following:

const OIDCSaaSAppAuthTypeSAML OIDCSaaSAppAuthType = "saml"

const OIDCSaaSAppAuthTypeOIDC OIDCSaaSAppAuthType = "oidc"

ClientID stringoptional

The application client id

ClientSecret stringoptional

The application client secret, only returned on POST request.

CustomClaims []OIDCSaaSAppCustomClaimoptional

Name stringoptional

The name of the claim.

Required booloptional

If the claim is required when building an OIDC token.

Scope OIDCSaaSAppCustomClaimsScopeoptional

The scope of the claim.

One of the following:

const OIDCSaaSAppCustomClaimsScopeGroups OIDCSaaSAppCustomClaimsScope = "groups"

const OIDCSaaSAppCustomClaimsScopeProfile OIDCSaaSAppCustomClaimsScope = "profile"

const OIDCSaaSAppCustomClaimsScopeEmail OIDCSaaSAppCustomClaimsScope = "email"

const OIDCSaaSAppCustomClaimsScopeOpenid OIDCSaaSAppCustomClaimsScope = "openid"

Source OIDCSaaSAppCustomClaimsSourceoptional

Name stringoptional

The name of the IdP claim.

NameByIdP map[string, string]optional

A mapping from IdP ID to claim name.

GrantTypes []OIDCSaaSAppGrantTypeoptional

The OIDC flows supported by this application

One of the following:

const OIDCSaaSAppGrantTypeAuthorizationCode OIDCSaaSAppGrantType = "authorization_code"

const OIDCSaaSAppGrantTypeAuthorizationCodeWithPKCE OIDCSaaSAppGrantType = "authorization_code_with_pkce"

const OIDCSaaSAppGrantTypeRefreshTokens OIDCSaaSAppGrantType = "refresh_tokens"

const OIDCSaaSAppGrantTypeHybrid OIDCSaaSAppGrantType = "hybrid"

const OIDCSaaSAppGrantTypeImplicit OIDCSaaSAppGrantType = "implicit"

GroupFilterRegex stringoptional

A regex to filter Cloudflare groups returned in ID token and userinfo endpoint

HybridAndImplicitOptions OIDCSaaSAppHybridAndImplicitOptionsoptional

ReturnAccessTokenFromAuthorizationEndpoint booloptional

If an Access Token should be returned from the OIDC Authorization endpoint

ReturnIDTokenFromAuthorizationEndpoint booloptional

If an ID Token should be returned from the OIDC Authorization endpoint

PublicKey stringoptional

The Access public certificate that will be used to verify your identity.

RedirectURIs []stringoptional

The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens

RefreshTokenOptions OIDCSaaSAppRefreshTokenOptionsoptional

Lifetime stringoptional

How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.

Scopes []OIDCSaaSAppScopeoptional

Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled

One of the following:

const OIDCSaaSAppScopeOpenid OIDCSaaSAppScope = "openid"

const OIDCSaaSAppScopeGroups OIDCSaaSAppScope = "groups"

const OIDCSaaSAppScopeEmail OIDCSaaSAppScope = "email"

const OIDCSaaSAppScopeProfile OIDCSaaSAppScope = "profile"

type SaaSAppNameIDFormat string

The format of the name identifier sent to the SaaS application.

One of the following:

const SaaSAppNameIDFormatID SaaSAppNameIDFormat = "id"

const SaaSAppNameIDFormatEmail SaaSAppNameIDFormat = "email"

type SAMLSaaSApp struct{…}

AuthType SAMLSaaSAppAuthTypeoptional

Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml"

One of the following:

const SAMLSaaSAppAuthTypeSAML SAMLSaaSAppAuthType = "saml"

const SAMLSaaSAppAuthTypeOIDC SAMLSaaSAppAuthType = "oidc"

ConsumerServiceURL stringoptional

The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.

CustomAttributes []SAMLSaaSAppCustomAttributeoptional

FriendlyName stringoptional

The SAML FriendlyName of the attribute.

Name stringoptional

The name of the attribute.

NameFormat SAMLSaaSAppCustomAttributesNameFormatoptional

A globally unique name for an identity or service provider.

One of the following:

const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatUnspecified SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatBasic SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

const SAMLSaaSAppCustomAttributesNameFormatUrnOasisNamesTcSAML2_0AttrnameFormatURI SAMLSaaSAppCustomAttributesNameFormat = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

Required booloptional

If the attribute is required when building a SAML assertion.

Source SAMLSaaSAppCustomAttributesSourceoptional

Name stringoptional

The name of the IdP attribute.

NameByIdP []SAMLSaaSAppCustomAttributesSourceNameByIdPoptional

A mapping from IdP ID to attribute name.

IdPID stringoptional

The UID of the IdP.

SourceName stringoptional

The name of the IdP provided attribute.

DefaultRelayState stringoptional

The URL that the user will be redirected to after a successful login for IDP initiated logins.

IdPEntityID stringoptional

The unique identifier for your SaaS application.

NameIDFormat SaaSAppNameIDFormatoptional

The format of the name identifier sent to the SaaS application.

NameIDTransformJsonata stringoptional

A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.

PublicKey stringoptional

The Access public certificate that will be used to verify your identity.

SAMLAttributeTransformJsonata stringoptional

A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.

SPEntityID stringoptional

A globally unique name for an identity or service provider.

SSOEndpoint stringoptional

The endpoint where your SaaS application will send login requests.

type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

type SCIMConfigAuthenticationOAuthBearerToken struct{…}

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

Token string

Token used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remove SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []stringoptional

The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.

type SCIMConfigMapping struct{…}

Transformations and filters applied to resources before they are provisioned in the remote SCIM service.

Schema string

Which SCIM resource type this mapping applies to.

Enabled booloptional

Whether or not this mapping is enabled.

Filter stringoptional

A SCIM filter expression that matches resources that should be provisioned to this application.

Operations SCIMConfigMappingOperationsoptional

Whether or not this mapping applies to creates, updates, or deletes.

Create booloptional

Whether or not this mapping applies to create (POST) operations.

Delete booloptional

Whether or not this mapping applies to DELETE operations.

Update booloptional

Whether or not this mapping applies to update (PATCH/PUT) operations.

Strictness SCIMConfigMappingStrictnessoptional

The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.

One of the following:

const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"

const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"

TransformJsonata stringoptional

A JSONata expression that transforms the resource before provisioning it in the application.

type SelfHostedDomains string

A domain that Access will secure.

Zero TrustAccessApplicationsCAs

List short-lived certificate CAs

client.ZeroTrust.Access.Applications.CAs.List(ctx, params) (*V4PagePaginationArray[CA], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca

Get a short-lived certificate CA

client.ZeroTrust.Access.Applications.CAs.Get(ctx, appID, query) (*CA, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca

Create a short-lived certificate CA

client.ZeroTrust.Access.Applications.CAs.New(ctx, appID, body) (*CA, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca

Delete a short-lived certificate CA

client.ZeroTrust.Access.Applications.CAs.Delete(ctx, appID, body) (*AccessApplicationCADeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca

ModelsExpand Collapse

type CA struct{…}

ID stringoptional

The ID of the CA.

maxLength48

AUD stringoptional

The Application Audience (AUD) tag. Identifies the application associated with the CA.

maxLength64

PublicKey stringoptional

The public key to add to your SSH server configuration.

Zero TrustAccessApplicationsUser Policy Checks

Test Access policies

client.ZeroTrust.Access.Applications.UserPolicyChecks.List(ctx, appID, query) (*AccessApplicationUserPolicyCheckListResponse, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks

ModelsExpand Collapse

type UserPolicyCheckGeo struct{…}

Country stringoptional

Zero TrustAccessApplicationsPolicies

List Access application policies

client.ZeroTrust.Access.Applications.Policies.List(ctx, appID, params) (*V4PagePaginationArray[AccessApplicationPolicyListResponse], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies

Get an Access application policy

client.ZeroTrust.Access.Applications.Policies.Get(ctx, appID, policyID, query) (*AccessApplicationPolicyGetResponse, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Create an Access application policy

client.ZeroTrust.Access.Applications.Policies.New(ctx, appID, params) (*AccessApplicationPolicyNewResponse, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies

Update an Access application policy

client.ZeroTrust.Access.Applications.Policies.Update(ctx, appID, policyID, params) (*AccessApplicationPolicyUpdateResponse, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Delete an Access application policy

client.ZeroTrust.Access.Applications.Policies.Delete(ctx, appID, policyID, body) (*AccessApplicationPolicyDeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

ModelsExpand Collapse

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type AccessRule interface{…}

Matches an Access group.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user's risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

Zero TrustAccessApplicationsPolicy Tests

Get the current status of a given Access policy test

client.ZeroTrust.Access.Applications.PolicyTests.Get(ctx, policyTestID, query) (*AccessApplicationPolicyTestGetResponse, error)

GET/accounts/{account_id}/access/policy-tests/{policy_test_id}

Start Access policy test

client.ZeroTrust.Access.Applications.PolicyTests.New(ctx, params) (*AccessApplicationPolicyTestNewResponse, error)

POST/accounts/{account_id}/access/policy-tests

Zero TrustAccessApplicationsPolicy TestsUsers

Get an Access policy test users page

client.ZeroTrust.Access.Applications.PolicyTests.Users.List(ctx, policyTestID, params) (*V4PagePaginationArray[AccessApplicationPolicyTestUserListResponse], error)

GET/accounts/{account_id}/access/policy-tests/{policy_test_id}/users

Zero TrustAccessApplicationsSettings

Update Access application settings

client.ZeroTrust.Access.Applications.Settings.Update(ctx, appID, params) (*AccessApplicationSettingUpdateResponse, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings

Update Access application settings

client.ZeroTrust.Access.Applications.Settings.Edit(ctx, appID, params) (*AccessApplicationSettingEditResponse, error)

PATCH/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings

Zero TrustAccessCertificates

List mTLS certificates

client.ZeroTrust.Access.Certificates.List(ctx, params) (*V4PagePaginationArray[Certificate], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/certificates

Get an mTLS certificate

client.ZeroTrust.Access.Certificates.Get(ctx, certificateID, query) (*Certificate, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}

Add an mTLS certificate

client.ZeroTrust.Access.Certificates.New(ctx, params) (*Certificate, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/certificates

Update an mTLS certificate

client.ZeroTrust.Access.Certificates.Update(ctx, certificateID, params) (*Certificate, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}

Delete an mTLS certificate

client.ZeroTrust.Access.Certificates.Delete(ctx, certificateID, body) (*AccessCertificateDeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}

ModelsExpand Collapse

type AssociatedHostnames string

A fully-qualified domain name (FQDN).

type Certificate struct{…}

ID stringoptional

The ID of the application that will use this certificate.

AssociatedHostnames []AssociatedHostnamesoptional

The hostnames of the applications that will use this certificate.

ExpiresOn Timeoptional

formatdate-time

Fingerprint stringoptional

The MD5 fingerprint of the certificate.

Name stringoptional

The name of the certificate.

Zero TrustAccessCertificatesSettings

List all mTLS hostname settings

client.ZeroTrust.Access.Certificates.Settings.Get(ctx, query) (*SinglePage[CertificateSettings], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings

Update an mTLS certificate's hostname settings

client.ZeroTrust.Access.Certificates.Settings.Update(ctx, params) (*SinglePage[CertificateSettings], error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings

ModelsExpand Collapse

type CertificateSettings struct{…}

ChinaNetwork bool

Request client certificates for this hostname in China. Can only be set to true if this zone is china network enabled.

ClientCertificateForwarding bool

Client Certificate Forwarding is a feature that takes the client cert provided by the eyeball to the edge, and forwards it to the origin as a HTTP header to allow logging on the origin.

Hostname string

The hostname that these settings apply to.

Zero TrustAccessGroups

List Access groups

client.ZeroTrust.Access.Groups.List(ctx, params) (*V4PagePaginationArray[AccessGroupListResponse], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/groups

Get an Access group

client.ZeroTrust.Access.Groups.Get(ctx, groupID, query) (*AccessGroupGetResponse, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}

Create an Access group

client.ZeroTrust.Access.Groups.New(ctx, params) (*AccessGroupNewResponse, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/groups

Update an Access group

client.ZeroTrust.Access.Groups.Update(ctx, groupID, params) (*AccessGroupUpdateResponse, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}

Delete an Access group

client.ZeroTrust.Access.Groups.Delete(ctx, groupID, body) (*AccessGroupDeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}

ModelsExpand Collapse

type ZeroTrustGroup struct{…}

ID stringoptional

The unique Cloudflare-generated Id of the SCIM resource.

DisplayName stringoptional

The display name of the SCIM Group resource.

ExternalID stringoptional

The IdP-generated Id of the SCIM resource.

Meta ZeroTrustGroupMetaoptional

The metadata of the SCIM resource.

Created Timeoptional

The timestamp of when the SCIM resource was created.

formatdate-time

LastModified Timeoptional

The timestamp of when the SCIM resource was last modified.

formatdate-time

Schemas []stringoptional

The list of URIs which indicate the attributes contained within a SCIM resource.

Zero TrustAccessService Tokens

List service tokens

client.ZeroTrust.Access.ServiceTokens.List(ctx, params) (*V4PagePaginationArray[ServiceToken], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens

Get a service token

client.ZeroTrust.Access.ServiceTokens.Get(ctx, serviceTokenID, query) (*ServiceToken, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Create a service token

client.ZeroTrust.Access.ServiceTokens.New(ctx, params) (*AccessServiceTokenNewResponse, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens

Update a service token

client.ZeroTrust.Access.ServiceTokens.Update(ctx, serviceTokenID, params) (*ServiceToken, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Delete a service token

client.ZeroTrust.Access.ServiceTokens.Delete(ctx, serviceTokenID, body) (*ServiceToken, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}

Refresh a service token

client.ZeroTrust.Access.ServiceTokens.Refresh(ctx, serviceTokenID, body) (*ServiceToken, error)

POST/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh

Rotate a service token

client.ZeroTrust.Access.ServiceTokens.Rotate(ctx, serviceTokenID, params) (*AccessServiceTokenRotateResponse, error)

POST/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate

ModelsExpand Collapse

type ServiceToken struct{…}

ID stringoptional

The ID of the service token.

maxLength36

ClientID stringoptional

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

Duration stringoptional

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

ExpiresAt Timeoptional

formatdate-time

Name stringoptional

The name of the service token.

Zero TrustAccessBookmarks

List Bookmark applications

Deprecated

client.ZeroTrust.Access.Bookmarks.List(ctx, query) (*SinglePage[Bookmark], error)

GET/accounts/{account_id}/access/bookmarks

Get a Bookmark application

Deprecated

client.ZeroTrust.Access.Bookmarks.Get(ctx, bookmarkID, query) (*Bookmark, error)

GET/accounts/{account_id}/access/bookmarks/{bookmark_id}

Create a Bookmark application

Deprecated

client.ZeroTrust.Access.Bookmarks.New(ctx, bookmarkID, params) (*Bookmark, error)

POST/accounts/{account_id}/access/bookmarks/{bookmark_id}

Update a Bookmark application

Deprecated

client.ZeroTrust.Access.Bookmarks.Update(ctx, bookmarkID, params) (*Bookmark, error)

PUT/accounts/{account_id}/access/bookmarks/{bookmark_id}

Delete a Bookmark application

Deprecated

client.ZeroTrust.Access.Bookmarks.Delete(ctx, bookmarkID, body) (*AccessBookmarkDeleteResponse, error)

DELETE/accounts/{account_id}/access/bookmarks/{bookmark_id}

ModelsExpand Collapse

type Bookmark struct{…}

ID stringoptional

The unique identifier for the Bookmark application.

AppLauncherVisible booloptional

Displays the application in the App Launcher.

Domain stringoptional

The domain of the Bookmark application.

LogoURL stringoptional

The image URL for the logo shown in the App Launcher dashboard.

Name stringoptional

The name of the Bookmark application.

Zero TrustAccessKeys

Get the Access key configuration

client.ZeroTrust.Access.Keys.Get(ctx, query) (*AccessKeyGetResponse, error)

GET/accounts/{account_id}/access/keys

Update the Access key configuration

client.ZeroTrust.Access.Keys.Update(ctx, params) (*AccessKeyUpdateResponse, error)

PUT/accounts/{account_id}/access/keys

Rotate Access keys

client.ZeroTrust.Access.Keys.Rotate(ctx, body) (*AccessKeyRotateResponse, error)

POST/accounts/{account_id}/access/keys/rotate

Zero TrustAccessLogs

Zero TrustAccessLogsAccess Requests

Get Access authentication logs

client.ZeroTrust.Access.Logs.AccessRequests.List(ctx, params) (*[]AccessRequest, error)

GET/accounts/{account_id}/access/logs/access_requests

Zero TrustAccessLogsSCIM

ModelsExpand Collapse

type AccessRequest struct{…}

Action stringoptional

The event that occurred, such as a login attempt.

Allowed booloptional

The result of the authentication event.

AppDomain stringoptional

The URL of the Access application.

AppUID stringoptional

The unique identifier for the Access application.

Connection stringoptional

The IdP used to authenticate.

CreatedAt Timeoptional

formatdate-time

IPAddress stringoptional

The IP address of the authenticating user.

RayID stringoptional

The unique identifier for the request to Cloudflare.

maxLength16

UserEmail stringoptional

The email address of the authenticating user.

formatemail

Zero TrustAccessLogsSCIMUpdates

List Access SCIM update logs

client.ZeroTrust.Access.Logs.SCIM.Updates.List(ctx, params) (*V4PagePaginationArray[AccessLogSCIMUpdateListResponse], error)

GET/accounts/{account_id}/access/logs/scim/updates

Zero TrustAccessUsers

Get users

client.ZeroTrust.Access.Users.List(ctx, params) (*V4PagePaginationArray[AccessUserListResponse], error)

GET/accounts/{account_id}/access/users

Get a user

client.ZeroTrust.Access.Users.Get(ctx, userID, query) (*AccessUserGetResponse, error)

GET/accounts/{account_id}/access/users/{user_id}

Create a user

client.ZeroTrust.Access.Users.New(ctx, params) (*AccessUserNewResponse, error)

POST/accounts/{account_id}/access/users

Update a user

client.ZeroTrust.Access.Users.Update(ctx, userID, params) (*AccessUserUpdateResponse, error)

PUT/accounts/{account_id}/access/users/{user_id}

Delete a user

client.ZeroTrust.Access.Users.Delete(ctx, userID, body) (*AccessUserDeleteResponse, error)

DELETE/accounts/{account_id}/access/users/{user_id}

ModelsExpand Collapse

type AccessUser struct{…}

ID stringoptional

The unique Cloudflare-generated Id of the SCIM resource.

Active booloptional

Determines the status of the SCIM User resource.

DisplayName stringoptional

The name of the SCIM User resource.

Emails []AccessUserEmailoptional

Primary booloptional

Indicates if the email address is the primary email belonging to the SCIM User resource.

Type stringoptional

Indicates the type of the email address.

Value stringoptional

The email address of the SCIM User resource.

formatemail

ExternalID stringoptional

The IdP-generated Id of the SCIM resource.

Meta AccessUserMetaoptional

The metadata of the SCIM resource.

Created Timeoptional

The timestamp of when the SCIM resource was created.

formatdate-time

LastModified Timeoptional

The timestamp of when the SCIM resource was last modified.

formatdate-time

Schemas []stringoptional

The list of URIs which indicate the attributes contained within a SCIM resource.

Zero TrustAccessUsersActive Sessions

Get active sessions

client.ZeroTrust.Access.Users.ActiveSessions.List(ctx, userID, query) (*SinglePage[AccessUserActiveSessionListResponse], error)

GET/accounts/{account_id}/access/users/{user_id}/active_sessions

Get single active session

client.ZeroTrust.Access.Users.ActiveSessions.Get(ctx, userID, nonce, query) (*AccessUserActiveSessionGetResponse, error)

GET/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}

Zero TrustAccessUsersLast Seen Identity

Get last seen identity

client.ZeroTrust.Access.Users.LastSeenIdentity.Get(ctx, userID, query) (*Identity, error)

GET/accounts/{account_id}/access/users/{user_id}/last_seen_identity

ModelsExpand Collapse

type Identity struct{…}

AccountID stringoptional

AuthStatus stringoptional

CommonName stringoptional

DeviceID stringoptional

DeviceSessions map[string, IdentityDeviceSession]optional

LastAuthenticated float64optional

DevicePosture map[string, IdentityDevicePosture]optional

ID stringoptional

Check IdentityDevicePostureCheckoptional

Exists booloptional

Path stringoptional

Data unknownoptional

Description stringoptional

Error stringoptional

RuleName stringoptional

Success booloptional

Timestamp stringoptional

Type stringoptional

Email stringoptional

Geo UserPolicyCheckGeooptional

Iat float64optional

IdP IdentityIdPoptional

ID stringoptional

Type stringoptional

IP stringoptional

IsGateway booloptional

IsWARP booloptional

MTLSAuth IdentityMTLSAuthoptional

AuthStatus stringoptional

CERTIssuerDn stringoptional

CERTIssuerSki stringoptional

CERTPresented booloptional

CERTSerial stringoptional

ServiceTokenID stringoptional

ServiceTokenStatus booloptional

UserUUID stringoptional

Version float64optional

Zero TrustAccessUsersFailed Logins

Get failed logins

client.ZeroTrust.Access.Users.FailedLogins.List(ctx, userID, query) (*SinglePage[AccessUserFailedLoginListResponse], error)

GET/accounts/{account_id}/access/users/{user_id}/failed_logins

Zero TrustAccessCustom Pages

List custom pages

client.ZeroTrust.Access.CustomPages.List(ctx, params) (*V4PagePaginationArray[CustomPageWithoutHTML], error)

GET/accounts/{account_id}/access/custom_pages

Get a custom page

client.ZeroTrust.Access.CustomPages.Get(ctx, customPageID, query) (*CustomPage, error)

GET/accounts/{account_id}/access/custom_pages/{custom_page_id}

Create a custom page

client.ZeroTrust.Access.CustomPages.New(ctx, params) (*CustomPageWithoutHTML, error)

POST/accounts/{account_id}/access/custom_pages

Update a custom page

client.ZeroTrust.Access.CustomPages.Update(ctx, customPageID, params) (*CustomPageWithoutHTML, error)

PUT/accounts/{account_id}/access/custom_pages/{custom_page_id}

Delete a custom page

client.ZeroTrust.Access.CustomPages.Delete(ctx, customPageID, body) (*AccessCustomPageDeleteResponse, error)

DELETE/accounts/{account_id}/access/custom_pages/{custom_page_id}

ModelsExpand Collapse

type CustomPage struct{…}

CustomHTML string

Custom page HTML.

Name string

Custom page name.

Type CustomPageType

Custom page type.

One of the following:

const CustomPageTypeIdentityDenied CustomPageType = "identity_denied"

const CustomPageTypeForbidden CustomPageType = "forbidden"

UID stringoptional

UUID.

maxLength36

type CustomPageWithoutHTML struct{…}

Name string

Custom page name.

Type CustomPageWithoutHTMLType

Custom page type.

One of the following:

const CustomPageWithoutHTMLTypeIdentityDenied CustomPageWithoutHTMLType = "identity_denied"

const CustomPageWithoutHTMLTypeForbidden CustomPageWithoutHTMLType = "forbidden"

UID stringoptional

UUID.

maxLength36

Zero TrustAccessTags

List tags

client.ZeroTrust.Access.Tags.List(ctx, params) (*V4PagePaginationArray[Tag], error)

GET/accounts/{account_id}/access/tags

Get a tag

client.ZeroTrust.Access.Tags.Get(ctx, tagName, query) (*Tag, error)

GET/accounts/{account_id}/access/tags/{tag_name}

Create a tag

client.ZeroTrust.Access.Tags.New(ctx, params) (*Tag, error)

POST/accounts/{account_id}/access/tags

Update a tag

client.ZeroTrust.Access.Tags.Update(ctx, tagName, params) (*Tag, error)

PUT/accounts/{account_id}/access/tags/{tag_name}

Delete a tag

client.ZeroTrust.Access.Tags.Delete(ctx, tagName, body) (*AccessTagDeleteResponse, error)

DELETE/accounts/{account_id}/access/tags/{tag_name}

ModelsExpand Collapse

type Tag struct{…}

A tag

Name string

The name of the tag

Zero TrustAccessPolicies

List Access reusable policies

client.ZeroTrust.Access.Policies.List(ctx, params) (*V4PagePaginationArray[AccessPolicyListResponse], error)

GET/accounts/{account_id}/access/policies

Get an Access reusable policy

client.ZeroTrust.Access.Policies.Get(ctx, policyID, query) (*AccessPolicyGetResponse, error)

GET/accounts/{account_id}/access/policies/{policy_id}

Create an Access reusable policy

client.ZeroTrust.Access.Policies.New(ctx, params) (*AccessPolicyNewResponse, error)

POST/accounts/{account_id}/access/policies

Update an Access reusable policy

client.ZeroTrust.Access.Policies.Update(ctx, policyID, params) (*AccessPolicyUpdateResponse, error)

PUT/accounts/{account_id}/access/policies/{policy_id}

Delete an Access reusable policy

client.ZeroTrust.Access.Policies.Delete(ctx, policyID, body) (*AccessPolicyDeleteResponse, error)

DELETE/accounts/{account_id}/access/policies/{policy_id}

ModelsExpand Collapse

type ApprovalGroup struct{…}

A group of email addresses that can approve a temporary authentication request.

ApprovalsNeeded float64

The number of approvals needed to obtain access.

minimum0

EmailAddresses []stringoptional

A list of emails that can approve the access request.

EmailListUUID stringoptional

The UUID of an re-usable email list.

type Policy struct{…}

ID stringoptional

UUID.

maxLength36

ApprovalGroups []PolicyApprovalGroupoptional

Administrators who can approve a temporary authentication request.

ApprovalsNeeded float64

The number of approvals needed to obtain access.

minimum0

EmailAddresses []unknownoptional

A list of emails that can approve the access request.

EmailListUUID stringoptional

The UUID of an re-usable email list.

ApprovalRequired booloptional

Requires the user to request access from an administrator at the start of each session.

CreatedAt Timeoptional

formatdate-time

Decision PolicyDecisionoptional

The action Access will take if a user matches this policy.

One of the following:

const PolicyDecisionAllow PolicyDecision = "allow"

const PolicyDecisionDeny PolicyDecision = "deny"

const PolicyDecisionNonIdentity PolicyDecision = "non_identity"

const PolicyDecisionBypass PolicyDecision = "bypass"

Exclude []AccessRuleoptional

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user's risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

Include []AccessRuleoptional

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user's risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

IsolationRequired booloptional

Require this application to be served in an isolated browser for users matching this policy.

Name stringoptional

The name of the Access policy.

Precedence int64optional

The order of execution for this policy. Must be unique for each policy.

PurposeJustificationPrompt stringoptional

A custom message that will appear on the purpose justification screen.

PurposeJustificationRequired booloptional

Require users to enter a justification when they log in to the application.

Require []AccessRuleoptional

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringoptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user's risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

UpdatedAt Timeoptional

formatdate-time

Zero TrustDEX

ModelsExpand Collapse

type DigitalExperienceMonitor struct{…}

ID string

API Resource UUID tag.

maxLength36

Default bool

Whether the policy is the default for the account

Name string

type NetworkPath struct{…}

Slots []NetworkPathSlot

ID string

API Resource UUID tag.

maxLength36

ClientToAppRTTMs int64

Round trip time in ms of the client to app mile

ClientToCfEgressRTTMs int64

Round trip time in ms of the client to Cloudflare egress mile

ClientToCfIngressRTTMs int64

Round trip time in ms of the client to Cloudflare ingress mile

Timestamp string

ClientToISPRTTMs int64optional

Round trip time in ms of the client to ISP mile

Sampling NetworkPathSamplingoptional

Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval.

Unit NetworkPathSamplingUnit

Value int64

type NetworkPathResponse struct{…}

ID string

API Resource UUID tag.

maxLength36

DeviceName stringoptional

Interval stringoptional

The interval at which the Traceroute synthetic application test is set to run.

Kind NetworkPathResponseKindoptional

Name stringoptional

NetworkPath NetworkPathoptional

URL stringoptional

The host of the Traceroute synthetic application test

type Percentiles struct{…}

P50 float64optional

p50 observed in the time period

P90 float64optional

p90 observed in the time period

P95 float64optional

p95 observed in the time period

P99 float64optional

p99 observed in the time period

Zero TrustDEXWARP Change Events

List WARP change events.

client.ZeroTrust.DEX.WARPChangeEvents.Get(ctx, params) (*[]DexwarpChangeEventGetResponse, error)

GET/accounts/{account_id}/dex/warp-change-events

Zero TrustDEXCommands

List account commands

client.ZeroTrust.DEX.Commands.List(ctx, params) (*V4PagePagination[DEXCommandListResponse], error)

GET/accounts/{account_id}/dex/commands

Create account commands

client.ZeroTrust.DEX.Commands.New(ctx, params) (*DEXCommandNewResponse, error)

POST/accounts/{account_id}/dex/commands

Zero TrustDEXCommandsDevices

List devices eligible for remote captures

client.ZeroTrust.DEX.Commands.Devices.List(ctx, params) (*V4PagePagination[DEXCommandDeviceListResponse], error)

GET/accounts/{account_id}/dex/commands/devices

Zero TrustDEXCommandsDownloads

Download command output file

client.ZeroTrust.DEX.Commands.Downloads.Get(ctx, commandID, filename, query) (*Response, error)

GET/accounts/{account_id}/dex/commands/{command_id}/downloads/{filename}

Zero TrustDEXCommandsQuota

Returns account commands usage, quota, and reset time

client.ZeroTrust.DEX.Commands.Quota.Get(ctx, query) (*DEXCommandQuotaGetResponse, error)

GET/accounts/{account_id}/dex/commands/quota

Zero TrustDEXColos

List Cloudflare colos

client.ZeroTrust.DEX.Colos.List(ctx, params) (*SinglePage[DEXColoListResponse], error)

GET/accounts/{account_id}/dex/colos

Zero TrustDEXFleet Status

List fleet status details by dimension

client.ZeroTrust.DEX.FleetStatus.Live(ctx, params) (*DEXFleetStatusLiveResponse, error)

GET/accounts/{account_id}/dex/fleet-status/live

List fleet status aggregate details by dimension

client.ZeroTrust.DEX.FleetStatus.OverTime(ctx, params) (*DEXFleetStatusOverTimeResponse, error)

GET/accounts/{account_id}/dex/fleet-status/over-time

ModelsExpand Collapse

type LiveStat struct{…}

UniqueDevicesTotal float64optional

Number of unique devices

Value stringoptional

Zero TrustDEXFleet StatusDevices

List fleet status devices

client.ZeroTrust.DEX.FleetStatus.Devices.List(ctx, params) (*V4PagePaginationArray[DEXFleetStatusDeviceListResponse], error)

GET/accounts/{account_id}/dex/fleet-status/devices

Zero TrustDEXHTTP Tests

Get details and aggregate metrics for an http test

client.ZeroTrust.DEX.HTTPTests.Get(ctx, testID, params) (*HTTPDetails, error)

GET/accounts/{account_id}/dex/http-tests/{test_id}

ModelsExpand Collapse

type HTTPDetails struct{…}

Host stringoptional

The url of the HTTP synthetic application test

HTTPStats HTTPDetailsHTTPStatsoptional

AvailabilityPct HTTPDetailsHTTPStatsAvailabilityPct

Slots []HTTPDetailsHTTPStatsAvailabilityPctSlot

Timestamp string

Value float64

formatfloat

Avg float64optional

average observed in the time period

formatfloat

Max float64optional

highest observed in the time period

formatfloat

Min float64optional

lowest observed in the time period

formatfloat

DNSResponseTimeMs TestStatOverTime

HTTPStatusCode []HTTPDetailsHTTPStatsHTTPStatusCode

Status200 int64

Status300 int64

Status400 int64

Status500 int64

Timestamp string

ResourceFetchTimeMs TestStatOverTime

ServerResponseTimeMs TestStatOverTime

UniqueDevicesTotal int64

Count of unique devices that have run this test in the given time period

HTTPStatsByColo []HTTPDetailsHTTPStatsByColooptional

AvailabilityPct HTTPDetailsHTTPStatsByColoAvailabilityPct

Slots []HTTPDetailsHTTPStatsByColoAvailabilityPctSlot

Timestamp string

Value float64

formatfloat

Avg float64optional

average observed in the time period

formatfloat

Max float64optional

highest observed in the time period

formatfloat

Min float64optional

lowest observed in the time period

formatfloat

Colo string

DNSResponseTimeMs TestStatOverTime

HTTPStatusCode []HTTPDetailsHTTPStatsByColoHTTPStatusCode

Status200 int64

Status300 int64

Status400 int64

Status500 int64

Timestamp string

ResourceFetchTimeMs TestStatOverTime

ServerResponseTimeMs TestStatOverTime

UniqueDevicesTotal int64

Count of unique devices that have run this test in the given time period

Interval stringoptional

The interval at which the HTTP synthetic application test is set to run.

Kind HTTPDetailsKindoptional

Method stringoptional

The HTTP method to use when running the test

Name stringoptional

The name of the HTTP synthetic application test

TargetPolicies []DigitalExperienceMonitoroptional

ID string

API Resource UUID tag.

maxLength36

Default bool

Whether the policy is the default for the account

Name string

Targeted booloptional

Zero TrustDEXHTTP TestsPercentiles

Get percentiles for an http test

client.ZeroTrust.DEX.HTTPTests.Percentiles.Get(ctx, testID, params) (*HTTPDetailsPercentiles, error)

GET/accounts/{account_id}/dex/http-tests/{test_id}/percentiles

ModelsExpand Collapse

type HTTPDetailsPercentiles struct{…}

DNSResponseTimeMs Percentilesoptional

ResourceFetchTimeMs Percentilesoptional

ServerResponseTimeMs Percentilesoptional

type TestStatOverTime struct{…}

Slots []TestStatOverTimeSlot

Timestamp string

Value int64

Avg int64optional

average observed in the time period

Max int64optional

highest observed in the time period

Min int64optional

lowest observed in the time period

Zero TrustDEXTests

List DEX test analytics

client.ZeroTrust.DEX.Tests.List(ctx, params) (*V4PagePagination[Tests], error)

GET/accounts/{account_id}/dex/tests/overview

ModelsExpand Collapse

type AggregateTimePeriod struct{…}

Units AggregateTimePeriodUnits

One of the following:

const AggregateTimePeriodUnitsHours AggregateTimePeriodUnits = "hours"

const AggregateTimePeriodUnitsDays AggregateTimePeriodUnits = "days"

const AggregateTimePeriodUnitsTestRuns AggregateTimePeriodUnits = "testRuns"

Value int64

type Tests struct{…}

OverviewMetrics TestsOverviewMetrics

TestsTotal int64

number of tests.

AvgHTTPAvailabilityPct float64optional

percentage availability for all HTTP test results in response

formatfloat

AvgTracerouteAvailabilityPct float64optional

percentage availability for all traceroutes results in response

formatfloat

Tests []TestsTest

array of test results objects.

ID string

API Resource UUID tag.

maxLength36

Created string

date the test was created.

Description string

the test description defined during configuration

Enabled bool

if true, then the test will run on targeted devices. Else, the test will not run.

Host string

Interval string

The interval at which the synthetic application test is set to run.

Kind TestsTestsKind

test type, http or traceroute

One of the following:

const TestsTestsKindHTTP TestsTestsKind = "http"

const TestsTestsKindTraceroute TestsTestsKind = "traceroute"

Name string

name given to this test

Updated string

HTTPResults TestsTestsHTTPResultsoptional

ResourceFetchTime TestsTestsHTTPResultsResourceFetchTime

History []TestsTestsHTTPResultsResourceFetchTimeHistory

TimePeriod AggregateTimePeriod

AvgMs int64optional

DeltaPct float64optional

formatfloat

AvgMs int64optional

OverTime TestsTestsHTTPResultsResourceFetchTimeOverTimeoptional

TimePeriod AggregateTimePeriod

Values []TestsTestsHTTPResultsResourceFetchTimeOverTimeValue

AvgMs int64

Timestamp string

HTTPResultsByColo []TestsTestsHTTPResultsByColooptional

Colo string

Cloudflare colo

ResourceFetchTime TestsTestsHTTPResultsByColoResourceFetchTime

History []TestsTestsHTTPResultsByColoResourceFetchTimeHistory

TimePeriod AggregateTimePeriod

AvgMs int64optional

DeltaPct float64optional

formatfloat

AvgMs int64optional

OverTime TestsTestsHTTPResultsByColoResourceFetchTimeOverTimeoptional

TimePeriod AggregateTimePeriod

Values []TestsTestsHTTPResultsByColoResourceFetchTimeOverTimeValue

AvgMs int64

Timestamp string

Method stringoptional

for HTTP, the method to use when running the test

TargetPolicies []DigitalExperienceMonitoroptional

ID string

API Resource UUID tag.

maxLength36

Default bool

Whether the policy is the default for the account

Name string

Targeted booloptional

TracerouteResults TestsTestsTracerouteResultsoptional

RoundTripTime TestsTestsTracerouteResultsRoundTripTime

History []TestsTestsTracerouteResultsRoundTripTimeHistory

TimePeriod AggregateTimePeriod

AvgMs int64optional

DeltaPct float64optional

formatfloat

AvgMs int64optional

OverTime TestsTestsTracerouteResultsRoundTripTimeOverTimeoptional

TimePeriod AggregateTimePeriod

Values []TestsTestsTracerouteResultsRoundTripTimeOverTimeValue

AvgMs int64

Timestamp string

TracerouteResultsByColo []TestsTestsTracerouteResultsByColooptional

Colo string

Cloudflare colo

RoundTripTime TestsTestsTracerouteResultsByColoRoundTripTime

History []TestsTestsTracerouteResultsByColoRoundTripTimeHistory

TimePeriod AggregateTimePeriod

AvgMs int64optional

DeltaPct float64optional

formatfloat

AvgMs int64optional

OverTime TestsTestsTracerouteResultsByColoRoundTripTimeOverTimeoptional

TimePeriod AggregateTimePeriod

Values []TestsTestsTracerouteResultsByColoRoundTripTimeOverTimeValue

AvgMs int64

Timestamp string

Zero TrustDEXTestsUnique Devices

Get count of devices targeted

client.ZeroTrust.DEX.Tests.UniqueDevices.List(ctx, params) (*UniqueDevices, error)

GET/accounts/{account_id}/dex/tests/unique-devices

ModelsExpand Collapse

type UniqueDevices struct{…}

UniqueDevicesTotal int64

total number of unique devices

Zero TrustDEXTraceroute Test Results

Zero TrustDEXTraceroute Test ResultsNetwork Path

Get details for a specific traceroute test run

client.ZeroTrust.DEX.TracerouteTestResults.NetworkPath.Get(ctx, testResultID, query) (*DEXTracerouteTestResultNetworkPathGetResponse, error)

GET/accounts/{account_id}/dex/traceroute-test-results/{test_result_id}/network-path

Zero TrustDEXTraceroute Tests

Get details and aggregate metrics for a traceroute test

client.ZeroTrust.DEX.TracerouteTests.Get(ctx, testID, params) (*Traceroute, error)

GET/accounts/{account_id}/dex/traceroute-tests/{test_id}

Get percentiles for a traceroute test

client.ZeroTrust.DEX.TracerouteTests.Percentiles(ctx, testID, params) (*DEXTracerouteTestPercentilesResponse, error)

GET/accounts/{account_id}/dex/traceroute-tests/{test_id}/percentiles

Get network path breakdown for a traceroute test

client.ZeroTrust.DEX.TracerouteTests.NetworkPath(ctx, testID, params) (*NetworkPathResponse, error)

GET/accounts/{account_id}/dex/traceroute-tests/{test_id}/network-path

ModelsExpand Collapse

type Traceroute struct{…}

Host string

The host of the Traceroute synthetic application test

Interval string

The interval at which the Traceroute synthetic application test is set to run.

Kind TracerouteKind

Name string

The name of the Traceroute synthetic application test

TargetPolicies []DigitalExperienceMonitoroptional

ID string

API Resource UUID tag.

maxLength36

Default bool

Whether the policy is the default for the account

Name string

Targeted booloptional

TracerouteStats TracerouteTracerouteStatsoptional

AvailabilityPct TracerouteTracerouteStatsAvailabilityPct

Slots []TracerouteTracerouteStatsAvailabilityPctSlot

Timestamp string

Value float64

formatfloat

Avg float64optional

average observed in the time period

formatfloat

Max float64optional

highest observed in the time period

formatfloat

Min float64optional

lowest observed in the time period

formatfloat

HopsCount TestStatOverTime

PacketLossPct TracerouteTracerouteStatsPacketLossPct

Slots []TracerouteTracerouteStatsPacketLossPctSlot

Timestamp string

Value float64

formatfloat

Avg float64optional

average observed in the time period

formatfloat

Max float64optional

highest observed in the time period

formatfloat

Min float64optional

lowest observed in the time period

formatfloat

RoundTripTimeMs TestStatOverTime

UniqueDevicesTotal int64

Count of unique devices that have run this test in the given time period

TracerouteStatsByColo []TracerouteTracerouteStatsByColooptional

AvailabilityPct TracerouteTracerouteStatsByColoAvailabilityPct

Slots []TracerouteTracerouteStatsByColoAvailabilityPctSlot

Timestamp string

Value float64

formatfloat

Avg float64optional

average observed in the time period

formatfloat

Max float64optional

highest observed in the time period

formatfloat

Min float64optional

lowest observed in the time period

formatfloat

Colo string

HopsCount TestStatOverTime

PacketLossPct TracerouteTracerouteStatsByColoPacketLossPct

Slots []TracerouteTracerouteStatsByColoPacketLossPctSlot

Timestamp string

Value float64

formatfloat

Avg float64optional

average observed in the time period

formatfloat

Max float64optional

highest observed in the time period

formatfloat

Min float64optional

lowest observed in the time period

formatfloat

RoundTripTimeMs TestStatOverTime

UniqueDevicesTotal int64

Count of unique devices that have run this test in the given time period

Zero TrustDEXRules

Get DEX Rule

client.ZeroTrust.DEX.Rules.Get(ctx, ruleID, query) (*DEXRuleGetResponse, error)

GET/accounts/{account_id}/dex/rules/{rule_id}

Delete a DEX Rule

client.ZeroTrust.DEX.Rules.Delete(ctx, ruleID, body) (*bool, error)

DELETE/accounts/{account_id}/dex/rules/{rule_id}

Update a DEX Rule

client.ZeroTrust.DEX.Rules.Update(ctx, ruleID, params) (*DEXRuleUpdateResponse, error)

PATCH/accounts/{account_id}/dex/rules/{rule_id}

Create a DEX Rule

client.ZeroTrust.DEX.Rules.New(ctx, params) (*DEXRuleNewResponse, error)

POST/accounts/{account_id}/dex/rules

List DEX Rules

client.ZeroTrust.DEX.Rules.List(ctx, params) (*V4PagePagination[DEXRuleListResponse], error)

GET/accounts/{account_id}/dex/rules

Zero TrustTunnels

List All Tunnels

client.ZeroTrust.Tunnels.List(ctx, params) (*V4PagePaginationArray[TunnelListResponse], error)

GET/accounts/{account_id}/tunnels

ModelsExpand Collapse

type Connection struct{…}

ColoName stringoptional

The Cloudflare data center used for this connection.

IsPendingReconnect booloptional

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

UUID stringoptional

UUID of the Cloudflare Tunnel connection.

formatuuid

maxLength36

Zero TrustTunnelsCloudflared

List Cloudflare Tunnels

client.ZeroTrust.Tunnels.Cloudflared.List(ctx, params) (*V4PagePaginationArray[CloudflareTunnel], error)

GET/accounts/{account_id}/cfd_tunnel

Get a Cloudflare Tunnel

client.ZeroTrust.Tunnels.Cloudflared.Get(ctx, tunnelID, query) (*CloudflareTunnel, error)

GET/accounts/{account_id}/cfd_tunnel/{tunnel_id}

Create a Cloudflare Tunnel

client.ZeroTrust.Tunnels.Cloudflared.New(ctx, params) (*CloudflareTunnel, error)

POST/accounts/{account_id}/cfd_tunnel

Update a Cloudflare Tunnel

client.ZeroTrust.Tunnels.Cloudflared.Edit(ctx, tunnelID, params) (*CloudflareTunnel, error)

PATCH/accounts/{account_id}/cfd_tunnel/{tunnel_id}

Delete a Cloudflare Tunnel

client.ZeroTrust.Tunnels.Cloudflared.Delete(ctx, tunnelID, body) (*CloudflareTunnel, error)

DELETE/accounts/{account_id}/cfd_tunnel/{tunnel_id}

Zero TrustTunnelsCloudflaredConfigurations

Get configuration

client.ZeroTrust.Tunnels.Cloudflared.Configurations.Get(ctx, tunnelID, query) (*TunnelCloudflaredConfigurationGetResponse, error)

GET/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations

Put configuration

client.ZeroTrust.Tunnels.Cloudflared.Configurations.Update(ctx, tunnelID, params) (*TunnelCloudflaredConfigurationUpdateResponse, error)

PUT/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations

Zero TrustTunnelsCloudflaredConnections

List Cloudflare Tunnel connections

client.ZeroTrust.Tunnels.Cloudflared.Connections.Get(ctx, tunnelID, query) (*SinglePage[Client], error)

GET/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections

Clean up Cloudflare Tunnel connections

client.ZeroTrust.Tunnels.Cloudflared.Connections.Delete(ctx, tunnelID, params) (*TunnelCloudflaredConnectionDeleteResponse, error)

DELETE/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections

ModelsExpand Collapse

type Client struct{…}

A client (typically cloudflared) that maintains connections to a Cloudflare data center.

ID stringoptional

UUID of the Cloudflare Tunnel connection.

formatuuid

maxLength36

Arch stringoptional

The cloudflared OS architecture used to establish this connection.

ConfigVersion int64optional

The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard.

Conns []ClientConnoptional

The Cloudflare Tunnel connections between your origin and Cloudflare's edge.

ID stringoptional

UUID of the Cloudflare Tunnel connection.

formatuuid

maxLength36

ClientID stringoptional

UUID of the Cloudflare Tunnel connector.

formatuuid

maxLength36

ClientVersion stringoptional

The cloudflared version used to establish this connection.

ColoName stringoptional

The Cloudflare data center used for this connection.

IsPendingReconnect booloptional

Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If true, the connection has disconnected but is still being tracked. If false, the connection is actively serving traffic.

OpenedAt Timeoptional

Timestamp of when the connection was established.

formatdate-time

OriginIP stringoptional

The public IP address of the host running cloudflared.

UUID stringoptional

UUID of the Cloudflare Tunnel connection.

formatuuid

maxLength36

Features []stringoptional

Features enabled for the Cloudflare Tunnel.

RunAt Timeoptional

Timestamp of when the tunnel connection was started.

formatdate-time

Version stringoptional

The cloudflared version used to establish this connection.

Zero TrustTunnelsCloudflaredToken

Get a Cloudflare Tunnel token

client.ZeroTrust.Tunnels.Cloudflared.Token.Get(ctx, tunnelID, query) (*string, error)

GET/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token

Zero TrustTunnelsCloudflaredConnectors

Get Cloudflare Tunnel connector

client.ZeroTrust.Tunnels.Cloudflared.Connectors.Get(ctx, tunnelID, connectorID, query) (*Client, error)

GET/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connectors/{connector_id}

Zero TrustTunnelsCloudflaredManagement

Get a Cloudflare Tunnel management token

client.ZeroTrust.Tunnels.Cloudflared.Management.New(ctx, tunnelID, params) (*string, error)

POST/accounts/{account_id}/cfd_tunnel/{tunnel_id}/management

Zero TrustTunnelsWARP Connector

List Warp Connector Tunnels

client.ZeroTrust.Tunnels.WARPConnector.List(ctx, params) (*V4PagePaginationArray[TunnelWARPConnectorListResponse], error)

GET/accounts/{account_id}/warp_connector

Get a Warp Connector Tunnel

client.ZeroTrust.Tunnels.WARPConnector.Get(ctx, tunnelID, query) (*TunnelWARPConnectorGetResponse, error)

GET/accounts/{account_id}/warp_connector/{tunnel_id}

Create a Warp Connector Tunnel

client.ZeroTrust.Tunnels.WARPConnector.New(ctx, params) (*TunnelWARPConnectorNewResponse, error)

POST/accounts/{account_id}/warp_connector

Update a Warp Connector Tunnel

client.ZeroTrust.Tunnels.WARPConnector.Edit(ctx, tunnelID, params) (*TunnelWARPConnectorEditResponse, error)

PATCH/accounts/{account_id}/warp_connector/{tunnel_id}

Delete a Warp Connector Tunnel

client.ZeroTrust.Tunnels.WARPConnector.Delete(ctx, tunnelID, body) (*TunnelWARPConnectorDeleteResponse, error)

DELETE/accounts/{account_id}/warp_connector/{tunnel_id}

Zero TrustTunnelsWARP ConnectorToken

Get a Warp Connector Tunnel token

client.ZeroTrust.Tunnels.WARPConnector.Token.Get(ctx, tunnelID, query) (*string, error)

GET/accounts/{account_id}/warp_connector/{tunnel_id}/token

Zero TrustTunnelsWARP ConnectorConnections

List WARP Connector Tunnel connections

client.ZeroTrust.Tunnels.WARPConnector.Connections.Get(ctx, tunnelID, query) (*SinglePage[TunnelWARPConnectorConnectionGetResponse], error)

GET/accounts/{account_id}/warp_connector/{tunnel_id}/connections

Zero TrustTunnelsWARP ConnectorConnectors

Get WARP Connector Tunnel connector

client.ZeroTrust.Tunnels.WARPConnector.Connectors.Get(ctx, tunnelID, connectorID, query) (*TunnelWARPConnectorConnectorGetResponse, error)

GET/accounts/{account_id}/warp_connector/{tunnel_id}/connectors/{connector_id}

Zero TrustTunnelsWARP ConnectorFailover

Trigger a manual failover for a WARP Connector Tunnel

client.ZeroTrust.Tunnels.WARPConnector.Failover.Update(ctx, tunnelID, params) (*TunnelWARPConnectorFailoverUpdateResponse, error)

PUT/accounts/{account_id}/warp_connector/{tunnel_id}/failover

Zero TrustConnectivity Settings

Get Zero Trust Connectivity Settings

client.ZeroTrust.ConnectivitySettings.Get(ctx, query) (*ConnectivitySettingGetResponse, error)

GET/accounts/{account_id}/zerotrust/connectivity_settings

Updates the Zero Trust Connectivity Settings

client.ZeroTrust.ConnectivitySettings.Edit(ctx, params) (*ConnectivitySettingEditResponse, error)

PATCH/accounts/{account_id}/zerotrust/connectivity_settings

Zero TrustDLP

Zero TrustDLPDatasets

Fetch all datasets

client.ZeroTrust.DLP.Datasets.List(ctx, query) (*SinglePage[Dataset], error)

GET/accounts/{account_id}/dlp/datasets

Fetch a specific dataset

client.ZeroTrust.DLP.Datasets.Get(ctx, datasetID, query) (*Dataset, error)

GET/accounts/{account_id}/dlp/datasets/{dataset_id}

Create a new dataset

client.ZeroTrust.DLP.Datasets.New(ctx, params) (*DatasetCreation, error)

POST/accounts/{account_id}/dlp/datasets

Update details about a dataset

client.ZeroTrust.DLP.Datasets.Update(ctx, datasetID, params) (*Dataset, error)

PUT/accounts/{account_id}/dlp/datasets/{dataset_id}

Delete a dataset

client.ZeroTrust.DLP.Datasets.Delete(ctx, datasetID, body) error

DELETE/accounts/{account_id}/dlp/datasets/{dataset_id}

ModelsExpand Collapse

type Dataset struct{…}

ID string

formatuuid

Columns []DatasetColumn

EntryID string

formatuuid

HeaderName string

NumCells int64

formatint64

UploadStatus DatasetColumnsUploadStatus

One of the following:

const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"

const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"

const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"

const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"

const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"

const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"

CreatedAt Time

formatdate-time

EncodingVersion int64

formatint32

minimum0

Name string

NumCells int64

formatint64

Secret bool

Status DatasetStatus

One of the following:

const DatasetStatusEmpty DatasetStatus = "empty"

const DatasetStatusUploading DatasetStatus = "uploading"

const DatasetStatusPending DatasetStatus = "pending"

const DatasetStatusProcessing DatasetStatus = "processing"

const DatasetStatusFailed DatasetStatus = "failed"

const DatasetStatusComplete DatasetStatus = "complete"

UpdatedAt Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

formatdate-time

Uploads []DatasetUpload

NumCells int64

formatint64

Status DatasetUploadsStatus

One of the following:

const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"

const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"

const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"

const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"

const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"

const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"

Version int64

formatint64

CaseSensitive booloptional

Description stringoptional

The description of the dataset.

type DatasetArray []Dataset

ID string

formatuuid

Columns []DatasetColumn

EntryID string

formatuuid

HeaderName string

NumCells int64

formatint64

UploadStatus DatasetColumnsUploadStatus

One of the following:

const DatasetColumnsUploadStatusEmpty DatasetColumnsUploadStatus = "empty"

const DatasetColumnsUploadStatusUploading DatasetColumnsUploadStatus = "uploading"

const DatasetColumnsUploadStatusPending DatasetColumnsUploadStatus = "pending"

const DatasetColumnsUploadStatusProcessing DatasetColumnsUploadStatus = "processing"

const DatasetColumnsUploadStatusFailed DatasetColumnsUploadStatus = "failed"

const DatasetColumnsUploadStatusComplete DatasetColumnsUploadStatus = "complete"

CreatedAt Time

formatdate-time

EncodingVersion int64

formatint32

minimum0

Name string

NumCells int64

formatint64

Secret bool

Status DatasetStatus

One of the following:

const DatasetStatusEmpty DatasetStatus = "empty"

const DatasetStatusUploading DatasetStatus = "uploading"

const DatasetStatusPending DatasetStatus = "pending"

const DatasetStatusProcessing DatasetStatus = "processing"

const DatasetStatusFailed DatasetStatus = "failed"

const DatasetStatusComplete DatasetStatus = "complete"

UpdatedAt Time

Stores when the dataset was last updated.

This includes name or description changes as well as uploads.

formatdate-time

Uploads []DatasetUpload

NumCells int64

formatint64

Status DatasetUploadsStatus

One of the following:

const DatasetUploadsStatusEmpty DatasetUploadsStatus = "empty"

const DatasetUploadsStatusUploading DatasetUploadsStatus = "uploading"

const DatasetUploadsStatusPending DatasetUploadsStatus = "pending"

const DatasetUploadsStatusProcessing DatasetUploadsStatus = "processing"

const DatasetUploadsStatusFailed DatasetUploadsStatus = "failed"

const DatasetUploadsStatusComplete DatasetUploadsStatus = "complete"

Version int64

formatint64

CaseSensitive booloptional

Description stringoptional

The description of the dataset.

type DatasetCreation struct{…}

Dataset Dataset

EncodingVersion int64

Encoding version to use for dataset.

formatint32

minimum0

MaxCells int64

formatint64

minimum0

Version int64

The version to use when uploading the dataset.

formatint64

Secret stringoptional

The secret to use for Exact Data Match datasets.

This is not present in Custom Wordlists.

formatpassword

Zero TrustDLPDatasetsUpload

Prepare to upload a new version of a dataset

client.ZeroTrust.DLP.Datasets.Upload.New(ctx, datasetID, body) (*NewVersion, error)

POST/accounts/{account_id}/dlp/datasets/{dataset_id}/upload

Upload a new version of a dataset

client.ZeroTrust.DLP.Datasets.Upload.Edit(ctx, datasetID, version, dataset, params) (*Dataset, error)

POST/accounts/{account_id}/dlp/datasets/{dataset_id}/upload/{version}

ModelsExpand Collapse

type NewVersion struct{…}

EncodingVersion int64

formatint32

minimum0

MaxCells int64

formatint64

minimum0

Version int64

formatint64

CaseSensitive booloptional

Columns []NewVersionColumnoptional

EntryID string

formatuuid

HeaderName string

NumCells int64

formatint64

UploadStatus NewVersionColumnsUploadStatus

One of the following:

const NewVersionColumnsUploadStatusEmpty NewVersionColumnsUploadStatus = "empty"

const NewVersionColumnsUploadStatusUploading NewVersionColumnsUploadStatus = "uploading"

const NewVersionColumnsUploadStatusPending NewVersionColumnsUploadStatus = "pending"

const NewVersionColumnsUploadStatusProcessing NewVersionColumnsUploadStatus = "processing"

const NewVersionColumnsUploadStatusFailed NewVersionColumnsUploadStatus = "failed"

const NewVersionColumnsUploadStatusComplete NewVersionColumnsUploadStatus = "complete"

Secret stringoptional

formatpassword

Zero TrustDLPDatasetsVersions

Sets the column information for a multi-column upload

client.ZeroTrust.DLP.Datasets.Versions.New(ctx, datasetID, version, params) (*SinglePage[DLPDatasetVersionNewResponse], error)

POST/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}

Zero TrustDLPDatasetsVersionsEntries

Upload a new version of a multi-column dataset

client.ZeroTrust.DLP.Datasets.Versions.Entries.New(ctx, datasetID, version, entryID, datasetVersionEntry, params) (*DLPDatasetVersionEntryNewResponse, error)

POST/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}/entries/{entry_id}

Zero TrustDLPPatterns

Validate a DLP regex pattern

client.ZeroTrust.DLP.Patterns.Validate(ctx, params) (*DLPPatternValidateResponse, error)

POST/accounts/{account_id}/dlp/patterns/validate

Zero TrustDLPPayload Logs

Get payload log settings

client.ZeroTrust.DLP.PayloadLogs.Get(ctx, query) (*DLPPayloadLogGetResponse, error)

GET/accounts/{account_id}/dlp/payload_log

Set payload log settings

client.ZeroTrust.DLP.PayloadLogs.Update(ctx, params) (*DLPPayloadLogUpdateResponse, error)

PUT/accounts/{account_id}/dlp/payload_log

Zero TrustDLPEmail

Zero TrustDLPEmailAccount Mapping

Get mapping

client.ZeroTrust.DLP.Email.AccountMapping.Get(ctx, query) (*DLPEmailAccountMappingGetResponse, error)

GET/accounts/{account_id}/dlp/email/account_mapping

Create mapping

client.ZeroTrust.DLP.Email.AccountMapping.New(ctx, params) (*DLPEmailAccountMappingNewResponse, error)

POST/accounts/{account_id}/dlp/email/account_mapping

Zero TrustDLPEmailRules

List all email scanner rules

client.ZeroTrust.DLP.Email.Rules.List(ctx, query) (*SinglePage[DLPEmailRuleListResponse], error)

GET/accounts/{account_id}/dlp/email/rules

Get an email scanner rule

client.ZeroTrust.DLP.Email.Rules.Get(ctx, ruleID, query) (*DLPEmailRuleGetResponse, error)

GET/accounts/{account_id}/dlp/email/rules/{rule_id}

Create email scanner rule

client.ZeroTrust.DLP.Email.Rules.New(ctx, params) (*DLPEmailRuleNewResponse, error)

POST/accounts/{account_id}/dlp/email/rules

Update email scanner rule

client.ZeroTrust.DLP.Email.Rules.Update(ctx, ruleID, params) (*DLPEmailRuleUpdateResponse, error)

PUT/accounts/{account_id}/dlp/email/rules/{rule_id}

Delete email scanner rule

client.ZeroTrust.DLP.Email.Rules.Delete(ctx, ruleID, body) (*DLPEmailRuleDeleteResponse, error)

DELETE/accounts/{account_id}/dlp/email/rules/{rule_id}

Update email scanner rule priorities

client.ZeroTrust.DLP.Email.Rules.BulkEdit(ctx, params) (*DLPEmailRuleBulkEditResponse, error)

PATCH/accounts/{account_id}/dlp/email/rules

Zero TrustDLPProfiles

List all profiles

client.ZeroTrust.DLP.Profiles.List(ctx, params) (*SinglePage[Profile], error)

GET/accounts/{account_id}/dlp/profiles

Get DLP Profile

client.ZeroTrust.DLP.Profiles.Get(ctx, profileID, query) (*Profile, error)

GET/accounts/{account_id}/dlp/profiles/{profile_id}

ModelsExpand Collapse

type ContextAwareness struct{…}

Scan the context of predefined entries to only return matches surrounded by keywords.

Enabled bool

If true, scan the context of predefined entries to only return matches surrounded by keywords.

Skip SkipConfiguration

Content types to exclude from context analysis and return all matches.

type Profile interface{…}

One of the following:

type ProfileCustomProfile struct{…}

ID string

The id of the profile (uuid).

formatuuid

AllowedMatchCount int64

Related DLP policies will trigger when the match count exceeds the number set.

formatint32

maximum1000

minimum0

CreatedAt Time

When the profile was created.

formatdate-time

Name string

The name of the profile.

OCREnabled bool

Type ProfileCustomProfileType

UpdatedAt Time

When the profile was lasted updated.

formatdate-time

AIContextEnabled booloptional

ConfidenceThreshold ProfileCustomProfileConfidenceThresholdoptional

One of the following:

const ProfileCustomProfileConfidenceThresholdLow ProfileCustomProfileConfidenceThreshold = "low"

const ProfileCustomProfileConfidenceThresholdMedium ProfileCustomProfileConfidenceThreshold = "medium"

const ProfileCustomProfileConfidenceThresholdHigh ProfileCustomProfileConfidenceThreshold = "high"

const ProfileCustomProfileConfidenceThresholdVeryHigh ProfileCustomProfileConfidenceThreshold = "very_high"

DeprecatedContextAwareness ContextAwarenessoptional

Scan the context of predefined entries to only return matches surrounded by keywords.

DataClasses []stringoptional

Data classes associated with this profile.

DataTags []stringoptional

Data tags associated with this profile.

Description stringoptional

The description of the profile.

DeprecatedEntries []ProfileCustomProfileEntryoptional

One of the following:

type ProfileCustomProfileEntriesCustomEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type ProfileCustomProfileEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

type ProfileCustomProfileEntriesPredefinedEntry struct{…}

ID string

formatuuid

Confidence ProfileCustomProfileEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type ProfileCustomProfileEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant ProfileCustomProfileEntriesPredefinedEntryVariantoptional

TopicType ProfileCustomProfileEntriesPredefinedEntryVariantTopicType

One of the following:

const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"

const ProfileCustomProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileEntriesPredefinedEntryVariantTopicType = "Content"

Type ProfileCustomProfileEntriesPredefinedEntryVariantType

Description stringoptional

type ProfileCustomProfileEntriesIntegrationEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileCustomProfileEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

type ProfileCustomProfileEntriesExactDataEntry struct{…}

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type ProfileCustomProfileEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

type ProfileCustomProfileEntriesDocumentFingerprintEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileCustomProfileEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

type ProfileCustomProfileEntriesWordListEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileCustomProfileEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

SensitivityLevels [][]stringoptional

Sensitivity levels associated with this profile as (group_id, level_id) tuples.

SharedEntries []ProfileCustomProfileSharedEntryoptional

One of the following:

type ProfileCustomProfileSharedEntriesCustomEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type ProfileCustomProfileSharedEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

type ProfileCustomProfileSharedEntriesPredefinedEntry struct{…}

ID string

formatuuid

Confidence ProfileCustomProfileSharedEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type ProfileCustomProfileSharedEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant ProfileCustomProfileSharedEntriesPredefinedEntryVariantoptional

TopicType ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType

One of the following:

const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"

const ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileCustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"

Type ProfileCustomProfileSharedEntriesPredefinedEntryVariantType

Description stringoptional

type ProfileCustomProfileSharedEntriesIntegrationEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileCustomProfileSharedEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

type ProfileCustomProfileSharedEntriesExactDataEntry struct{…}

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type ProfileCustomProfileSharedEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

type ProfileCustomProfileSharedEntriesDocumentFingerprintEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileCustomProfileSharedEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

type ProfileCustomProfileSharedEntriesWordListEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileCustomProfileSharedEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

type ProfilePredefinedProfile struct{…}

ID string

The id of the predefined profile (uuid).

formatuuid

AllowedMatchCount int64

formatint32

DeprecatedEntries []ProfilePredefinedProfileEntry

One of the following:

type ProfilePredefinedProfileEntriesCustomEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type ProfilePredefinedProfileEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

type ProfilePredefinedProfileEntriesPredefinedEntry struct{…}

ID string

formatuuid

Confidence ProfilePredefinedProfileEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type ProfilePredefinedProfileEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant ProfilePredefinedProfileEntriesPredefinedEntryVariantoptional

TopicType ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType

One of the following:

const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"

const ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent ProfilePredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"

Type ProfilePredefinedProfileEntriesPredefinedEntryVariantType

Description stringoptional

type ProfilePredefinedProfileEntriesIntegrationEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfilePredefinedProfileEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

type ProfilePredefinedProfileEntriesExactDataEntry struct{…}

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type ProfilePredefinedProfileEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

type ProfilePredefinedProfileEntriesDocumentFingerprintEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfilePredefinedProfileEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

type ProfilePredefinedProfileEntriesWordListEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfilePredefinedProfileEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

Name string

The name of the predefined profile.

Type ProfilePredefinedProfileType

AIContextEnabled booloptional

ConfidenceThreshold ProfilePredefinedProfileConfidenceThresholdoptional

One of the following:

const ProfilePredefinedProfileConfidenceThresholdLow ProfilePredefinedProfileConfidenceThreshold = "low"

const ProfilePredefinedProfileConfidenceThresholdMedium ProfilePredefinedProfileConfidenceThreshold = "medium"

const ProfilePredefinedProfileConfidenceThresholdHigh ProfilePredefinedProfileConfidenceThreshold = "high"

const ProfilePredefinedProfileConfidenceThresholdVeryHigh ProfilePredefinedProfileConfidenceThreshold = "very_high"

DeprecatedContextAwareness ContextAwarenessoptional

Scan the context of predefined entries to only return matches surrounded by keywords.

OCREnabled booloptional

OpenAccess booloptional

Whether this profile can be accessed by anyone.

type ProfileIntegrationProfile struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEntries []ProfileIntegrationProfileEntry

One of the following:

type ProfileIntegrationProfileEntriesCustomEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type ProfileIntegrationProfileEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

type ProfileIntegrationProfileEntriesPredefinedEntry struct{…}

ID string

formatuuid

Confidence ProfileIntegrationProfileEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type ProfileIntegrationProfileEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant ProfileIntegrationProfileEntriesPredefinedEntryVariantoptional

TopicType ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType

One of the following:

const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Intent"

const ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileEntriesPredefinedEntryVariantTopicType = "Content"

Type ProfileIntegrationProfileEntriesPredefinedEntryVariantType

Description stringoptional

type ProfileIntegrationProfileEntriesIntegrationEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileIntegrationProfileEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

type ProfileIntegrationProfileEntriesExactDataEntry struct{…}

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type ProfileIntegrationProfileEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

type ProfileIntegrationProfileEntriesDocumentFingerprintEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileIntegrationProfileEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

type ProfileIntegrationProfileEntriesWordListEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileIntegrationProfileEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

Name string

SharedEntries []ProfileIntegrationProfileSharedEntry

One of the following:

type ProfileIntegrationProfileSharedEntriesCustomEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type ProfileIntegrationProfileSharedEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

type ProfileIntegrationProfileSharedEntriesPredefinedEntry struct{…}

ID string

formatuuid

Confidence ProfileIntegrationProfileSharedEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type ProfileIntegrationProfileSharedEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantoptional

TopicType ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType

One of the following:

const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"

const ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicTypeContent ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"

Type ProfileIntegrationProfileSharedEntriesPredefinedEntryVariantType

Description stringoptional

type ProfileIntegrationProfileSharedEntriesIntegrationEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileIntegrationProfileSharedEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

type ProfileIntegrationProfileSharedEntriesExactDataEntry struct{…}

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type ProfileIntegrationProfileSharedEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileIntegrationProfileSharedEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

type ProfileIntegrationProfileSharedEntriesWordListEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type ProfileIntegrationProfileSharedEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

Type ProfileIntegrationProfileType

UpdatedAt Time

formatdate-time

Description stringoptional

The description of the profile.

type SkipConfiguration struct{…}

Content types to exclude from context analysis and return all matches.

Files bool

If the content type is a file, skip context analysis and return all matches.

Zero TrustDLPProfilesCustom

Get custom profile

client.ZeroTrust.DLP.Profiles.Custom.Get(ctx, profileID, query) (*Profile, error)

GET/accounts/{account_id}/dlp/profiles/custom/{profile_id}

Create custom profile

client.ZeroTrust.DLP.Profiles.Custom.New(ctx, params) (*Profile, error)

POST/accounts/{account_id}/dlp/profiles/custom

Update custom profile

client.ZeroTrust.DLP.Profiles.Custom.Update(ctx, profileID, params) (*Profile, error)

PUT/accounts/{account_id}/dlp/profiles/custom/{profile_id}

Delete custom profile

client.ZeroTrust.DLP.Profiles.Custom.Delete(ctx, profileID, body) (*DLPProfileCustomDeleteResponse, error)

DELETE/accounts/{account_id}/dlp/profiles/custom/{profile_id}

ModelsExpand Collapse

type CustomProfile struct{…}

ID string

The id of the profile (uuid).

formatuuid

AllowedMatchCount int64

Related DLP policies will trigger when the match count exceeds the number set.

formatint32

maximum1000

minimum0

CreatedAt Time

When the profile was created.

formatdate-time

Name string

The name of the profile.

OCREnabled bool

UpdatedAt Time

When the profile was lasted updated.

formatdate-time

AIContextEnabled booloptional

ConfidenceThreshold CustomProfileConfidenceThresholdoptional

One of the following:

const CustomProfileConfidenceThresholdLow CustomProfileConfidenceThreshold = "low"

const CustomProfileConfidenceThresholdMedium CustomProfileConfidenceThreshold = "medium"

const CustomProfileConfidenceThresholdHigh CustomProfileConfidenceThreshold = "high"

const CustomProfileConfidenceThresholdVeryHigh CustomProfileConfidenceThreshold = "very_high"

DeprecatedContextAwareness ContextAwarenessoptional

Scan the context of predefined entries to only return matches surrounded by keywords.

DataClasses []stringoptional

Data classes associated with this profile.

DataTags []stringoptional

Data tags associated with this profile.

Description stringoptional

The description of the profile.

DeprecatedEntries []CustomProfileEntryoptional

One of the following:

CustomProfileEntriesCustomEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type CustomProfileEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

CustomProfileEntriesPredefinedEntry

ID string

formatuuid

Confidence CustomProfileEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type CustomProfileEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant CustomProfileEntriesPredefinedEntryVariantoptional

TopicType CustomProfileEntriesPredefinedEntryVariantTopicType

One of the following:

const CustomProfileEntriesPredefinedEntryVariantTopicTypeIntent CustomProfileEntriesPredefinedEntryVariantTopicType = "Intent"

const CustomProfileEntriesPredefinedEntryVariantTopicTypeContent CustomProfileEntriesPredefinedEntryVariantTopicType = "Content"

Type CustomProfileEntriesPredefinedEntryVariantType

Description stringoptional

CustomProfileEntriesIntegrationEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type CustomProfileEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

CustomProfileEntriesExactDataEntry

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type CustomProfileEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

CustomProfileEntriesDocumentFingerprintEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type CustomProfileEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

CustomProfileEntriesWordListEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type CustomProfileEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

SensitivityLevels [][]stringoptional

Sensitivity levels associated with this profile as (group_id, level_id) tuples.

SharedEntries []CustomProfileSharedEntryoptional

One of the following:

CustomProfileSharedEntriesCustomEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type CustomProfileSharedEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

CustomProfileSharedEntriesPredefinedEntry

ID string

formatuuid

Confidence CustomProfileSharedEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type CustomProfileSharedEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant CustomProfileSharedEntriesPredefinedEntryVariantoptional

TopicType CustomProfileSharedEntriesPredefinedEntryVariantTopicType

One of the following:

const CustomProfileSharedEntriesPredefinedEntryVariantTopicTypeIntent CustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Intent"

const CustomProfileSharedEntriesPredefinedEntryVariantTopicTypeContent CustomProfileSharedEntriesPredefinedEntryVariantTopicType = "Content"

Type CustomProfileSharedEntriesPredefinedEntryVariantType

Description stringoptional

CustomProfileSharedEntriesIntegrationEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type CustomProfileSharedEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

CustomProfileSharedEntriesExactDataEntry

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type CustomProfileSharedEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

CustomProfileSharedEntriesDocumentFingerprintEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type CustomProfileSharedEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

CustomProfileSharedEntriesWordListEntry

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type CustomProfileSharedEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

type Pattern struct{…}

Regex string

DeprecatedValidation PatternValidationoptional

Zero TrustDLPProfilesPredefined

Get predefined profile config

client.ZeroTrust.DLP.Profiles.Predefined.Get(ctx, profileID, query) (*PredefinedProfile, error)

GET/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config

Update predefined profile config

client.ZeroTrust.DLP.Profiles.Predefined.Update(ctx, profileID, params) (*PredefinedProfile, error)

PUT/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config

Delete predefined profile

client.ZeroTrust.DLP.Profiles.Predefined.Delete(ctx, profileID, body) (*DLPProfilePredefinedDeleteResponse, error)

DELETE/accounts/{account_id}/dlp/profiles/predefined/{profile_id}

ModelsExpand Collapse

type PredefinedProfile struct{…}

ID string

The id of the predefined profile (uuid).

formatuuid

AllowedMatchCount int64

formatint32

ConfidenceThreshold string

EnabledEntries []string

Entries to enable for this predefined profile. Any entries not provided will be disabled.

DeprecatedEntries []PredefinedProfileEntry

This field has been deprecated for enabled_entries.

One of the following:

type PredefinedProfileEntriesCustomEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

DeprecatedEnabled bool

Name string

Pattern Pattern

Type PredefinedProfileEntriesCustomEntryType

UpdatedAt Time

formatdate-time

Description stringoptional

DeprecatedProfileID stringoptional

formatuuid

type PredefinedProfileEntriesPredefinedEntry struct{…}

ID string

formatuuid

Confidence PredefinedProfileEntriesPredefinedEntryConfidence

AIContextAvailable bool

Indicates whether this entry has AI remote service validation.

Available bool

Indicates whether this entry has any form of validation that is not an AI remote service.

Enabled bool

Name string

Type PredefinedProfileEntriesPredefinedEntryType

DeprecatedProfileID stringoptional

formatuuid

Variant PredefinedProfileEntriesPredefinedEntryVariantoptional

TopicType PredefinedProfileEntriesPredefinedEntryVariantTopicType

One of the following:

const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeIntent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Intent"

const PredefinedProfileEntriesPredefinedEntryVariantTopicTypeContent PredefinedProfileEntriesPredefinedEntryVariantTopicType = "Content"

Type PredefinedProfileEntriesPredefinedEntryVariantType

Description stringoptional

type PredefinedProfileEntriesIntegrationEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type PredefinedProfileEntriesIntegrationEntryType

UpdatedAt Time

formatdate-time

ProfileID stringoptional

formatuuid

type PredefinedProfileEntriesExactDataEntry struct{…}

ID string

formatuuid

CaseSensitive bool

Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true

CreatedAt Time

formatdate-time

Enabled bool

Name string

Secret bool

Type PredefinedProfileEntriesExactDataEntryType

UpdatedAt Time

formatdate-time

type PredefinedProfileEntriesDocumentFingerprintEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type PredefinedProfileEntriesDocumentFingerprintEntryType

UpdatedAt Time

formatdate-time

type PredefinedProfileEntriesWordListEntry struct{…}

ID string

formatuuid

CreatedAt Time

formatdate-time

Enabled bool

Name string

Type PredefinedProfileEntriesWordListEntryType

UpdatedAt Time

formatdate-time

WordList unknown

ProfileID stringoptional

formatuuid

Name string

The name of the predefined profile.

AIContextEnabled booloptional

OCREnabled booloptional

OpenAccess booloptional

Whether this profile can be accessed by anyone.

Zero TrustDLPLimits

Fetch limits associated with DLP for account

client.ZeroTrust.DLP.Limits.List(ctx, query) (*DLPLimitListResponse, error)

GET/accounts/{account_id}/dlp/limits

Zero TrustDLPEntries

List all entries

client.ZeroTrust.DLP.Entries.List(ctx, query) (*SinglePage[DLPEntryListResponse], error)

GET/accounts/{account_id}/dlp/entries

Get DLP Entry

client.ZeroTrust.DLP.Entries.Get(ctx, entryID, query) (*DLPEntryGetResponse, error)

GET/accounts/{account_id}/dlp/entries/{entry_id}

Create custom entry

client.ZeroTrust.DLP.Entries.New(ctx, params) (*DLPEntryNewResponse, error)

POST/accounts/{account_id}/dlp/entries

Update entry

client.ZeroTrust.DLP.Entries.Update(ctx, entryID, params) (*DLPEntryUpdateResponse, error)

PUT/accounts/{account_id}/dlp/entries/{entry_id}

Delete custom entry

client.ZeroTrust.DLP.Entries.Delete(ctx, entryID, body) (*DLPEntryDeleteResponse, error)

DELETE/accounts/{account_id}/dlp/entries/{entry_id}

Zero TrustDLPEntriesCustom

Create custom entry

client.ZeroTrust.DLP.Entries.Custom.New(ctx, params) (*DLPEntryCustomNewResponse, error)

POST/accounts/{account_id}/dlp/entries

Update custom entry

client.ZeroTrust.DLP.Entries.Custom.Update(ctx, entryID, params) (*DLPEntryCustomUpdateResponse, error)

PUT/accounts/{account_id}/dlp/entries/custom/{entry_id}

Delete custom entry

client.ZeroTrust.DLP.Entries.Custom.Delete(ctx, entryID, body) (*DLPEntryCustomDeleteResponse, error)

DELETE/accounts/{account_id}/dlp/entries/{entry_id}

Get DLP Entry

client.ZeroTrust.DLP.Entries.Custom.Get(ctx, entryID, query) (*DLPEntryCustomGetResponse, error)

GET/accounts/{account_id}/dlp/entries/{entry_id}

List all entries

client.ZeroTrust.DLP.Entries.Custom.List(ctx, query) (*SinglePage[DLPEntryCustomListResponse], error)

GET/accounts/{account_id}/dlp/entries

Zero TrustDLPEntriesPredefined

Create predefined entry

client.ZeroTrust.DLP.Entries.Predefined.New(ctx, params) (*DLPEntryPredefinedNewResponse, error)

POST/accounts/{account_id}/dlp/entries/predefined

Update predefined entry

client.ZeroTrust.DLP.Entries.Predefined.Update(ctx, entryID, params) (*DLPEntryPredefinedUpdateResponse, error)

PUT/accounts/{account_id}/dlp/entries/predefined/{entry_id}

Delete predefined entry

client.ZeroTrust.DLP.Entries.Predefined.Delete(ctx, entryID, body) (*DLPEntryPredefinedDeleteResponse, error)

DELETE/accounts/{account_id}/dlp/entries/predefined/{entry_id}

Get DLP Entry

client.ZeroTrust.DLP.Entries.Predefined.Get(ctx, entryID, query) (*DLPEntryPredefinedGetResponse, error)

GET/accounts/{account_id}/dlp/entries/{entry_id}

List all entries

client.ZeroTrust.DLP.Entries.Predefined.List(ctx, query) (*SinglePage[DLPEntryPredefinedListResponse], error)

GET/accounts/{account_id}/dlp/entries

Zero TrustDLPEntriesIntegration

Create integration entry

client.ZeroTrust.DLP.Entries.Integration.New(ctx, params) (*DLPEntryIntegrationNewResponse, error)

POST/accounts/{account_id}/dlp/entries/integration

Update integration entry

client.ZeroTrust.DLP.Entries.Integration.Update(ctx, entryID, params) (*DLPEntryIntegrationUpdateResponse, error)

PUT/accounts/{account_id}/dlp/entries/integration/{entry_id}

Delete integration entry

client.ZeroTrust.DLP.Entries.Integration.Delete(ctx, entryID, body) (*DLPEntryIntegrationDeleteResponse, error)

DELETE/accounts/{account_id}/dlp/entries/integration/{entry_id}

Get DLP Entry

client.ZeroTrust.DLP.Entries.Integration.Get(ctx, entryID, query) (*DLPEntryIntegrationGetResponse, error)

GET/accounts/{account_id}/dlp/entries/{entry_id}

List all entries

client.ZeroTrust.DLP.Entries.Integration.List(ctx, query) (*SinglePage[DLPEntryIntegrationListResponse], error)

GET/accounts/{account_id}/dlp/entries

Zero TrustGateway

Get Zero Trust account information

client.ZeroTrust.Gateway.List(ctx, query) (*GatewayListResponse, error)

GET/accounts/{account_id}/gateway

Create Zero Trust account

client.ZeroTrust.Gateway.New(ctx, body) (*GatewayNewResponse, error)

POST/accounts/{account_id}/gateway

Zero TrustGatewayAudit SSH Settings

Get Zero Trust SSH settings

client.ZeroTrust.Gateway.AuditSSHSettings.Get(ctx, query) (*GatewaySettings, error)

GET/accounts/{account_id}/gateway/audit_ssh_settings

Update Zero Trust SSH settings

client.ZeroTrust.Gateway.AuditSSHSettings.Update(ctx, params) (*GatewaySettings, error)

PUT/accounts/{account_id}/gateway/audit_ssh_settings

Rotate Zero Trust SSH account seed

client.ZeroTrust.Gateway.AuditSSHSettings.RotateSeed(ctx, body) (*GatewaySettings, error)

POST/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed

ModelsExpand Collapse

type GatewaySettings struct{…}

CreatedAt Timeoptional

formatdate-time

PublicKey stringoptional

Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.

SeedID stringoptional

Identify the seed ID.

maxLength36

UpdatedAt Timeoptional

formatdate-time

Zero TrustGatewayCategories

List categories

client.ZeroTrust.Gateway.Categories.List(ctx, query) (*SinglePage[Category], error)

GET/accounts/{account_id}/gateway/categories

ModelsExpand Collapse

type Category struct{…}

ID int64optional

Identify this category. Only one category per ID.

Beta booloptional

Indicate whether the category is in beta and subject to change.

Class CategoryClassoptional

Specify which account types can create policies for this category. blocked Blocks unconditionally for all accounts. removalPending Allows removal from policies but disables addition. noBlock Prevents blocking.

One of the following:

const CategoryClassFree CategoryClass = "free"

const CategoryClassPremium CategoryClass = "premium"

const CategoryClassBlocked CategoryClass = "blocked"

const CategoryClassRemovalPending CategoryClass = "removalPending"

const CategoryClassNoBlock CategoryClass = "noBlock"

Description stringoptional

Provide a short summary of domains in the category.

Name stringoptional

Specify the category name.

Subcategories []CategorySubcategoryoptional

Provide all subcategories for this category.

ID int64optional

Identify this category. Only one category per ID.

Beta booloptional

Indicate whether the category is in beta and subject to change.

Class CategorySubcategoriesClassoptional

Specify which account types can create policies for this category. blocked Blocks unconditionally for all accounts. removalPending Allows removal from policies but disables addition. noBlock Prevents blocking.

One of the following:

const CategorySubcategoriesClassFree CategorySubcategoriesClass = "free"

const CategorySubcategoriesClassPremium CategorySubcategoriesClass = "premium"

const CategorySubcategoriesClassBlocked CategorySubcategoriesClass = "blocked"

const CategorySubcategoriesClassRemovalPending CategorySubcategoriesClass = "removalPending"

const CategorySubcategoriesClassNoBlock CategorySubcategoriesClass = "noBlock"

Description stringoptional

Provide a short summary of domains in the category.

Name stringoptional

Specify the category name.

Zero TrustGatewayApp Types

List application and application type mappings

client.ZeroTrust.Gateway.AppTypes.List(ctx, query) (*SinglePage[AppType], error)

GET/accounts/{account_id}/gateway/app_types

ModelsExpand Collapse

type AppType interface{…}

One of the following:

type AppTypeZeroTrustGatewayApplication struct{…}

ID int64optional

Identify this application. Only one application per ID.

ApplicationTypeID int64optional

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

CreatedAt Timeoptional

formatdate-time

Name stringoptional

Specify the name of the application or application type.

type AppTypeZeroTrustGatewayApplicationType struct{…}

ID int64optional

Identify the type of this application. Multiple applications can share the same type. Refers to the id of a returned application type.

CreatedAt Timeoptional

formatdate-time

Description stringoptional

Provide a short summary of applications with this type.

Name stringoptional

Specify the name of the application or application type.

Zero TrustGatewayConfigurations

Get Zero Trust account configuration

client.ZeroTrust.Gateway.Configurations.Get(ctx, query) (*GatewayConfigurationGetResponse, error)

GET/accounts/{account_id}/gateway/configuration

Update Zero Trust account configuration

client.ZeroTrust.Gateway.Configurations.Update(ctx, params) (*GatewayConfigurationUpdateResponse, error)

PUT/accounts/{account_id}/gateway/configuration

Patch Zero Trust account configuration

client.ZeroTrust.Gateway.Configurations.Edit(ctx, params) (*GatewayConfigurationEditResponse, error)

PATCH/accounts/{account_id}/gateway/configuration

ModelsExpand Collapse

type ActivityLogSettings struct{…}

Specify activity log settings.

Enabled booloptional

Specify whether to log activity.

type AntiVirusSettings struct{…}

Specify anti-virus settings.

EnabledDownloadPhase booloptional

Specify whether to enable anti-virus scanning on downloads.

EnabledUploadPhase booloptional

Specify whether to enable anti-virus scanning on uploads.

FailClosed booloptional

Specify whether to block requests for unscannable files.

NotificationSettings NotificationSettingsoptional

Configure the message the user's device shows during an antivirus scan.

type BlockPageSettings struct{…}

Specify block page layout settings.

BackgroundColor stringoptional

Specify the block page background color in #rrggbb format when the mode is customized_block_page.

Enabled booloptional

Specify whether to enable the custom block page.

FooterText stringoptional

Specify the block page footer text when the mode is customized_block_page.

HeaderText stringoptional

Specify the block page header text when the mode is customized_block_page.

IncludeContext booloptional

Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.

LogoPath stringoptional

Specify the full URL to the logo file when the mode is customized_block_page.

MailtoAddress stringoptional

Specify the admin email for users to contact when the mode is customized_block_page.

MailtoSubject stringoptional

Specify the subject line for emails created from the block page when the mode is customized_block_page.

Mode BlockPageSettingsModeoptional

Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.

One of the following:

const BlockPageSettingsModeEmpty BlockPageSettingsMode = ""

const BlockPageSettingsModeCustomizedBlockPage BlockPageSettingsMode = "customized_block_page"

const BlockPageSettingsModeRedirectURI BlockPageSettingsMode = "redirect_uri"

Name stringoptional

Specify the block page title when the mode is customized_block_page.

ReadOnly booloptional

Indicate that this setting was shared via the Orgs API and read only for the current account.

SourceAccount stringoptional

Indicate the account tag of the account that shared this setting.

SuppressFooter booloptional

Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.

TargetURI stringoptional

Specify the URI to redirect users to when the mode is redirect_uri.

formaturi

Version int64optional

Indicate the version number of the setting.

type BodyScanningSettings struct{…}

Specify the DLP inspection mode.

InspectionMode BodyScanningSettingsInspectionModeoptional

Specify the inspection mode as either deep or shallow.

One of the following:

const BodyScanningSettingsInspectionModeDeep BodyScanningSettingsInspectionMode = "deep"

const BodyScanningSettingsInspectionModeShallow BodyScanningSettingsInspectionMode = "shallow"

type BrowserIsolationSettings struct{…}

Specify Clientless Browser Isolation settings.

NonIdentityEnabled booloptional

Specify whether to enable non-identity onramp support for Browser Isolation.

URLBrowserIsolationEnabled booloptional

Specify whether to enable Clientless Browser Isolation.

type CustomCertificateSettings struct{…}

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

Enabled bool

Specify whether to enable a custom certificate authority for signing Gateway traffic.

ID stringoptional

Specify the UUID of the certificate (ID from MTLS certificate store).

BindingStatus stringoptional

Indicate the internal certificate status.

UpdatedAt Timeoptional

formatdate-time

type ExtendedEmailMatching struct{…}

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

Enabled booloptional

Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.

ReadOnly booloptional

Indicate that this setting was shared via the Orgs API and read only for the current account.

SourceAccount stringoptional

Indicate the account tag of the account that shared this setting.

Version int64optional

Indicate the version number of the setting.

type FipsSettings struct{…}

Specify FIPS settings.

TLS booloptional

Enforce cipher suites and TLS versions compliant with FIPS 140-2.

type GatewayConfigurationSettings struct{…}

Specify account settings.

ActivityLog ActivityLogSettingsoptional

Specify activity log settings.

Antivirus AntiVirusSettingsoptional

Specify anti-virus settings.

BlockPage BlockPageSettingsoptional

Specify block page layout settings.

BodyScanning BodyScanningSettingsoptional

Specify the DLP inspection mode.

BrowserIsolation BrowserIsolationSettingsoptional

Specify Clientless Browser Isolation settings.

Certificate GatewayConfigurationSettingsCertificateoptional

Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.

ID string

Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge(previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.

DeprecatedCustomCertificate CustomCertificateSettingsoptional

Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.

ExtendedEmailMatching ExtendedEmailMatchingoptional

Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.

Fips FipsSettingsoptional

Specify FIPS settings.

HostSelector GatewayConfigurationSettingsHostSelectoroptional

Enable host selection in egress policies.

Enabled booloptional

Specify whether to enable filtering via hosts for egress policies.

Inspection GatewayConfigurationSettingsInspectionoptional

Define the proxy inspection mode.

Mode GatewayConfigurationSettingsInspectionModeoptional

Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.

One of the following:

const GatewayConfigurationSettingsInspectionModeStatic GatewayConfigurationSettingsInspectionMode = "static"

const GatewayConfigurationSettingsInspectionModeDynamic GatewayConfigurationSettingsInspectionMode = "dynamic"

ProtocolDetection ProtocolDetectionoptional

Specify whether to detect protocols from the initial bytes of client traffic.

Sandbox GatewayConfigurationSettingsSandboxoptional

Specify whether to enable the sandbox.

Enabled booloptional

Specify whether to enable the sandbox.

FallbackAction GatewayConfigurationSettingsSandboxFallbackActionoptional

Specify the action to take when the system cannot scan the file.

One of the following:

const GatewayConfigurationSettingsSandboxFallbackActionAllow GatewayConfigurationSettingsSandboxFallbackAction = "allow"

const GatewayConfigurationSettingsSandboxFallbackActionBlock GatewayConfigurationSettingsSandboxFallbackAction = "block"

TLSDecrypt TLSSettingsoptional

Specify whether to inspect encrypted HTTP traffic.

type NotificationSettings struct{…}

Configure the message the user's device shows during an antivirus scan.

Enabled booloptional

Specify whether to enable notifications.

IncludeContext booloptional

Specify whether to include context information as query parameters.

Msg stringoptional

Specify the message to show in the notification.

SupportURL stringoptional

Specify a URL that directs users to more information. If unset, the notification opens a block page.

type ProtocolDetection struct{…}

Specify whether to detect protocols from the initial bytes of client traffic.

Enabled booloptional

Specify whether to detect protocols from the initial bytes of client traffic.

type TLSSettings struct{…}

Specify whether to inspect encrypted HTTP traffic.

Enabled booloptional

Specify whether to inspect encrypted HTTP traffic.

Zero TrustGatewayConfigurationsCustom Certificate

Get Zero Trust certificate configuration

Deprecated

client.ZeroTrust.Gateway.Configurations.CustomCertificate.Get(ctx, query) (*CustomCertificateSettings, error)

GET/accounts/{account_id}/gateway/configuration/custom_certificate

Zero TrustGatewayLists

List Zero Trust lists

client.ZeroTrust.Gateway.Lists.List(ctx, params) (*SinglePage[GatewayList], error)

GET/accounts/{account_id}/gateway/lists

Get Zero Trust list details

client.ZeroTrust.Gateway.Lists.Get(ctx, listID, query) (*GatewayList, error)

GET/accounts/{account_id}/gateway/lists/{list_id}

Create Zero Trust list

client.ZeroTrust.Gateway.Lists.New(ctx, params) (*GatewayListNewResponse, error)

POST/accounts/{account_id}/gateway/lists

Update Zero Trust list

client.ZeroTrust.Gateway.Lists.Update(ctx, listID, params) (*GatewayList, error)

PUT/accounts/{account_id}/gateway/lists/{list_id}

Patch Zero Trust list.

client.ZeroTrust.Gateway.Lists.Edit(ctx, listID, params) (*GatewayList, error)

PATCH/accounts/{account_id}/gateway/lists/{list_id}

Delete Zero Trust list

client.ZeroTrust.Gateway.Lists.Delete(ctx, listID, body) (*GatewayListDeleteResponse, error)

DELETE/accounts/{account_id}/gateway/lists/{list_id}

ModelsExpand Collapse

type GatewayItem struct{…}

CreatedAt Timeoptional

formatdate-time

Description stringoptional

Provide the list item description (optional).

minimum0

Value stringoptional

Specify the item value.

type GatewayList struct{…}

ID stringoptional

Identify the API resource with a UUID.

maxLength36

Count float64optional

Indicate the number of items in the list.

CreatedAt Timeoptional

formatdate-time

Description stringoptional

Provide the list description.

Items []GatewayItemoptional

Provide the list items.

CreatedAt Timeoptional

formatdate-time

Description stringoptional

Provide the list item description (optional).

minimum0

Value stringoptional

Specify the item value.

Name stringoptional

Specify the list name.

Type GatewayListTypeoptional

Specify the list type.

One of the following:

const GatewayListTypeSerial GatewayListType = "SERIAL"

const GatewayListTypeURL GatewayListType = "URL"

const GatewayListTypeDomain GatewayListType = "DOMAIN"

const GatewayListTypeEmail GatewayListType = "EMAIL"

const GatewayListTypeIP GatewayListType = "IP"

const GatewayListTypeCategory GatewayListType = "CATEGORY"

const GatewayListTypeLocation GatewayListType = "LOCATION"

const GatewayListTypeDevice GatewayListType = "DEVICE"

UpdatedAt Timeoptional

formatdate-time

Zero TrustGatewayListsItems

Get Zero Trust list items

client.ZeroTrust.Gateway.Lists.Items.List(ctx, listID, query) (*SinglePage[[]GatewayItem], error)

GET/accounts/{account_id}/gateway/lists/{list_id}/items

Zero TrustGatewayLocations

List Zero Trust Gateway locations

client.ZeroTrust.Gateway.Locations.List(ctx, query) (*SinglePage[Location], error)

GET/accounts/{account_id}/gateway/locations

Get Zero Trust Gateway location details

client.ZeroTrust.Gateway.Locations.Get(ctx, locationID, query) (*Location, error)

GET/accounts/{account_id}/gateway/locations/{location_id}

Create a Zero Trust Gateway location

client.ZeroTrust.Gateway.Locations.New(ctx, params) (*Location, error)

POST/accounts/{account_id}/gateway/locations

Update a Zero Trust Gateway location

client.ZeroTrust.Gateway.Locations.Update(ctx, locationID, params) (*Location, error)

PUT/accounts/{account_id}/gateway/locations/{location_id}

Delete a Zero Trust Gateway location

client.ZeroTrust.Gateway.Locations.Delete(ctx, locationID, body) (*GatewayLocationDeleteResponse, error)

DELETE/accounts/{account_id}/gateway/locations/{location_id}

ModelsExpand Collapse

type DOHEndpoint struct{…}

Enabled booloptional

Indicate whether the DOH endpoint is enabled for this location.

Networks []IPNetworkoptional

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

Network string

Specify the IP address or IP CIDR.

RequireToken booloptional

Specify whether the DOH endpoint requires user identity authentication.

type DOTEndpoint struct{…}

Enabled booloptional

Indicate whether the DOT endpoint is enabled for this location.

Networks []IPNetworkoptional

Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

Network string

Specify the IP address or IP CIDR.

type Endpoint struct{…}

Configure the destination endpoints for this location.

DOH DOHEndpoint

DOT DOTEndpoint

IPV4 IPV4Endpoint

IPV6 IPV6Endpoint

type IPNetwork struct{…}

Network string

Specify the IP address or IP CIDR.

type IPV4Endpoint struct{…}

Enabled booloptional

Indicate whether the IPv4 endpoint is enabled for this location.

type IPV6Endpoint struct{…}

Enabled booloptional

Indicate whether the IPV6 endpoint is enabled for this location.

Networks []IPV6Networkoptional

Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.

Network string

Specify the IPv6 address or IPv6 CIDR.

type IPV6Network struct{…}

Network string

Specify the IPv6 address or IPv6 CIDR.

type Location struct{…}

ID stringoptional

ClientDefault booloptional

Indicate whether this location is the default location.

CreatedAt Timeoptional

formatdate-time

DNSDestinationIPsID stringoptional

Indicate the identifier of the pair of IPv4 addresses assigned to this location.

DNSDestinationIPV6BlockID stringoptional

Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.

DOHSubdomain stringoptional

Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.

ECSSupport booloptional

Indicate whether the location must resolve EDNS queries.

Endpoints Endpointoptional

Configure the destination endpoints for this location.

IP stringoptional

Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.

IPV4Destination stringoptional

Show the primary destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only.

IPV4DestinationBackup stringoptional

Show the backup destination IPv4 address from the pair identified dns_destination_ips_id. This field read-only.

Name stringoptional

Specify the location name.

Networks []LocationNetworkoptional

Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.

Network string

Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

UpdatedAt Timeoptional

formatdate-time

Zero TrustGatewayLogging

Get logging settings for the Zero Trust account

client.ZeroTrust.Gateway.Logging.Get(ctx, query) (*LoggingSetting, error)

GET/accounts/{account_id}/gateway/logging

Update Zero Trust account logging settings

client.ZeroTrust.Gateway.Logging.Update(ctx, params) (*LoggingSetting, error)

PUT/accounts/{account_id}/gateway/logging

ModelsExpand Collapse

type LoggingSetting struct{…}

RedactPii booloptional

Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).

SettingsByRuleType LoggingSettingSettingsByRuleTypeoptional

Configure logging settings for each rule type.

DNS LoggingSettingSettingsByRuleTypeDNSoptional

Configure logging settings for DNS firewall.

LogAll booloptional

Specify whether to log all requests to this service.

LogBlocks booloptional

Specify whether to log only blocking requests to this service.

HTTP LoggingSettingSettingsByRuleTypeHTTPoptional

Configure logging settings for HTTP/HTTPS firewall.

LogAll booloptional

Specify whether to log all requests to this service.

LogBlocks booloptional

Specify whether to log only blocking requests to this service.

L4 LoggingSettingSettingsByRuleTypeL4optional

Configure logging settings for Network firewall.

LogAll booloptional

Specify whether to log all requests to this service.

LogBlocks booloptional

Specify whether to log only blocking requests to this service.

Zero TrustGatewayProxy Endpoints

List proxy endpoints

client.ZeroTrust.Gateway.ProxyEndpoints.List(ctx, query) (*SinglePage[ProxyEndpoint], error)

GET/accounts/{account_id}/gateway/proxy_endpoints

Get a proxy endpoint

client.ZeroTrust.Gateway.ProxyEndpoints.Get(ctx, proxyEndpointID, query) (*ProxyEndpoint, error)

GET/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

Create a proxy endpoint

client.ZeroTrust.Gateway.ProxyEndpoints.New(ctx, params) (*ProxyEndpoint, error)

POST/accounts/{account_id}/gateway/proxy_endpoints

Update a proxy endpoint

client.ZeroTrust.Gateway.ProxyEndpoints.Edit(ctx, proxyEndpointID, params) (*ProxyEndpoint, error)

PATCH/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

Delete a proxy endpoint

client.ZeroTrust.Gateway.ProxyEndpoints.Delete(ctx, proxyEndpointID, body) (*GatewayProxyEndpointDeleteResponse, error)

DELETE/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}

ModelsExpand Collapse

type GatewayIPs string

Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25.

type ProxyEndpoint interface{…}

One of the following:

type ProxyEndpointZeroTrustGatewayProxyEndpointIP struct{…}

IPs []GatewayIPs

Specify the list of CIDRs to restrict ingress connections.

Name string

Specify the name of the proxy endpoint.

ID stringoptional

CreatedAt Timeoptional

formatdate-time

Kind ProxyEndpointZeroTrustGatewayProxyEndpointIPKindoptional

The proxy endpoint kind

Subdomain stringoptional

Specify the subdomain to use as the destination in the proxy client.

UpdatedAt Timeoptional

formatdate-time

type ProxyEndpointZeroTrustGatewayProxyEndpointIdentity struct{…}

Kind ProxyEndpointZeroTrustGatewayProxyEndpointIdentityKind

The proxy endpoint kind

Name string

Specify the name of the proxy endpoint.

ID stringoptional

CreatedAt Timeoptional

formatdate-time

Subdomain stringoptional

Specify the subdomain to use as the destination in the proxy client.

UpdatedAt Timeoptional

formatdate-time

Zero TrustGatewayRules

List Zero Trust Gateway rules

client.ZeroTrust.Gateway.Rules.List(ctx, query) (*SinglePage[GatewayRule], error)

GET/accounts/{account_id}/gateway/rules

Get Zero Trust Gateway rule details.

client.ZeroTrust.Gateway.Rules.Get(ctx, ruleID, query) (*GatewayRule, error)

GET/accounts/{account_id}/gateway/rules/{rule_id}

Create a Zero Trust Gateway rule

client.ZeroTrust.Gateway.Rules.New(ctx, params) (*GatewayRule, error)

POST/accounts/{account_id}/gateway/rules

Update a Zero Trust Gateway rule

client.ZeroTrust.Gateway.Rules.Update(ctx, ruleID, params) (*GatewayRule, error)

PUT/accounts/{account_id}/gateway/rules/{rule_id}

Delete a Zero Trust Gateway rule

client.ZeroTrust.Gateway.Rules.Delete(ctx, ruleID, body) (*GatewayRuleDeleteResponse, error)

DELETE/accounts/{account_id}/gateway/rules/{rule_id}

List Zero Trust Gateway rules inherited from the parent account

client.ZeroTrust.Gateway.Rules.ListTenant(ctx, query) (*SinglePage[GatewayRule], error)

GET/accounts/{account_id}/gateway/rules/tenant

Reset the expiration of a Zero Trust Gateway Rule

client.ZeroTrust.Gateway.Rules.ResetExpiration(ctx, ruleID, body) (*GatewayRule, error)

POST/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration

ModelsExpand Collapse

type DNSResolverSettingsV4 struct{…}

IP string

Specify the IPv4 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

type DNSResolverSettingsV6 struct{…}

IP string

Specify the IPv6 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

type GatewayFilter string

Specify the protocol or layer to use.

One of the following:

const GatewayFilterHTTP GatewayFilter = "http"

const GatewayFilterDNS GatewayFilter = "dns"

const GatewayFilterL4 GatewayFilter = "l4"

const GatewayFilterEgress GatewayFilter = "egress"

const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"

type GatewayRule struct{…}

Action GatewayRuleAction

Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to true.

One of the following:

const GatewayRuleActionOn GatewayRuleAction = "on"

const GatewayRuleActionOff GatewayRuleAction = "off"

const GatewayRuleActionAllow GatewayRuleAction = "allow"

const GatewayRuleActionBlock GatewayRuleAction = "block"

const GatewayRuleActionScan GatewayRuleAction = "scan"

const GatewayRuleActionNoscan GatewayRuleAction = "noscan"

const GatewayRuleActionSafesearch GatewayRuleAction = "safesearch"

const GatewayRuleActionYtrestricted GatewayRuleAction = "ytrestricted"

const GatewayRuleActionIsolate GatewayRuleAction = "isolate"

const GatewayRuleActionNoisolate GatewayRuleAction = "noisolate"

const GatewayRuleActionOverride GatewayRuleAction = "override"

const GatewayRuleActionL4Override GatewayRuleAction = "l4_override"

const GatewayRuleActionEgress GatewayRuleAction = "egress"

const GatewayRuleActionResolve GatewayRuleAction = "resolve"

const GatewayRuleActionQuarantine GatewayRuleAction = "quarantine"

const GatewayRuleActionRedirect GatewayRuleAction = "redirect"

Enabled bool

Specify whether the rule is enabled.

Filters []GatewayFilter

Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.

One of the following:

const GatewayFilterHTTP GatewayFilter = "http"

const GatewayFilterDNS GatewayFilter = "dns"

const GatewayFilterL4 GatewayFilter = "l4"

const GatewayFilterEgress GatewayFilter = "egress"

const GatewayFilterDNSResolver GatewayFilter = "dns_resolver"

Name string

Specify the rule name.

Precedence int64

Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.

Traffic string

Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

ID stringoptional

Identify the API resource with a UUID.

maxLength36

CreatedAt Timeoptional

formatdate-time

DeletedAt Timeoptional

Indicate the date of deletion, if any.

formatdate-time

Description stringoptional

Specify the rule description.

DevicePosture stringoptional

Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

Expiration GatewayRuleExpirationoptional

Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.

ExpiresAt Time

Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.

formatdate-time

Duration int64optional

Defines the default duration a policy active in minutes. Must set in order to use the reset_expiration endpoint on this rule.

minimum5

Expired booloptional

Indicates whether the policy is expired.

Identity stringoptional

Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

ReadOnly booloptional

Indicate that this rule is shared via the Orgs API and read only.

RuleSettings RuleSettingoptional

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

Schedule Scheduleoptional

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

Sharable booloptional

Indicate that this rule is sharable via the Orgs API.

SourceAccount stringoptional

Provide the account tag of the account that created the rule.

UpdatedAt Timeoptional

formatdate-time

Version int64optional

Indicate the version number of the rule(read-only).

WarningStatus stringoptional

Indicate a warning for a misconfigured rule, if any.

type RuleSetting struct{…}

Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.

AddHeaders map[string, []string]optional

Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.

AllowChildBypass booloptional

Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. this rule. Settable for all types of rules.

AuditSSH RuleSettingAuditSSHoptional

Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.

CommandLogging booloptional

Enable SSH command logging.

BISOAdminControls RuleSettingBISOAdminControlsoptional

Configure browser isolation behavior. Settable only for http rules with the action set to isolate.

Copy RuleSettingBISOAdminControlsCopyoptional

Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".

One of the following:

const RuleSettingBISOAdminControlsCopyEnabled RuleSettingBISOAdminControlsCopy = "enabled"

const RuleSettingBISOAdminControlsCopyDisabled RuleSettingBISOAdminControlsCopy = "disabled"

const RuleSettingBISOAdminControlsCopyRemoteOnly RuleSettingBISOAdminControlsCopy = "remote_only"

DCP booloptional

Set to false to enable copy-pasting. Only applies when version == "v1".

DD booloptional

Set to false to enable downloading. Only applies when version == "v1".

DK booloptional

Set to false to enable keyboard usage. Only applies when version == "v1".

Download RuleSettingBISOAdminControlsDownloadoptional

Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".

One of the following:

const RuleSettingBISOAdminControlsDownloadEnabled RuleSettingBISOAdminControlsDownload = "enabled"

const RuleSettingBISOAdminControlsDownloadDisabled RuleSettingBISOAdminControlsDownload = "disabled"

const RuleSettingBISOAdminControlsDownloadRemoteOnly RuleSettingBISOAdminControlsDownload = "remote_only"

DP booloptional

Set to false to enable printing. Only applies when version == "v1".

DU booloptional

Set to false to enable uploading. Only applies when version == "v1".

Keyboard RuleSettingBISOAdminControlsKeyboardoptional

Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".

One of the following:

const RuleSettingBISOAdminControlsKeyboardEnabled RuleSettingBISOAdminControlsKeyboard = "enabled"

const RuleSettingBISOAdminControlsKeyboardDisabled RuleSettingBISOAdminControlsKeyboard = "disabled"

Paste RuleSettingBISOAdminControlsPasteoptional

Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".

One of the following:

const RuleSettingBISOAdminControlsPasteEnabled RuleSettingBISOAdminControlsPaste = "enabled"

const RuleSettingBISOAdminControlsPasteDisabled RuleSettingBISOAdminControlsPaste = "disabled"

const RuleSettingBISOAdminControlsPasteRemoteOnly RuleSettingBISOAdminControlsPaste = "remote_only"

Printing RuleSettingBISOAdminControlsPrintingoptional

Configure print behavior. Default, Printing is enabled. Applies only when version == "v2".

One of the following:

const RuleSettingBISOAdminControlsPrintingEnabled RuleSettingBISOAdminControlsPrinting = "enabled"

const RuleSettingBISOAdminControlsPrintingDisabled RuleSettingBISOAdminControlsPrinting = "disabled"

Upload RuleSettingBISOAdminControlsUploadoptional

Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".

One of the following:

const RuleSettingBISOAdminControlsUploadEnabled RuleSettingBISOAdminControlsUpload = "enabled"

const RuleSettingBISOAdminControlsUploadDisabled RuleSettingBISOAdminControlsUpload = "disabled"

Version RuleSettingBISOAdminControlsVersionoptional

Indicate which version of the browser isolation controls should apply.

One of the following:

const RuleSettingBISOAdminControlsVersionV1 RuleSettingBISOAdminControlsVersion = "v1"

const RuleSettingBISOAdminControlsVersionV2 RuleSettingBISOAdminControlsVersion = "v2"

BlockPage RuleSettingBlockPageoptional

Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.

TargetURI string

Specify the URI to which the user is redirected.

formaturi

IncludeContext booloptional

Specify whether to pass the context information as query parameters.

BlockPageEnabled booloptional

Enable the custom block page. Settable only for dns rules with action block.

BlockReason stringoptional

Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action set to block.

BypassParentRule booloptional

Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.

CheckSession RuleSettingCheckSessionoptional

Configure session check behavior. Settable only for l4 and http rules with the action set to allow.

Duration stringoptional

Sets the required session freshness threshold. The API returns a normalized version of this value.

Enforce booloptional

Enable session enforcement.

DNSResolvers RuleSettingDNSResolversoptional

Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

IPV4 []DNSResolverSettingsV4optional

IP string

Specify the IPv4 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

IPV6 []DNSResolverSettingsV6optional

IP string

Specify the IPv6 address of the upstream resolver.

Port int64optional

Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.

RouteThroughPrivateNetwork booloptional

Indicate whether to connect to this resolver over a private network. Must set when vnet_id set.

VnetID stringoptional

Specify an optional virtual network for this resolver. Uses default virtual network id if omitted.

Egress RuleSettingEgressoptional

Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.

IPV4 stringoptional

Specify the IPv4 address to use for egress.

IPV4Fallback stringoptional

Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.

IPV6 stringoptional

Specify the IPv6 range to use for egress.

ForensicCopy RuleSettingForensicCopyoptional

Configure whether a copy of the HTTP request will be sent to storage when the rule matches.

Enabled booloptional

Enable sending the copy to storage.

IgnoreCNAMECategoryMatches booloptional

Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.

InsecureDisableDNSSECValidation booloptional

Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.

IPCategories booloptional

Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.

IPIndicatorFeeds booloptional

Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.

L4override RuleSettingL4overrideoptional

Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.

IP stringoptional

Defines the IPv4 or IPv6 address.

Port int64optional

Defines a port number to use for TCP/UDP overrides.

NotificationSettings RuleSettingNotificationSettingsoptional

Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to block.

Enabled booloptional

Enable notification.

IncludeContext booloptional

Indicates whether to pass the context information as query parameters.

Msg stringoptional

Customize the message shown in the notification.

SupportURL stringoptional

Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.

OverrideHost stringoptional

Defines a hostname for override, for the matching DNS queries. Settable only for dns rules with the action set to override.

OverrideIPs []stringoptional

Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.

PayloadLog RuleSettingPayloadLogoptional

Configure DLP payload logging. Settable only for http rules.

Enabled booloptional

Enable DLP payload logging for this rule.

Quarantine RuleSettingQuarantineoptional

Configure settings that apply to quarantine rules. Settable only for http rules.

FileTypes []RuleSettingQuarantineFileTypeoptional

Specify the types of files to sandbox.

One of the following:

const RuleSettingQuarantineFileTypeExe RuleSettingQuarantineFileType = "exe"

const RuleSettingQuarantineFileTypePDF RuleSettingQuarantineFileType = "pdf"

const RuleSettingQuarantineFileTypeDoc RuleSettingQuarantineFileType = "doc"

const RuleSettingQuarantineFileTypeDocm RuleSettingQuarantineFileType = "docm"

const RuleSettingQuarantineFileTypeDocx RuleSettingQuarantineFileType = "docx"

const RuleSettingQuarantineFileTypeRtf RuleSettingQuarantineFileType = "rtf"

const RuleSettingQuarantineFileTypePpt RuleSettingQuarantineFileType = "ppt"

const RuleSettingQuarantineFileTypePptx RuleSettingQuarantineFileType = "pptx"

const RuleSettingQuarantineFileTypeXls RuleSettingQuarantineFileType = "xls"

const RuleSettingQuarantineFileTypeXlsm RuleSettingQuarantineFileType = "xlsm"

const RuleSettingQuarantineFileTypeXlsx RuleSettingQuarantineFileType = "xlsx"

const RuleSettingQuarantineFileTypeZip RuleSettingQuarantineFileType = "zip"

const RuleSettingQuarantineFileTypeRar RuleSettingQuarantineFileType = "rar"

Redirect RuleSettingRedirectoptional

Apply settings to redirect rules. Settable only for http rules with the action set to redirect.

TargetURI string

Specify the URI to which the user is redirected.

formaturi

IncludeContext booloptional

Specify whether to pass the context information as query parameters.

PreservePathAndQuery booloptional

Specify whether to append the path and query parameters from the original request to target_uri.

ResolveDNSInternally RuleSettingResolveDNSInternallyoptional

Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

Fallback RuleSettingResolveDNSInternallyFallbackoptional

Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.

One of the following:

const RuleSettingResolveDNSInternallyFallbackNone RuleSettingResolveDNSInternallyFallback = "none"

const RuleSettingResolveDNSInternallyFallbackPublicDNS RuleSettingResolveDNSInternallyFallback = "public_dns"

ViewID stringoptional

Specify the internal DNS view identifier to pass to the internal DNS service.

ResolveDNSThroughCloudflare booloptional

Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for dns_resolver rules.

UntrustedCERT RuleSettingUntrustedCERToptional

Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for http rules with the action set to allow.

Action RuleSettingUntrustedCERTActionoptional

Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526.

One of the following:

const RuleSettingUntrustedCERTActionPassThrough RuleSettingUntrustedCERTAction = "pass_through"

const RuleSettingUntrustedCERTActionBlock RuleSettingUntrustedCERTAction = "block"

const RuleSettingUntrustedCERTActionError RuleSettingUntrustedCERTAction = "error"

type Schedule struct{…}

Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.

Fri stringoptional

Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

Mon stringoptional

Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

Sat stringoptional

Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

Sun stringoptional

Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

Thu stringoptional

Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

TimeZone stringoptional

Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location.

Tue stringoptional

Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

Wed stringoptional

Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used.

Zero TrustGatewayCertificates

List Zero Trust certificates

client.ZeroTrust.Gateway.Certificates.List(ctx, query) (*SinglePage[GatewayCertificateListResponse], error)

GET/accounts/{account_id}/gateway/certificates

Get Zero Trust certificate details

client.ZeroTrust.Gateway.Certificates.Get(ctx, certificateID, query) (*GatewayCertificateGetResponse, error)

GET/accounts/{account_id}/gateway/certificates/{certificate_id}

Create Zero Trust certificate

client.ZeroTrust.Gateway.Certificates.New(ctx, params) (*GatewayCertificateNewResponse, error)

POST/accounts/{account_id}/gateway/certificates

Delete Zero Trust certificate

client.ZeroTrust.Gateway.Certificates.Delete(ctx, certificateID, body) (*GatewayCertificateDeleteResponse, error)

DELETE/accounts/{account_id}/gateway/certificates/{certificate_id}

Activate a Zero Trust certificate

client.ZeroTrust.Gateway.Certificates.Activate(ctx, certificateID, params) (*GatewayCertificateActivateResponse, error)

POST/accounts/{account_id}/gateway/certificates/{certificate_id}/activate

Deactivate a Zero Trust certificate

client.ZeroTrust.Gateway.Certificates.Deactivate(ctx, certificateID, params) (*GatewayCertificateDeactivateResponse, error)

POST/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate

Zero TrustGatewayPacfiles

List PAC files

client.ZeroTrust.Gateway.Pacfiles.List(ctx, query) (*SinglePage[GatewayPacfileListResponse], error)

GET/accounts/{account_id}/gateway/pacfiles

Get a PAC file

client.ZeroTrust.Gateway.Pacfiles.Get(ctx, pacfileID, query) (*GatewayPacfileGetResponse, error)

GET/accounts/{account_id}/gateway/pacfiles/{pacfile_id}

Create a PAC file

client.ZeroTrust.Gateway.Pacfiles.New(ctx, params) (*GatewayPacfileNewResponse, error)

POST/accounts/{account_id}/gateway/pacfiles

Update a Zero Trust Gateway PAC file

client.ZeroTrust.Gateway.Pacfiles.Update(ctx, pacfileID, params) (*GatewayPacfileUpdateResponse, error)

PUT/accounts/{account_id}/gateway/pacfiles/{pacfile_id}

Delete a PAC file

client.ZeroTrust.Gateway.Pacfiles.Delete(ctx, pacfileID, body) (*GatewayPacfileDeleteResponse, error)

DELETE/accounts/{account_id}/gateway/pacfiles/{pacfile_id}

Zero TrustNetworks

Zero TrustNetworksRoutes

List tunnel routes

client.ZeroTrust.Networks.Routes.List(ctx, params) (*V4PagePaginationArray[Teamnet], error)

GET/accounts/{account_id}/teamnet/routes

Get tunnel route

client.ZeroTrust.Networks.Routes.Get(ctx, routeID, query) (*Route, error)

GET/accounts/{account_id}/teamnet/routes/{route_id}

Create a tunnel route

client.ZeroTrust.Networks.Routes.New(ctx, params) (*Route, error)

POST/accounts/{account_id}/teamnet/routes

Update a tunnel route

client.ZeroTrust.Networks.Routes.Edit(ctx, routeID, params) (*Route, error)

PATCH/accounts/{account_id}/teamnet/routes/{route_id}

Delete a tunnel route

client.ZeroTrust.Networks.Routes.Delete(ctx, routeID, body) (*Route, error)

DELETE/accounts/{account_id}/teamnet/routes/{route_id}

ModelsExpand Collapse

type NetworkRoute struct{…}

ID stringoptional

UUID of the route.

maxLength36

Comment stringoptional

Optional remark describing the route.

maxLength100

CreatedAt Timeoptional

Timestamp of when the resource was created.

formatdate-time

DeletedAt Timeoptional

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

formatdate-time

Network stringoptional

The private IPv4 or IPv6 range connected by the route, in CIDR notation.

TunnelID stringoptional

UUID of the tunnel.

formatuuid

maxLength36

VirtualNetworkID stringoptional

UUID of the virtual network.

formatuuid

type Route struct{…}

ID stringoptional

UUID of the route.

maxLength36

Comment stringoptional

Optional remark describing the route.

maxLength100

CreatedAt Timeoptional

Timestamp of when the resource was created.

formatdate-time

DeletedAt Timeoptional

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

formatdate-time

Network stringoptional

The private IPv4 or IPv6 range connected by the route, in CIDR notation.

TunnelID stringoptional

UUID of the tunnel.

formatuuid

maxLength36

VirtualNetworkID stringoptional

UUID of the virtual network.

formatuuid

type Teamnet struct{…}

ID stringoptional

UUID of the route.

maxLength36

Comment stringoptional

Optional remark describing the route.

maxLength100

CreatedAt Timeoptional

Timestamp of when the resource was created.

formatdate-time

DeletedAt Timeoptional

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

formatdate-time

Network stringoptional

The private IPv4 or IPv6 range connected by the route, in CIDR notation.

TunType TeamnetTunTypeoptional

The type of tunnel.

One of the following:

const TeamnetTunTypeCfdTunnel TeamnetTunType = "cfd_tunnel"

const TeamnetTunTypeWARPConnector TeamnetTunType = "warp_connector"

const TeamnetTunTypeWARP TeamnetTunType = "warp"

const TeamnetTunTypeMagic TeamnetTunType = "magic"

const TeamnetTunTypeIPSec TeamnetTunType = "ip_sec"

const TeamnetTunTypeGRE TeamnetTunType = "gre"

const TeamnetTunTypeCNI TeamnetTunType = "cni"

TunnelID stringoptional

UUID of the tunnel.

formatuuid

maxLength36

TunnelName stringoptional

A user-friendly name for a tunnel.

VirtualNetworkID stringoptional

UUID of the virtual network.

formatuuid

VirtualNetworkName stringoptional

A user-friendly name for the virtual network.

maxLength256

Zero TrustNetworksRoutesIPs

Get tunnel route by IP

client.ZeroTrust.Networks.Routes.IPs.Get(ctx, ip, params) (*Teamnet, error)

GET/accounts/{account_id}/teamnet/routes/ip/{ip}

Zero TrustNetworksRoutesNetworks

Create a tunnel route (CIDR Endpoint)

Deprecated

client.ZeroTrust.Networks.Routes.Networks.New(ctx, ipNetworkEncoded, params) (*Route, error)

POST/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}

Update a tunnel route (CIDR Endpoint)

Deprecated

client.ZeroTrust.Networks.Routes.Networks.Edit(ctx, ipNetworkEncoded, body) (*Route, error)

PATCH/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}

Delete a tunnel route (CIDR Endpoint)

Deprecated

client.ZeroTrust.Networks.Routes.Networks.Delete(ctx, ipNetworkEncoded, params) (*Route, error)

DELETE/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}

Zero TrustNetworksVirtual Networks

List virtual networks

client.ZeroTrust.Networks.VirtualNetworks.List(ctx, params) (*SinglePage[VirtualNetwork], error)

GET/accounts/{account_id}/teamnet/virtual_networks

Get a virtual network

client.ZeroTrust.Networks.VirtualNetworks.Get(ctx, virtualNetworkID, query) (*VirtualNetwork, error)

GET/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}

Create a virtual network

client.ZeroTrust.Networks.VirtualNetworks.New(ctx, params) (*VirtualNetwork, error)

POST/accounts/{account_id}/teamnet/virtual_networks

Update a virtual network

client.ZeroTrust.Networks.VirtualNetworks.Edit(ctx, virtualNetworkID, params) (*VirtualNetwork, error)

PATCH/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}

Delete a virtual network

client.ZeroTrust.Networks.VirtualNetworks.Delete(ctx, virtualNetworkID, body) (*VirtualNetwork, error)

DELETE/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}

ModelsExpand Collapse

type VirtualNetwork struct{…}

ID string

UUID of the virtual network.

formatuuid

Comment string

Optional remark describing the virtual network.

maxLength256

CreatedAt Time

Timestamp of when the resource was created.

formatdate-time

IsDefaultNetwork bool

If true, this virtual network is the default for the account.

Name string

A user-friendly name for the virtual network.

maxLength256

DeletedAt Timeoptional

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

formatdate-time

Zero TrustNetworksSubnets

List Subnets

client.ZeroTrust.Networks.Subnets.List(ctx, params) (*V4PagePaginationArray[Subnet], error)

GET/accounts/{account_id}/zerotrust/subnets

Zero TrustNetworksSubnetsWARP

Create WARP IP subnet

client.ZeroTrust.Networks.Subnets.WARP.New(ctx, params) (*Subnet, error)

POST/accounts/{account_id}/zerotrust/subnets/warp

Get WARP IP subnet

client.ZeroTrust.Networks.Subnets.WARP.Get(ctx, subnetID, query) (*Subnet, error)

GET/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}

Update WARP IP subnet

client.ZeroTrust.Networks.Subnets.WARP.Edit(ctx, subnetID, params) (*Subnet, error)

PATCH/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}

Delete WARP IP subnet

client.ZeroTrust.Networks.Subnets.WARP.Delete(ctx, subnetID, body) (*NetworkSubnetWARPDeleteResponse, error)

DELETE/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}

ModelsExpand Collapse

type Subnet struct{…}

ID stringoptional

The UUID of the subnet.

formatuuid

Comment stringoptional

An optional description of the subnet.

CreatedAt Timeoptional

Timestamp of when the resource was created.

formatdate-time

DeletedAt Timeoptional

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

formatdate-time

IsDefaultNetwork booloptional

If true, this is the default subnet for the account. There can only be one default subnet per account.

Name stringoptional

A user-friendly name for the subnet.

Network stringoptional

The private IPv4 or IPv6 range defining the subnet, in CIDR notation.

SubnetType SubnetSubnetTypeoptional

The type of subnet.

One of the following:

const SubnetSubnetTypeCloudflareSource SubnetSubnetType = "cloudflare_source"

const SubnetSubnetTypeWARP SubnetSubnetType = "warp"

Zero TrustNetworksSubnetsCloudflare Source

Update Cloudflare Source Subnet

client.ZeroTrust.Networks.Subnets.CloudflareSource.Update(ctx, addressFamily, params) (*Subnet, error)

PATCH/accounts/{account_id}/zerotrust/subnets/cloudflare_source/{address_family}

Zero TrustNetworksHostname Routes

List hostname routes

client.ZeroTrust.Networks.HostnameRoutes.List(ctx, params) (*V4PagePaginationArray[HostnameRoute], error)

GET/accounts/{account_id}/zerotrust/routes/hostname

Get hostname route

client.ZeroTrust.Networks.HostnameRoutes.Get(ctx, hostnameRouteID, query) (*HostnameRoute, error)

GET/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}

Create hostname route

client.ZeroTrust.Networks.HostnameRoutes.New(ctx, params) (*HostnameRoute, error)

POST/accounts/{account_id}/zerotrust/routes/hostname

Update hostname route

client.ZeroTrust.Networks.HostnameRoutes.Edit(ctx, hostnameRouteID, params) (*HostnameRoute, error)

PATCH/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}

Delete hostname route

client.ZeroTrust.Networks.HostnameRoutes.Delete(ctx, hostnameRouteID, body) (*HostnameRoute, error)

DELETE/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}

ModelsExpand Collapse

type HostnameRoute struct{…}

ID stringoptional

The hostname route ID.

formatuuid

Comment stringoptional

An optional description of the hostname route.

CreatedAt Timeoptional

Timestamp of when the resource was created.

formatdate-time

DeletedAt Timeoptional

Timestamp of when the resource was deleted. If null, the resource has not been deleted.

formatdate-time

Hostname stringoptional

The hostname of the route.

TunnelID stringoptional

UUID of the tunnel.

formatuuid

maxLength36

TunnelName stringoptional

A user-friendly name for a tunnel.

Zero TrustRisk Scoring

Get risk event/score information for a specific user

client.ZeroTrust.RiskScoring.Get(ctx, userID, query) (*RiskScoringGetResponse, error)

GET/accounts/{account_id}/zt_risk_scoring/{user_id}

Clear the risk score for a particular user

client.ZeroTrust.RiskScoring.Reset(ctx, userID, body) (*RiskScoringResetResponse, error)

POST/accounts/{account_id}/zt_risk_scoring/{user_id}/reset

Zero TrustRisk ScoringBehaviours

Get all behaviors and associated configuration

client.ZeroTrust.RiskScoring.Behaviours.Get(ctx, query) (*RiskScoringBehaviourGetResponse, error)

GET/accounts/{account_id}/zt_risk_scoring/behaviors

Update configuration for risk behaviors

client.ZeroTrust.RiskScoring.Behaviours.Update(ctx, params) (*RiskScoringBehaviourUpdateResponse, error)

PUT/accounts/{account_id}/zt_risk_scoring/behaviors

Zero TrustRisk ScoringSummary

Get risk score info for all users in the account

client.ZeroTrust.RiskScoring.Summary.Get(ctx, query) (*RiskScoringSummaryGetResponse, error)

GET/accounts/{account_id}/zt_risk_scoring/summary

Zero TrustRisk ScoringIntegrations

List all risk score integrations for the account.

client.ZeroTrust.RiskScoring.Integrations.List(ctx, query) (*SinglePage[RiskScoringIntegrationListResponse], error)

GET/accounts/{account_id}/zt_risk_scoring/integrations

Get risk score integration by id.

client.ZeroTrust.RiskScoring.Integrations.Get(ctx, integrationID, query) (*RiskScoringIntegrationGetResponse, error)

GET/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Create new risk score integration.

client.ZeroTrust.RiskScoring.Integrations.New(ctx, params) (*RiskScoringIntegrationNewResponse, error)

POST/accounts/{account_id}/zt_risk_scoring/integrations

Update a risk score integration.

client.ZeroTrust.RiskScoring.Integrations.Update(ctx, integrationID, params) (*RiskScoringIntegrationUpdateResponse, error)

PUT/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Delete a risk score integration.

client.ZeroTrust.RiskScoring.Integrations.Delete(ctx, integrationID, body) (*RiskScoringIntegrationDeleteResponse, error)

DELETE/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Zero TrustRisk ScoringIntegrationsReferences

Get risk score integration by reference id.

client.ZeroTrust.RiskScoring.Integrations.References.Get(ctx, referenceID, query) (*RiskScoringIntegrationReferenceGetResponse, error)

GET/accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}